https://live.paloaltonetworks.com/t5/globalprotect-discussions/two-phase-vpn/m-p/355781#M490 <P>Hello,</P><P>&nbsp;</P><P>I have a question regarding the possibility of a 2 phase VPN connection. Please see below for a description of the scenario.</P><P>&nbsp;</P><P>User A logs in to global protecting when logging on to their PC. I have this part completed using User logon (Always on). This log on allows basic VPN connectivity to make sure their machine is patched/AV updated, etc. I am now looking for a way to escalate the network privileges to allow full access to the rest of the network. What I am not sure is, on how to get some type of extra layer of authentication to where the user will now log in using 2FA, such as a token to gain this access. What does Global protect offer to perform this next level of authentication? I am thinking of a web page redirect that when the user opens a web browser, they are taken to a splash page to input their username/token.</P><P>&nbsp;</P><P>So lets say their initial connection has an ACL like, VPN network permit to networks A,B and C. They are denied access to all other networks (This is a full tunnel so that would include internet). After they hit the redirect and are authenticated using their Token, they now have a allow any any ACL (for example). I am looking to perform this with out any HIP checks (if possible).</P><P>&nbsp;</P><P>Thanks in advance for your help!</P> Mon, 12 Oct 2020 15:14:06 GMT RJenkins 2020-10-12T15:14:06Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/two-phase-vpn/m-p/355781#M490 <P>Hello,</P><P>&nbsp;</P><P>I have a question regarding the possibility of a 2 phase VPN connection. Please see below for a description of the scenario.</P><P>&nbsp;</P><P>User A logs in to global protecting when logging on to their PC. I have this part completed using User logon (Always on). This log on allows basic VPN connectivity to make sure their machine is patched/AV updated, etc. I am now looking for a way to escalate the network privileges to allow full access to the rest of the network. What I am not sure is, on how to get some type of extra layer of authentication to where the user will now log in using 2FA, such as a token to gain this access. What does Global protect offer to perform this next level of authentication? I am thinking of a web page redirect that when the user opens a web browser, they are taken to a splash page to input their username/token.</P><P>&nbsp;</P><P>So lets say their initial connection has an ACL like, VPN network permit to networks A,B and C. They are denied access to all other networks (This is a full tunnel so that would include internet). After they hit the redirect and are authenticated using their Token, they now have a allow any any ACL (for example). I am looking to perform this with out any HIP checks (if possible).</P><P>&nbsp;</P><P>Thanks in advance for your help!</P> Mon, 12 Oct 2020 15:14:06 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/two-phase-vpn/m-p/355781#M490 RJenkins 2020-10-12T15:14:06Z