https://live.paloaltonetworks.com/t5/globalprotect-discussions/conditional-rules-for-gp-mfa-auth/m-p/584501#M5275 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37508">@JimMcGrady</a> ,</P> <P>&nbsp;</P> <P>That is a very interesting question!&nbsp; The only option you have for different authentication policies on the portal or gateway is OS.&nbsp; That doesn't help.</P> <P>&nbsp;</P> <P>However, you can have clients select different gateways based upon countries, and the gateways can be configured with different authentication methods.</P> <P>&nbsp;</P> <P>For example, you could have SAML for your portal login.&nbsp; The login info is cached by the portal and sent to the gateway.&nbsp; One gateway can have the same SAML, and the client will not be prompted for login again.&nbsp; Another gateway could have the same SAML (so same creds) with MFA enabled, and those clients will be prompted for MFA.</P> <P>&nbsp;</P> <P>MFA is always recommended for RA VPN.&nbsp; Another option you may consider is have a long cookie lifetime for the trusted country and a short lifetime for the untrusted countries.&nbsp; As long as the cookie is not expired, users will not be prompted for MFA.&nbsp; However, they will not be prompted for username and password either.&nbsp; This is not the portal/gateway authentication cookie, but rather the IdP MFA authentication cookie.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 22 Apr 2024 14:59:39 GMT TomYoung 2024-04-22T14:59:39Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/conditional-rules-for-gp-mfa-auth/m-p/584438#M5273 <P>Is it possible to apply conditional rules on a GlobalProtect login so the means of login can vary? For example; If a Windows client is operating within a particular country or public IP range, just require simple SAML user login and maybe AD machine membership. However, if the client is outside of the country/ip-range, prompt the user for an MFA login.</P> Mon, 22 Apr 2024 02:26:03 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/conditional-rules-for-gp-mfa-auth/m-p/584438#M5273 JimMcGrady 2024-04-22T02:26:03Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/conditional-rules-for-gp-mfa-auth/m-p/584501#M5275 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37508">@JimMcGrady</a> ,</P> <P>&nbsp;</P> <P>That is a very interesting question!&nbsp; The only option you have for different authentication policies on the portal or gateway is OS.&nbsp; That doesn't help.</P> <P>&nbsp;</P> <P>However, you can have clients select different gateways based upon countries, and the gateways can be configured with different authentication methods.</P> <P>&nbsp;</P> <P>For example, you could have SAML for your portal login.&nbsp; The login info is cached by the portal and sent to the gateway.&nbsp; One gateway can have the same SAML, and the client will not be prompted for login again.&nbsp; Another gateway could have the same SAML (so same creds) with MFA enabled, and those clients will be prompted for MFA.</P> <P>&nbsp;</P> <P>MFA is always recommended for RA VPN.&nbsp; Another option you may consider is have a long cookie lifetime for the trusted country and a short lifetime for the untrusted countries.&nbsp; As long as the cookie is not expired, users will not be prompted for MFA.&nbsp; However, they will not be prompted for username and password either.&nbsp; This is not the portal/gateway authentication cookie, but rather the IdP MFA authentication cookie.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 22 Apr 2024 14:59:39 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/conditional-rules-for-gp-mfa-auth/m-p/584501#M5275 TomYoung 2024-04-22T14:59:39Z