https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588535#M3246 <P>Hello,</P> <P>I need to integrate my FortiAuthenticator, which is located at a remote site, with my PA firewall to add additional authentication factors for users connecting to GlobalProtect.</P> <P>&nbsp;</P> <P>I haven't been able to find the documentation and procedures to accomplish this. I would appreciate it if someone with experience in this could provide the necessary requirements and configuration steps.</P> <P>&nbsp;</P> <P>Thank you in advance.</P> Sat, 01 Jun 2024 21:09:00 GMT hamza_d 2024-06-01T21:09:00Z https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588535#M3246 <P>Hello,</P> <P>I need to integrate my FortiAuthenticator, which is located at a remote site, with my PA firewall to add additional authentication factors for users connecting to GlobalProtect.</P> <P>&nbsp;</P> <P>I haven't been able to find the documentation and procedures to accomplish this. I would appreciate it if someone with experience in this could provide the necessary requirements and configuration steps.</P> <P>&nbsp;</P> <P>Thank you in advance.</P> Sat, 01 Jun 2024 21:09:00 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588535#M3246 hamza_d 2024-06-01T21:09:00Z https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588580#M3250 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/934742765">@hamza_d</a> ,</P> <P>&nbsp;</P> <P>I am guessing you are talking about the "native MFA" functionallity described here - <A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication</A></P> <P>&nbsp;</P> <P>There you can see that this can be only used with handful of third party IdPs like PingID, Okta, Duo - <A href="https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support" target="_blank">https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support</A></P> <P>&nbsp;</P> <P>However as any other firewall vendor you can enable MFA using any of the other standard authentication methods - RADIUS, TACACS, SAML.</P> <P>&nbsp;</P> <P>You can find instructions how to configure any of these auth. protocols in the first link above. The next step is to enable the MFA, but this is all done on the FortiAuthenticator.</P> <P>&nbsp;</P> Mon, 03 Jun 2024 09:09:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588580#M3250 aleksandar.astardzhiev 2024-06-03T09:09:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588655#M3256 <P>Thanks,&nbsp;&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>,&nbsp;</P> <P>&nbsp;</P> <DIV class="flex-shrink-0 flex flex-col relative items-end"> <DIV> <DIV class="pt-0.5 juice:pt-0"> <DIV class="gizmo-bot-avatar flex h-6 w-6 items-center justify-center overflow-hidden rounded-full juice:h-8 juice:w-8"> <DIV class="relative p-1 rounded-sm flex items-center justify-center bg-token-main-surface-primary text-token-text-primary h-8 w-8">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="group/conversation-turn relative flex w-full min-w-0 flex-col agent-turn"> <DIV class="flex-col gap-1 md:gap-3"> <DIV class="flex flex-grow flex-col max-w-full"> <DIV class="min-h-[20px] text-message flex flex-col items-start whitespace-pre-wrap break-words [.text-message+&amp;]:mt-5 juice:w-full juice:items-end overflow-x-auto gap-2" dir="auto" data-message-author-role="assistant" data-message-id="47ed1114-edf1-4402-9cd4-fc5ded088af6"> <DIV class="flex w-full flex-col gap-1 juice:empty:hidden juice:first:pt-[3px]"> <DIV class="markdown prose w-full break-words dark:prose-invert light"> <P>Could you clarify what you mean by "native MFA"? Based on your experience, which is recommended: using FortiAuthenticator as a RADIUS server or as an IdP server (SAML)?</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Mon, 03 Jun 2024 23:30:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588655#M3256 hamza_d 2024-06-03T23:30:08Z https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588877#M3273 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>&nbsp;,<BR /><BR />I am waiting for your response.</P> <P>Thank you.&nbsp;</P> Wed, 05 Jun 2024 22:41:42 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588877#M3273 hamza_d 2024-06-05T22:41:42Z https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588947#M3274 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>&nbsp;wrote:<BR /> <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/934742765">@hamza_d</a> ,</P> <P>&nbsp;</P> <P>I am guessing you are talking about the "native MFA" functionallity described here - <A href="https://aeroshield.me/whatsapp-call-egypt/" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication</A></P> <P>&nbsp;</P> <P>There you can see that this can be only used with handful of third party IdPs like PingID, Okta, Duo - <A href="https://aeroshield.me/how-to-unblock-messenger-in-dubai/" target="_self">https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support</A></P> <P>&nbsp;</P> <P>However as any other firewall vendor you can enable MFA using any of the other standard authentication methods - RADIUS, TACACS, SAML.</P> <P>&nbsp;</P> <P>You can find instructions how to configure any of these auth. protocols in the first link above. The next step is to enable the MFA, but this is all done on the FortiAuthenticator.</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>&nbsp;wrote:<BR /> <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/934742765">@hamza_d</a> ,</P> <P>&nbsp;</P> <P>I am guessing you are talking about the "native MFA" functionallity described here - <A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication</A></P> <P>&nbsp;</P> <P>There you can see that this can be only used with handful of third party IdPs like PingID, Okta, Duo - <A href="https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support</A></P> <P>&nbsp;</P> <P>However as any other firewall vendor you can enable MFA using any of the other standard authentication methods - RADIUS, TACACS, SAML.</P> <P>&nbsp;</P> <P>You can find instructions how to configure any of these auth. protocols in the first link above. The next step is to enable the MFA, but this is all done on the FortiAuthenticator.</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P><BR /><BR /></P> <P>&nbsp;</P> <P>Native MFA means native multi factor authentication</P> Thu, 06 Jun 2024 13:48:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588947#M3274 OllyBe 2024-06-06T13:48:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588952#M3275 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/934742765">@hamza_d</a> ,</P> <P>&nbsp;</P> <P>Q: Could you clarify what you mean by "native MFA"?</P> <P>A: Please check the link I provided earlier. I have never had an use case to use this, but my understanding is that FW is communicating with some kind of API with one of those IdP services (Okta, Duo etc) instead of the using additional auth protocol</P> <P>&nbsp;</P> <P>Q: Based on your experience, which is recommended: using FortiAuthenticator</P> <P>A: I would say this is heavilty depends on your requirements, environment and setup. Lately more people are prefering SAML mainly because it could provide great Single Sign-On experience for the end users. Also with RADIUS I am not sure you can have "push notification" for MFA, user will need to manually type the one-time-password. While with SAML you can have push notifcation, allowing the user just to click "approve" button</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 06 Jun 2024 14:34:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/integrating-fortiauthenticator-with-pa-firewall-for-multi-factor/m-p/588952#M3275 aleksandar.astardzhiev 2024-06-06T14:34:39Z