https://live.paloaltonetworks.com/t5/general-topics/allow-single-user-to-bypass-mfa/m-p/465048#M102550 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/194770">@isentric89</a> ,</P><P>&nbsp;</P><P>Yes, you can have different authentication methods for different users.</P><P>&nbsp;</P><OL><LI>Create a new authentication profile without MFA and list only yourself under Advanced &gt; Allow List.</LI><LI>Add a new Authentication Sequence, with your new authentication profile on top.</LI><LI>Change you authentication profile under both the portal and gateway to the authentication sequence.</LI><LI>Since you are the only one in the allow list, the new authentication profile will be used for you.&nbsp; The existing one will be used for everyone else.</LI></OL><P>You do not need a new gateway.&nbsp; With regard to access to resources, that is controlled in the security policy.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P><P>&nbsp;</P><P>Edit:&nbsp; Thank you <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a> for the feedback!&nbsp; I actually made this same mistake when doing this for a customer months ago, and forgot my lesson learned!&nbsp; I have corrected my steps above.</P> Wed, 16 Feb 2022 16:51:13 GMT TomYoung 2022-02-16T16:51:13Z https://live.paloaltonetworks.com/t5/general-topics/allow-single-user-to-bypass-mfa/m-p/465015#M102548 <P>Hi All,</P><P>&nbsp;</P><P>I would like to access Global Protect for myself using different profile to access one of our resources subnet 10.21.xx.xx.</P><P>&nbsp;</P><P>I want to access without having to go through 2FA. Any idea for it? is it possible?</P><P>&nbsp;</P><P>Do we need to create another gateway on the GP for a single user?</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 10 Feb 2022 23:14:43 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-single-user-to-bypass-mfa/m-p/465015#M102548 isentric89 2022-02-10T23:14:43Z https://live.paloaltonetworks.com/t5/general-topics/allow-single-user-to-bypass-mfa/m-p/465048#M102550 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/194770">@isentric89</a> ,</P><P>&nbsp;</P><P>Yes, you can have different authentication methods for different users.</P><P>&nbsp;</P><OL><LI>Create a new authentication profile without MFA and list only yourself under Advanced &gt; Allow List.</LI><LI>Add a new Authentication Sequence, with your new authentication profile on top.</LI><LI>Change you authentication profile under both the portal and gateway to the authentication sequence.</LI><LI>Since you are the only one in the allow list, the new authentication profile will be used for you.&nbsp; The existing one will be used for everyone else.</LI></OL><P>You do not need a new gateway.&nbsp; With regard to access to resources, that is controlled in the security policy.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P><P>&nbsp;</P><P>Edit:&nbsp; Thank you <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a> for the feedback!&nbsp; I actually made this same mistake when doing this for a customer months ago, and forgot my lesson learned!&nbsp; I have corrected my steps above.</P> Wed, 16 Feb 2022 16:51:13 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-single-user-to-bypass-mfa/m-p/465048#M102550 TomYoung 2022-02-16T16:51:13Z https://live.paloaltonetworks.com/t5/general-topics/allow-single-user-to-bypass-mfa/m-p/466071#M102646 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a> ,</P> <P>Will the GP falback to the second authentication schema, if the first one reject the the user?</P> <P>I have used two authentication schema only for two different types of OS, so I got the impresion that GP will select auth schema based on the OS, top-to-bottom, but it reject the authentication it will not falback to the rest in the list.</P> <P>&nbsp;</P> <P>I was thinking more like using authentication sequence</P> <P>- Create auth sequenece and put the authentication profile without MFA first and second the auth profile with MFA</P> <P>- Non-MFA profile can be configured with allow list as you suggested</P> <P>- Use the Authentication Sequence as authentication schema for GlobalPortect Portal and Gateway authentication.</P> Wed, 16 Feb 2022 07:39:35 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-single-user-to-bypass-mfa/m-p/466071#M102646 aleksandar.astardzhiev 2022-02-16T07:39:35Z