https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259455#M73573 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>,</P><P>&nbsp;</P><P>Yes it is a pretty big challenege. I'm familiar with most of Palo Alto as I spent my first couple of months in this job diving in and learning our setup and getting familiar with the device. We intend to use freeRADIUS, which we use for authenticating admin access into our devices, for the 2FA portion.</P><P>&nbsp;</P><P>thanks for those links, I'll be diving into them shortly.</P> Wed, 01 May 2019 19:55:50 GMT bhughesiii 2019-05-01T19:55:50Z https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259136#M73482 <P>In an attempt to secure connections to production resources. I would like to implement a policy that if you are for instance using SSMS to connect from one location to a database in the data center, that you first have to authenticate via global protect client using two factor authentication before you can connect to said resource.</P><P>&nbsp;</P><P>any guidance would be greatly appreciated and any requests for more information will be answered as quickly as I can.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you</P> Mon, 29 Apr 2019 19:51:26 GMT https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259136#M73482 bhughesiii 2019-04-29T19:51:26Z https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259354#M73541 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112122">@bhughesiii</a>,</P><P>Usually GlobalProtect connections are terminated in their own zone on the firewall. If that's the case in your environment, you would simply modify the existing security policies so that only the GlobalProtect zone is allowed access to your data center resources and let everything else hit the interzone-default policy or a specific deny rule.</P><P>&nbsp;</P> Tue, 30 Apr 2019 22:08:08 GMT https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259354#M73541 BPry 2019-04-30T22:08:08Z https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259428#M73567 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Thank you, I'll look into that. This is my first rodeo with Palo Alto and firewalls in general so somethings like this are slightly over my head.</P> Wed, 01 May 2019 16:40:02 GMT https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259428#M73567 bhughesiii 2019-05-01T16:40:02Z https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259440#M73570 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112122">@bhughesiii</a>&nbsp;</P><P>&nbsp;</P><P>For a start with paloalto you chose a challenging project <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>What you are asking for is possible. To start with this read the following documents:</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal.html</A></P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/globalprotect-features/authentication-policy-and-multi-factor-authentication-for-globalprotect" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/globalprotect-features/authentication-policy-and-multi-factor-authentication-for-globalprotect</A></P><P><A href="https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/authentication/configure-globalprotect-to-facilitate-multi-factor-authentication-notifications.html" target="_blank">https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/authentication/configure-globalprotect-to-facilitate-multi-factor-authentication-notifications.html</A></P><P>&nbsp;</P><P>Depending on the authentication method and if you use MFA GlobalProtect will guide the user through the authentication process or display an URL that leads to the captive portal website where the user is required to authenticate.</P><P>&nbsp;</P><P>Hope this helps.</P><P>Regards,</P><P>Remo</P><P>&nbsp;</P> Wed, 01 May 2019 19:31:20 GMT https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259440#M73570 Remo 2019-05-01T19:31:20Z https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259455#M73573 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>,</P><P>&nbsp;</P><P>Yes it is a pretty big challenege. I'm familiar with most of Palo Alto as I spent my first couple of months in this job diving in and learning our setup and getting familiar with the device. We intend to use freeRADIUS, which we use for authenticating admin access into our devices, for the 2FA portion.</P><P>&nbsp;</P><P>thanks for those links, I'll be diving into them shortly.</P> Wed, 01 May 2019 19:55:50 GMT https://live.paloaltonetworks.com/t5/general-topics/require-authentication-via-global-protect-when-connecting-to/m-p/259455#M73573 bhughesiii 2019-05-01T19:55:50Z