topic Re: Two Portals, or two authentication profiles or better idea to test 2FA with global protect. in General Topics

Two Portals, or two authentication profiles or better idea to test 2FA with global protect.

mattscratt — Thu, 25 Feb 2021 18:07:09 GMT

Howdy all,

Relatively new to PA and GP, spent more time with Fortigate and Cisco at previous jobs. Work at a small company and until the pandemic and snowpoclypse VPN access was only given to select people, we all just came to work.

I've been tasked with getting Duo Security two factor authentication set up for vpn users. Problem is we cant just roll it out to all users at one time and we want time to test it with IT staff and then others. It was suggested I set up another gateway and portal. For example, we use vpn.amce.com, I should set up 2favpn.acme.com, then we can test at that address, work out the kinks etc, then replicate the settings to the production gateway/portal after training the uses.

I've read plenty of links in the live community about people trying similar things but nothing quite the same. As I read more and more, I'm wondering if that will actually work. I would need to assign a second IP to the ETH 1/1 interface, and would that cause havoc, need a firewall reboot etc. It just sounds like a mess in the making.

Would a better way be to set up an authentication profile that uses the 2FA mechanism and sync an AD group for users? Im struggling with this, facing a deadline and would appreciate your thoughts.

I've contacted support, and have been told they are more break fix, not implementation and to contact our rep for implementation services engagement. I've reached out numerous ways, but have not heard back yet. Help! And thanks!

Re: Two Portals, or two authentication profiles or better idea to test 2FA with global protect.

Mick_Ball — Thu, 25 Feb 2021 19:13:10 GMT

Hi @mattscratt .

i can feel your dilemma but you do have a few options as you are already aware...

it will depend on other factors as all options will eventually work but its more to do with what suits you and your org.

do you have a wildcard certificate, do you manage your own DNS, do you allow users to change portal address, how tekkie are your users... and on and on....

for me... create a new portal on a secondary address, no restart required. Keep the existing gateways but allow cookie auth to them.

This will keep one completely separate from the other, no AD group stuff, keep it simple...

the portal can be resolved by DNS or editing host file.....

this is how we currently test new rollouts but we have wildcard certs, self DNS management, a stack of available addresses and 16 gateways to choose from.... i go for this cos any balls up only affects the user group and not our other 6k plus user base.

HTH.

Re: Two Portals, or two authentication profiles or better idea to test 2FA with global protect.

mattscratt — Thu, 25 Feb 2021 19:25:24 GMT

Interesting ideas, we do manage our DNS so that helps.

Can I assign two external IPs to the Eth 1/1 interface like in this post? Does it take a reboot? https://live.paloaltonetworks.com/t5/general-topics/multiple-addresses-in-the-same-ethernet-interface/m-p/66635#M39262

Re: Two Portals, or two authentication profiles or better idea to test 2FA with global protect.

Mick_Ball — Thu, 25 Feb 2021 19:48:32 GMT

Are the addresses within a range with the same subnet mask.

Re: Two Portals, or two authentication profiles or better idea to test 2FA with global protect.

mattscratt — Thu, 25 Feb 2021 19:54:15 GMT

yes