GlobalProtect with MFA - Always On

L3 Networker

GlobalProtect with MFA - Always On

I was wondering if anyone here is using GlobalProtect with MFA, such as Duo, Okta or Ping.

Currently, the clients' portal app is set to User-Logon (Always On). I'd like to implement MFA for GP, while also keeping the always-on functionality.

The question is: if the user does not enter their OTP, then GP will not connect. This would circumvent the always-on functionality.

There is the option (currently disabled) to "Enforce GlobalProtect Connection for Network Access". With this option set to yes, it should prevent someone from circumventing the VPN connection. However, what about when the user is in a hotel or using public Wi-Fi and needs access to accept terms and conditions before the wireless connection is established?

L4 Transporter

Re: GlobalProtect with MFA - Always On

Assuming you are using pre-logon with always on? If so... This is functionality that was added in PAN-OS 9.0. Details: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/fea...

Pre-Logon Followed By Two-Factor and SAML Authentication
The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by two-factor or SAML authentication for user login. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate using the configured authentication method. If authentication is successful on Windows endpoints, the pre-logon tunnel is seamlessly renamed to User tunnel and the GlobalProtect connection is established. If authentication is successful on macOS endpoints, a new tunnel is created and the GlobalProtect connection is established.

L7 Applicator

Re: GlobalProtect with MFA - Always On


@hshawn wrote:

Assuming you are using pre-logon with always on? If so... This is functionality that was added in PAN-OS 9.0


More precisely, this was added with GP 5.0. This feature also works with PAN-OS 8.0.x. With user-logon (as right now configured by @MikeC ) this is already possible with 4.1.x.

@MikeC

There are quite a few things that you need to consider. Mainly the question of how much security you need. I am asking this because with your current configuration it is already (easily) possible to circumvent the VPN connection - a user only needs to block connections to your VPN Gateway and he is able to connect wherever he wants without the VPN.

This problem can be solved with the enforce option as you mentioned, but enabling this option also requires a change from user-logon to pre-logon, because otherwise the network connections in the internal network are blocked until the user is logged in (access is blocked until the internal host detection is done, and this check takes place when GP becomes active).

For public Wi-Fi and captive portals you can configure a timeout where access to these captive portals is allowed for the specified time, and as soon as the user logs in to the captive portal or accepts the terms of service, GP kicks in and asks for the MFA authentication.
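
As an added example (not code from this thread or from Palo Alto Networks), the following Python script turns the three trade-offs described in the reply above into checks over a GlobalProtect app-config fragment: enforcement switched off means the tunnel can be bypassed by blocking the gateway, enforcement combined with user-logon risks blocking LAN access before the user is logged in, and enforcement without a captive-portal exception timeout strands users on hotel or public Wi-Fi. The XML element names (connect-method, enforce-globalprotect, captive-portal-exception-timeout) are assumptions chosen to mirror the GUI labels and are not a real PAN-OS export format; the three sample configurations are constructed for the example.

```python
"""Audit a GlobalProtect app-config fragment for the always-on pitfalls
raised in the thread. Added example, not code from the thread or from
Palo Alto Networks; the element names are ASSUMED to mirror the GUI
labels and are not taken from a real PAN-OS configuration export."""
import xml.etree.ElementTree as ET

# Constructed sample 1: the thread's starting point, user-logon with the
# enforce option disabled (assumed element names).
SAMPLE_USER_LOGON_NO_ENFORCE = """<agent-config>
  <connect-method>user-logon</connect-method>
  <enforce-globalprotect>no</enforce-globalprotect>
  <captive-portal-exception-timeout>0</captive-portal-exception-timeout>
</agent-config>"""

# Constructed sample 2: enforce switched on without moving to pre-logon
# and without a captive-portal exception timeout.
SAMPLE_USER_LOGON_ENFORCE = """<agent-config>
  <connect-method>user-logon</connect-method>
  <enforce-globalprotect>yes</enforce-globalprotect>
  <captive-portal-exception-timeout>0</captive-portal-exception-timeout>
</agent-config>"""

# Constructed sample 3: the combination the reply recommends, pre-logon
# plus enforce plus a captive-portal exception window (60 s is arbitrary).
SAMPLE_PRE_LOGON_ENFORCE = """<agent-config>
  <connect-method>pre-logon</connect-method>
  <enforce-globalprotect>yes</enforce-globalprotect>
  <captive-portal-exception-timeout>60</captive-portal-exception-timeout>
</agent-config>"""


def audit_agent_config(xml_text):
    """Return a list of (code, message) findings; an empty list means none
    of the three pitfalls discussed in the thread is present."""
    root = ET.fromstring(xml_text)

    def value(tag, default):
        # Missing elements fall back to the default so partial fragments
        # can still be audited.
        node = root.find(tag)
        return node.text.strip() if node is not None and node.text else default

    method = value("connect-method", "on-demand")
    enforce = value("enforce-globalprotect", "no").lower() == "yes"
    timeout = int(value("captive-portal-exception-timeout", "0"))

    findings = []
    if not enforce:
        # Always-on without enforcement is a convenience setting only:
        # blocking the gateway yields unfiltered internet access.
        findings.append(("BYPASSABLE",
                         "enforce is off: blocking the VPN gateway bypasses the "
                         "tunnel, so always-on is not actually enforced"))
    if enforce and method != "pre-logon":
        # Enforcement blocks network access until internal host detection
        # has run, which with user-logon happens only after the user logs in.
        findings.append(("LOCKOUT_RISK",
                         f"enforce with connect-method {method}: internal network "
                         "access is blocked until the user is logged in"))
    if enforce and timeout <= 0:
        # Without an exception window the user cannot reach a hotel or
        # public Wi-Fi captive portal to accept its terms.
        findings.append(("CAPTIVE_PORTAL",
                         "enforce with no captive-portal exception timeout: users "
                         "behind captive portals cannot complete the portal login"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("user-logon, no enforce", SAMPLE_USER_LOGON_NO_ENFORCE),
                      ("user-logon, enforce", SAMPLE_USER_LOGON_ENFORCE),
                      ("pre-logon, enforce", SAMPLE_PRE_LOGON_ENFORCE)]:
        codes = [code for code, _ in audit_agent_config(cfg)]
        print(f"{name}: {codes or 'no findings'}")
```

Running the script prints one line per sample: the first sample is flagged as bypassable, the second as a lockout and captive-portal risk, and the third produces no findings. The element names are only a stand-in for the real export format, so the `value()` helper is where a practitioner would adapt the script to the actual XML of their own portal configuration.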

L3 Networker

Re: GlobalProtect with MFA - Always On

thank you @hshawn and @vsys_remo

So a few things: yes, currently it is easy to circumvent, but most users don't know how to do that. The goal (for now) is for all internet traffic from corp devices to be full tunnel for inspection.

We are also looking at switching to pre-logon for other reasons. This may actually work out better. With GP set to pre-logon, this will allow access to internal resources, such as AD. Then, after the user authenticates, they will be prompted for MFA from the chosen provider (Okta, Duo, Ping, etc.)? The caveat being it has to be PAN-OS 9. Until the firewalls are upgraded to PAN-OS 9, we can use user-logon, with the exception that you can't enforce GP for connectivity.

Do I have this correct?

L7 Applicator

Re: GlobalProtect with MFA - Always On

Hi @MikeC

Actually you need at least GlobalProtect 5.0.0, but this also works with PAN-OS 8 as it is a feature of GP and not something that you need to configure on the firewall.

L3 Networker

Re: GlobalProtect with MFA - Always On

Thanks @vsys_remo

I read this statement you made wrong: "This feature also works with PAN-OS 8.0.x. With user-logon (as right now configured by @MikeC ) this is already possible with 4.1.x."

I understand correctly now. I'm actually upgrading to 5.0.1 this week. Thanks so much.

L7 Applicator

Re: GlobalProtect with MFA - Always On

Hi @MikeC

Just a little hint ... wait a few more days until 5.0.2 is released. Of course I cannot guarantee that there are no bugs, but right now I have 10 open cases because of problems in 5.0.0 and 5.0.1, and most of the problems seem to be solved with 5.0.2 - even though I don't use MFA with Duo/Ping/... but with RADIUS. And some of the problems are general ones, like connection problems after resuming from hibernation mode.

L3 Networker

Re: GlobalProtect with MFA - Always On

@vsys_remo you have 10 open cases? Are you a Palo employee?

Thanks for the tip, I will wait a few days :)

L1 Bithead

Re: GlobalProtect with MFA - Always On


@vsys_remo wrote:

Hi @MikeC

Just a little hint ... wait a few more days until 5.0.2 is released. Of course I cannot guarantee that there are no bugs, but right now I have 10 open cases because of problems in 5.0.0 and 5.0.1, and most of the problems seem to be solved with 5.0.2 - even though I don't use MFA with Duo/Ping/... but with RADIUS. And some of the problems are general ones, like connection problems after resuming from hibernation mode.


+1 on waiting until 5.0.2. We have several cases open as well that 5.0.2 supposedly has fixes for. Trying to do pre-logon always-on with GP Enforcer turned on and SAML auth. Not a great experience in 5.0.0/5.0.1 (especially on the Mac side, but Windows is not bug-free either).

L3 Networker

Re: GlobalProtect with MFA - Always On

thanks @cnygaard

Sounds like I'll be waiting for 5.0.2. Right now, until I get the MFA vendor integration going, I use user certs as well as AD auth. Not sure if this is also a problem with 5.0.1, but I'll wait for 5.0.2 anyway :)
