Does PAN-OS VPN functionality support MFA?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Does PAN-OS VPN functionality support MFA?

L1 Bithead

Hey guys,


I'm looking at moving off Sonicwall NSA 3600 and onto a PAN appliance. One factor is that I'm currently using Sonicwall's VPN functionality which has some simple, built-in MFA in the form of TOPT codes that the user must put in each time they connect to the VPN. Its not dependent on any other service so its kind of nice that way. I was just wondering what PAN has in the form of MFA on VPN?

1 accepted solution

L5 Sessionator

Isn't built in, integrates with anything that speaks SAML. Note, we can do this over VPN but also within the confines of your enterprise network/office as well for users accessing sensitive subnets/applications. 


See more here.

Help the community! Add tags and mark solutions please.

hmm, cool. So I could integrate PAN with MS Azure MFA and use that?

L6 Presenter

Yeah, the PA has a few built in MFA vendor connectors: DUO, Okta, PingID, and RSA SecureID. Additionally you can use a user/pass auth connection to an authentication server that issues MFA itself, via: Radius, TACACS, LDAP, Kerberos, or SAML.


In our case the PA does a Radius auth request to an inhouse DUO server, which authenticates user/pass against our AD and then sends the MFA code through a third party server. When the MFA succeeds the Radius returns a permit response. We are going to be moving to an Azure MFA and, although it isn't setup yet, I believe it will just be changing the auth profile to use a SAML connection and cert to Azure and receiving back the permit/deny response.

L1 Bithead

Awesome, thanks all!

  • 1 accepted solution
  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!