Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GlobalProtect with MFA - Always On

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect with MFA - Always On

L3 Networker

I was wondering if anyone here using GlobalProtect with MFA, such as Duo, Okta or Ping.

 

Currently, clients portal app is set to User-Logon (Always On).  I'd like to implement MFA for GP, but also keeping the always on functionality.

 

The question is if the user does not enter their OTP, then GP will not connect. This would circumvent the always on functionality.

 

There is the option (currently disabled) to "Enforce GlobalProtect Connection for Network Access".   With this option set to yes,  it should prevent someone from circumventing the VPN connection. However, what about when the user is in a hotel or using public wifi and needs to access to accept terms and conditions before wireless connection is established?

 

 

1 accepted solution

Accepted Solutions


@hshawn wrote:

Assuming you are using pre-logon with always on? If so... This is funcionality that was added in PANOS 9.0


More precisely, this was added with GP 5.0. This feature also works with PAN-OS 8.0.x. With user-logon (as right now configured by @MikeC ) this is already possible with 4.1.x.

 

@MikeC

There are quite a few things that you need to consider. Mainly the question of how much security you need? I am asking this because with your current configuration it is already (easily) possible to circumvent the VPN connection - a User only needs to block connections to your VPN Gateway and he is able to connect wherever he wants without the VPN.

This problem can be solved with the enforce option as you mentionned, but enabling this option also requires a change from user-logon to pre-logon, because otherwise the network connections in the internal network are blocked until the user is logged in (access is blocked until the internal host detection is done and this check takes place when GP becomes active).

For the public wifis and captive portals you can configure a timeout where access to these captive portals is allowed for the specified time and as soon the user loggs in to the caprive portal or accepts terms of service GP kicks in and asks for the MFA authentication.

 

View solution in original post

11 REPLIES 11

L4 Transporter

Assuming you are using pre-logon with always on? If so... This is funcionality that was added in PANOS 9.0 details: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/fea...

 

Pre-Logon Followed By Two-Factor and SAML Authentication
The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by two-factor or SAML authentication for user login. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate using the configured authentication method. If authentication is successful on Windows endpoints, the pre-logon tunnel is seamlessly renamed to User tunnel and the GlobalProtect connection is established. If authentication is successful on macOS endpoints, a new tunnel is created and the GlobalProtect connection is established.

 


@hshawn wrote:

Assuming you are using pre-logon with always on? If so... This is funcionality that was added in PANOS 9.0


More precisely, this was added with GP 5.0. This feature also works with PAN-OS 8.0.x. With user-logon (as right now configured by @MikeC ) this is already possible with 4.1.x.

 

@MikeC

There are quite a few things that you need to consider. Mainly the question of how much security you need? I am asking this because with your current configuration it is already (easily) possible to circumvent the VPN connection - a User only needs to block connections to your VPN Gateway and he is able to connect wherever he wants without the VPN.

This problem can be solved with the enforce option as you mentionned, but enabling this option also requires a change from user-logon to pre-logon, because otherwise the network connections in the internal network are blocked until the user is logged in (access is blocked until the internal host detection is done and this check takes place when GP becomes active).

For the public wifis and captive portals you can configure a timeout where access to these captive portals is allowed for the specified time and as soon the user loggs in to the caprive portal or accepts terms of service GP kicks in and asks for the MFA authentication.

 

thank you @hshawn  and @Remo 

 

So a few things, yes, currently it easy to circumvent, but most users don't know how to do that.  The goal (for now) is for all internet traffic from corp devices to be full tunnel for inspection

 

We are also looking at switching to pre-logon for other reasons.  This may actually work out better.  GP set to pre-logon, this will allow to internal resources, such as AD. Then, after user authenticates, they will be prompted for MFA from chosen provider (okta, duo, ping, etc)? The caveat being it has to be PAN OS9.   Until firewalls are upgraded to os9, we can use this user-logon with the exception that you can't enforce gp for connectivity

 

Do I have this correct?

Hi @MikeC 

 

Actually you need at least Global Protect 5.0.0, but this works also with PAN-OS 8 as it is a feature of GP and not something that you need to configure on rhe firewall.

Thanks @Remo 

 

I read this statement you made wrong "This feature also works with PAN-OS 8.0.x. With user-logon (as right now configured by @MikeC ) this is already possible with 4.1.x."

 

I understand correctly now.  I'm actually upgrading to 5.0.1 this week.  Thanks so much

 

 

Hi @MikeC 

 

Just a little hint ... wait a few more days until 5.0.2 will be released. Of course I cannot guarantee that there are no bugs but right now I have 10 open cases because of problems in 5.0.0 and 5.0.1 and most of the problems seem to be solved with 5.0.2 - even though I don't use MFA with Duo/Ping/... but with RADIUS. And at some of the problems are general ones like connection problems after resuming from hibernation mode.

@Remo  you have 10 open cases? Are you a palo employee?

 

Thanks for the tip, I will wait a few days 🙂


@Remo wrote:

Hi @MikeC 

 

Just a little hint ... wait a few more days until 5.0.2 will be released. Of course I cannot guarantee that there are no bugs but right now I have 10 open cases because of problems in 5.0.0 and 5.0.1 and most of the problems seem to be solved with 5.0.2 - even though I don't use MFA with Duo/Ping/... but with RADIUS. And at some of the problems are general ones like connection problems after resuming from hibernation mode.


+1 on waiting til 5.0.2. We have several cases open as well that 5.0.2 supposedly has fixes for. Trying to do pre-logon always-on with GP Enforcer turned on and SAML auth. Not a great experience in 5.0.0/5.0.1 (especially Mac side, but Windows is not bug free either)

--
Working with Palo Alto Networks products since 2015

thanks @cnygaard 

 

Sounds like I'll be waiting for 5.0.2.  Right now, until I get the MFA vendor integration going, I use user certs as well as AD auth.  Not sure if this is also a problem with 5.0.1, but I'll wait for 5.0.2 anyway 🙂

5.0.2 was released. @MikeC you can start 😉

I need to test the version tomorrow, but so far I have still the hope that this will be the most reliable GP version for years!

@Remo yes! I saw the email.  I'll be installing it tomorrow too (for testing)

 

 

  • 1 accepted solution
  • 13528 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!