Purpose of Authen Profile under Global Protect Gateway


Cyber Elite

 

We have configured MFA using CP and using RSA as second authen.

Under Network

Portal    Authen -------------- Radius
Gateway   Authen -------------- Radius

Under Device

CP - Authen --------- RSA

Why do we need the Authen profile under Gateway?

Does the Authen profile under Portal and Gateway have to be the same?

Why do we use the same authen Radius on both?

MP


L7 Applicator

Hi @MP18

 

This would give you the possibility to assign different authentication profiles for portal and gateway, but as you are using the same one for both, it makes sure that users always have to log in with MFA (just in case access to the portal isn't possible for whatever reason). In this situation, with a non-working portal, the GP clients will try to connect directly to the gateway.

So you have now secured the access with MFA, but to make the login process a little easier for the users (so that they don't need to log in twice to establish the connection), you should configure authentication override with a cookie lifetime of 1 minute. This way, when everything works as expected, a user is required to do the MFA authentication only once.

 

Regards,

Remo

Hi Remo,

 

Always good to get a reply from you.

I did not understand this:

"should configure authentication override with a cookie lifetime of 1 minute. This way when everything works as expected a user is required to do the MFA authentication only once."

Can you please explain this in more detail?

 

Best Regards

Mike

MP


L7 Applicator

--> https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...

 

The article explains the use of cookies for authentication override and the general purpose of these. The time these cookies are valid can go up to a year, but if you only want to improve the user experience while maintaining as secure as possible an authentication, you should configure the lifetime to only 1 minute. This way the cookie can only be used for this one minute, and connection attempts after this minute need to do the full MFA authentication again.

 

Hope this helps.
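
The behaviour described in the two answers above, as an added conceptual model that is not part of the original thread and not PAN-OS code: the function names, the cookie layout and the HMAC signing (standing in for the firewall's own cookie protection) are assumptions made for illustration. It shows the normal portal-then-gateway flow, the portal-unreachable case where the gateway's own authentication profile applies, and how the accepted lifetime bounds reuse of a cookie.

```python
import hashlib
import hmac

# Constructed demo key; stands in for the firewall's own cookie protection.
SECRET = b"constructed-demo-key"
ONE_MINUTE = 60
ONE_YEAR = 365 * 24 * 3600


def issue_cookie(user, now):
    """Portal side: called only after a full MFA login has succeeded."""
    payload = f"{user}|{int(now)}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def gateway_login(user, cookie, now, lifetime, mfa_ok=False):
    """Return how the gateway admitted the user: 'cookie', 'mfa' or 'denied'."""
    if cookie is not None:
        try:
            c_user, issued, tag = cookie.split("|")
            expected = hmac.new(SECRET, f"{c_user}|{issued}".encode(),
                                hashlib.sha256).hexdigest()
            fresh = 0 <= now - int(issued) <= lifetime
            if hmac.compare_digest(tag, expected) and c_user == user and fresh:
                return "cookie"
        except ValueError:
            pass  # malformed cookie: fall through to the auth profile
    # No usable cookie: the gateway's own authentication profile (MFA) decides.
    return "mfa" if mfa_ok else "denied"


def scenarios():
    t0 = 1_700_000_000  # constructed timestamp
    cookie = issue_cookie("mike", t0)  # issued after MFA at the portal
    return {
        # Normal flow: gateway reached 5 s after the portal login.
        "normal": gateway_login("mike", cookie, t0 + 5, ONE_MINUTE),
        # Portal unreachable: client goes straight to the gateway, no cookie.
        "portal_down": gateway_login("mike", None, t0 + 5, ONE_MINUTE, mfa_ok=True),
        # Same cookie presented 10 minutes later, without MFA.
        "late_1min": gateway_login("mike", cookie, t0 + 600, ONE_MINUTE),
        "late_1year": gateway_login("mike", cookie, t0 + 600, ONE_YEAR),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:12} -> {result}")
```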
