Purpose of Authen Profile under Global Protect Gateway


We have configured MFA using CP and using RSA as second authen.

Under Network

Portal    Authen -------------- Radius

Gateway   Authen -------------- Radius

Under Device

CP - Authen --------- RSA

Why do we need an Authen profile under Gateway?

Should the Authen profiles under Portal and Gateway be the same?

Why do we use the same authen Radius on both?

MP


All Replies

Hi @MP18

 

This would give you the possibility to assign different authentication profiles for portal and gateway, but as you are using the same one for both, it makes sure that users always have to log in with MFA (just in case the access to the portal isn't possible for whatever reason). In this situation with a non-working portal the GP clients will try to connect directly to the gateway.

So you have now secured the access with MFA, but to make the login process for the users a little easier (so that they don't need to log in twice for establishing the connection) you should configure authentication override with a cookie lifetime of 1 minute. This way when everything works as expected a user is required to do the MFA authentication only once.

 

Regards,

Remo


Hi Remo,

 

Always good to get a reply from you.

I did not understand this:

"should configure authentication override with a cookie lifetime of 1 minute. This way when everything works as expected a user is required to do the MFA authentication only once."

Can you please explain this in more detail?

 

Best Regards

Mike

MP

--> https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...

 

The article explains the use of cookies for authentication override and the general purpose of these. The time these cookies are valid can go up to a year, but if you only want to improve the user experience while maintaining as secure an authentication as possible, you should configure the lifetime to only 1 minute. This way the cookie can only be used for this one minute, and connection attempts after this minute need to do the full MFA authentication again.

 

Hope this helps.
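
A simplified model of the behaviour described in the replies above, added here as an illustration; it is not code from the thread or from Palo Alto Networks. The class and method names, the cookie format and the HMAC protection (a stand-in for the certificate-based cookie protection of a real deployment) are assumptions.

```python
import hashlib
import hmac

# Constructed model: names and cookie format are assumptions, not PAN-OS internals.
SECRET = b"constructed-demo-key"
COOKIE_LIFETIME_S = 60  # the 1-minute lifetime recommended in the thread


class Deployment:
    """Portal and gateway that share one MFA authentication profile."""

    def __init__(self, lifetime_s=COOKIE_LIFETIME_S):
        self.lifetime_s = lifetime_s
        self.mfa_prompts = 0

    def _mfa(self, user):
        # Stand-in for the RADIUS + RSA exchange; it only counts prompts.
        self.mfa_prompts += 1

    def _sign(self, payload):
        return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

    def _cookie_valid(self, cookie, user, now):
        try:
            c_user, issued, tag = cookie.split("|")
            issued = int(issued)
        except ValueError:
            return False  # malformed cookie: fall back to full MFA
        fresh = 0 <= now - issued <= self.lifetime_s
        genuine = hmac.compare_digest(tag, self._sign(f"{c_user}|{issued}"))
        return genuine and c_user == user and fresh

    def portal_login(self, user, now):
        # The portal always runs full MFA, then generates the override cookie.
        self._mfa(user)
        payload = f"{user}|{int(now)}"
        return f"{payload}|{self._sign(payload)}"

    def gateway_login(self, user, now, cookie=None):
        # The gateway accepts a fresh, genuine cookie; anything else means MFA.
        # cookie=None models a client that could not reach the portal.
        if cookie is not None and self._cookie_valid(cookie, user, now):
            return "cookie"
        self._mfa(user)
        return "mfa"
```

With the gateway profile in place, every path that lacks a fresh cookie (portal unreachable, reconnect after the lifetime, altered cookie) ends in a full MFA prompt.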
