Two portals, or two authentication profiles, or a better idea to test 2FA with GlobalProtect?

mattscratt
L1 Bithead


Howdy all,

 

Relatively new to PA and GP; I spent more time with Fortigate and Cisco at previous jobs. I work at a small company, and until the pandemic and the snowpocalypse, VPN access was only given to select people; we all just came to work.

I've been tasked with getting Duo Security two-factor authentication set up for VPN users. The problem is we can't just roll it out to all users at one time, and we want time to test it with IT staff and then others. It was suggested I set up another gateway and portal. For example, we use vpn.acme.com; I should set up 2favpn.acme.com, then we can test at that address, work out the kinks, etc., then replicate the settings to the production gateway/portal after training the users.

I've read plenty of links in the LIVEcommunity about people trying similar things, but nothing quite the same. As I read more and more, I'm wondering if that will actually work. I would need to assign a second IP to the ETH 1/1 interface, and would that cause havoc, need a firewall reboot, etc.? It just sounds like a mess in the making.

Would a better way be to set up an authentication profile that uses the 2FA mechanism and sync an AD group for users? I'm struggling with this, facing a deadline, and would appreciate your thoughts.

I've contacted support and have been told they are more break/fix, not implementation, and to contact our rep for an implementation services engagement. I've reached out numerous ways but have not heard back yet. Help! And thanks!

MickBall
L7 Applicator

Hi @mattscratt .

I can feel your dilemma, but you do have a few options, as you are already aware...

It will depend on other factors, as all options will eventually work, but it's more to do with what suits you and your org.

Do you have a wildcard certificate, do you manage your own DNS, do you allow users to change the portal address, how techie are your users... and on and on....

For me... create a new portal on a secondary address; no restart required. Keep the existing gateways but allow cookie auth to them.

This will keep one completely separate from the other, no AD group stuff, keep it simple...

The portal can be resolved by DNS or by editing the hosts file.....

This is how we currently test new rollouts, but we have wildcard certs, self-managed DNS, a stack of available addresses and 16 gateways to choose from.... I go for this because any balls-up only affects the user group and not our other 6k-plus user base.

 

HTH.
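Two of the preconditions in the reply above (a certificate that covers the new portal name, and testing the new address before DNS is cut over, as a hosts-file entry would) can be checked from a workstation before anyone commits firewall changes. The script below is an added example written for this thread, not code from either poster or from Palo Alto Networks. It connects to an arbitrary IP while sending the intended hostname as SNI, pulls the DNS names out of the served certificate, and applies strict single-label wildcard matching. The hostname 2favpn.acme.com and the address 203.0.113.6 in the usage are assumed placeholders.

```python
"""Check that the certificate served on a (new) GlobalProtect portal address
covers the portal hostname, without touching DNS or the hosts file.

Added example for this thread; hostnames/addresses are assumed placeholders.
"""
import socket
import ssl
import sys
from typing import Iterable, List, Optional


def label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single '*' as the whole leftmost label.

    The wildcard covers exactly one label and never the bare domain, so
    '*.acme.com' matches '2favpn.acme.com' but not 'acme.com' or 'a.b.acme.com'.
    Partial-label wildcards such as 'vpn*.acme.com' are rejected on purpose.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS SAN entry (wildcard or exact) matches the hostname."""
    return any(label_matches(name, hostname) for name in san_names)


def fetch_san(hostname: str, connect_ip: Optional[str] = None,
              port: int = 443, timeout: float = 5.0) -> List[str]:
    """TLS-connect to connect_ip (or hostname) with SNI=hostname and return
    the certificate's DNS SAN entries.

    check_hostname is disabled only so the cert can be inspected and matched
    by label_matches(); the chain is still verified against the system trust
    store (verify_mode stays CERT_REQUIRED). Supplying connect_ip does the
    same job as a hosts-file entry pointing hostname at the new address.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    target = connect_ip or hostname
    with socket.create_connection((target, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]


def check_portal(hostname: str, connect_ip: Optional[str] = None) -> bool:
    """Report whether the portal at connect_ip serves a cert valid for hostname."""
    sans = fetch_san(hostname, connect_ip)
    ok = cert_covers(sans, hostname)
    print(f"{hostname} via {connect_ip or 'DNS'}: SANs={sans} -> "
          f"{'OK' if ok else 'NOT COVERED'}")
    return ok


if __name__ == "__main__":
    # Usage: python check_portal.py 2favpn.acme.com 203.0.113.6
    # (assumed placeholder name and secondary portal address)
    host = sys.argv[1] if len(sys.argv) > 1 else "2favpn.acme.com"
    ip = sys.argv[2] if len(sys.argv) > 2 else None
    sys.exit(0 if check_portal(host, ip) else 1)
```

Run it against the secondary address before publishing the DNS record: a `NOT COVERED` result means the wildcard or SAN list on the portal certificate needs attention before pilot users are pointed at the new name, which is exactly the "do you have a wildcard certificate" question above. The matching function is deliberately stricter than some clients (no partial-label wildcards, no multi-label matches), so a pass here is a pass everywhere.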

 

 

mattscratt
L1 Bithead

Interesting ideas; we do manage our DNS, so that helps.

 

Can I assign two external IPs to the Eth 1/1 interface like in this post? Does it take a reboot? https://live.paloaltonetworks.com/t5/general-topics/multiple-addresses-in-the-same-ethernet-interfac...

MickBall
L7 Applicator

Are the addresses within a range with the same subnet mask?

 

 

mattscratt
L1 Bithead

Yes.
