12-09-2024 12:05 AM
Hello everyone,
Could you tell me about the following?
1. Is FIDO2 authentication supported by Global Protect?
*According to the following website, it appears to be supported.
https://docs.paloaltonetworks.com/whats-new/new-features/june-2024/gp-webview2-63
2. If FIDO2 authentication by Global Protect is supported, what versions of the Global Protect client and PAN-OS support FIDO2 authentication?
3. According to the article below, it seems that there is a problem with FIDO2 authentication only in the built-in browser, but will it work normally in other browsers regardless of version?
12-10-2024 01:03 AM
Hello Tsushima-san
1. This is correct
2. This is also correct
3. Also correct. Most system browsers support FIDO2 with no extra effort. the GlobalProtect embedded browser did not support FIDO2 until recently
4. the PAN-OS version does not matter, FIDO2 happens at the client side. For the firewall this is 'normal' SAML authentication
Best regards
Tom
12-09-2024 01:40 AM
1. yes but id' probably recommend going with GlobalProtect 6.3
2. 6.2 appears to work as seen in the forum post you linked in 3. . I would aim or GP 6.3 as that has documented support
3. for FIDO2 the usual recommendation is to use the system browser which will always* support FIDO2
*unless your system browser's security has been set so thight it is unable to interface with the smartkey/smartcard/...
12-09-2024 07:19 PM
Hello Reaper-san,
My understanding is as follows. Could you please point out any errors?
1. FIDO2 authentication via Global Protect is supported.
2. The version of the Global Protect client that supports FIDO2 authentication is 6.3.
3. No issues with FIDO2 authentication have been reported with browsers other than the built-in browser.
It is recommended to use a browser that supports FIDO2.
Just to confirm, what version of PAN-OS supports FIDO2 authentication via Global Protect?
Regards,
Yusuke Tsushima
12-10-2024 01:03 AM
Hello Tsushima-san
1. This is correct
2. This is also correct
3. Also correct. Most system browsers support FIDO2 with no extra effort. the GlobalProtect embedded browser did not support FIDO2 until recently
4. the PAN-OS version does not matter, FIDO2 happens at the client side. For the firewall this is 'normal' SAML authentication
Best regards
Tom
12-10-2024 02:36 AM
Hello Tom-san,
Thank you.
1.~3. I understand that my understanding is correct.
4. I understand that FIDO2 authentication is available regardless of the PAN-OS version.
Regards,
Yusuke Tsushima
12-11-2024 11:54 PM
Hello Tom-san,
Could you please give me some additional information?
5. Is the use of the embedded browser not recommended even in GP6.3?
6. Does GP below 6.3 (6.2 or below) also support FIDO2 authentication?
In the following post, there is a comment that FIDO2 authentication does not work with the embedded browser in GP6.2.3, but works with the default browser.
7. If GP below 6.3 (6.2 or below) also supports FIDO2 authentication, to what extent is it supported and recommended?
- Are both the embedded browser and other browsers supported?
- Is the use of the embedded browser not recommended? (Because there are cases where it does not work properly)
- Is the use of browsers other than the embedded browser recommended? (Because no problems have been reported at this time)
Regards,
Yusuke Tsushima
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
