Integrating FortiAuthenticator with PA Firewall for Multi-Factor Authentication on GlobalProtect


L1 Bithead

Hello,

I need to integrate my FortiAuthenticator, which is located at a remote site, with my PA firewall to add additional authentication factors for users connecting to GlobalProtect.

 

I haven't been able to find the documentation and procedures to accomplish this. I would appreciate it if someone with experience in this could provide the necessary requirements and configuration steps.

 

Thank you in advance.

1 accepted solution

Accepted Solutions

Hi @hamza_d ,

 

Q: Could you clarify what you mean by "native MFA"?

A: Please check the link I provided earlier. I have never had a use case to use this, but my understanding is that the FW is communicating through some kind of API with one of those IdP services (Okta, Duo, etc.) instead of using an additional auth protocol.

 

Q: Based on your experience, which is recommended: using FortiAuthenticator

A: I would say this heavily depends on your requirements, environment and setup. Lately more people are preferring SAML, mainly because it could provide a great Single Sign-On experience for the end users. Also, with RADIUS I am not sure you can have "push notification" for MFA; the user will need to manually type the one-time password. With SAML you can have push notification, allowing the user to just click the "approve" button.

 

 


5 Replies

Hi @hamza_d ,

 

I am guessing you are talking about the "native MFA" functionality described here - https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-aut...

 

There you can see that this can only be used with a handful of third-party IdPs like PingID, Okta, Duo - https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support

 

However, as with any other firewall vendor, you can enable MFA using any of the other standard authentication methods - RADIUS, TACACS, SAML.

 

You can find instructions on how to configure any of these auth. protocols in the first link above. The next step is to enable the MFA, but this is all done on the FortiAuthenticator.

 

Thanks,  @aleksandar.astardzhiev

 

 

Could you clarify what you mean by "native MFA"? Based on your experience, which is recommended: using FortiAuthenticator as a RADIUS server or as an IdP server (SAML)?

L1 Bithead

Hi @aleksandar.astardzhiev ,

I am waiting for your response.

Thank you. 



Native MFA means native multi factor authentication

