Prisma Access 3.2, Global Protect Internal Host Detection using Azure SAML MFA.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Prisma Access 3.2, Global Protect Internal Host Detection using Azure SAML MFA.

L0 Member

Hi,

I am trying to setup internal host detection for Global Protect within Prisma Access 3.2.

 

Global Protect authentication is using SAML with MFA.

 

Due to the Portal requiring login before internal host detection can take place, how do I stop the MFA prompt being presented with I am joining my device to the corporate network?

I have this working with my physical PA's by defining LDAP for authentication to the Portal (doesn't present MFA prompt), and then SAML MFA for Gateway authentication.

How would I do this with Prisma?

So far very unimpressed with Prisma Access functionality in many respects.

6 REPLIES 6

L6 Presenter

Well this is a community and maybe if you have some idea about Prisma Access improvments, better suggest them to the vendor as this help us the other users as well 🙂

 

 

 

About this issue, this sounds more like Azure AD bad config, so better involve your Microsoft team as they can simply register another application with the Azure AD for the Portal and under conditional access policies you can stop the Azure MFA for this Application but not change anything for the gateways. Basically you will have 1 more server and 1 more authentication profile on the firewall and one more registered Application in Azure Ad for the SAML connection that will not want MFA.

 

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access...

 

 

Another option is try to use an Authentication profile to the cloud identity engine and the cloud identity engine will be the one to start the SAML but I can't say if this will trigger before or after the internal host detection as I have not tested this myself.

 

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/identity-se...

 

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-b...

 

https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-...

 

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-cloud-identity...

 

 

A final option could be to use radius server as MFA:

 

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

 

 

 

Maybe also see if disabling "Use Default Browser for SAML Authentication" helps to triger SAML after the host detection as that is my final idea.

 

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-rele...

 

L6 Presenter

Also I forgot to add that with the cloud identity engine you can use an LDAP sync to the on-prem AD as a workaround even for Cloud-Only Prima Access.

 

Still you may address this to the support as even with the workarounds I metioned that you can try still the host detection is better to be triggered before anything else.

 

 

If some of my suggestions help you, please Accept the reply as an answer to your question 🙂

L1 Bithead

One option maybe could be to have a longer portal cookie timer to reduce the MFA prompts for Portal auths. 

L0 Member

It would be best to configure Conditional Access Policies on Azure to suppress MFA prompts on Prisma Access connections sourced from the Corporate public IP space. This way the behavior is controlled by the IDP team.

L1 Bithead

Hi, old treat thread but I am curious if you were able to come up with a solution adjusting setting on MS or portal configuration?

L1 Bithead

One way to tackle this:

 

* Use certificate-based authentication via pre-logon to auth to Prisma Access portal on machine startup.

* Internal Gateway authentication method can by None, and you pass the username in the Auth config.

  • 3304 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!