Hello, I am looking into enabling DUO for GlobalProtect. I am aware that DUO and Palo Alto support three ways to enable MFA:

- DUO's RADIUS proxy server
- DUO Access Gateway (DAG)
- SAML (e.g., Azure, Okta)

I tried all 3 of them, and I am leaning more towards SAML since it's just easier and supports the DUO prompts. I have a few questions and I was hoping someone could guide me:

1- Whenever I try to authenticate with either method above, I get prompted for DUO twice, once for the portal and once for the gateway (which makes sense). Is there a way to get around this without using cookies?

2- Assuming that cookies are required for question 1, is it ok to use the same certificate to encrypt/decrypt cookies, and also install the certificate along with the private key on the client? Unfortunately we don't have a way of pushing the certs to endpoints, so I have to rely on the firewall doing the installation. I am going to assume yes since it should be the same? Any security risk associated?

3- If I have to use cookies + certificate, is it ok to simply use a self-signed Root CA for this? Or should it be the root + intermediate + client cert, and use the client cert to install on the device, and the root cert to do the encryption/decryption?

Any help on this will be greatly appreciated. Thank you in advance!
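As an added illustration (not part of the post, and not PAN-OS, GlobalProtect or Duo code), the root + intermediate + client layout from question 3 built with the Python `cryptography` package (assumed installed), plus the check that matters for question 2: the bundle that goes to an endpoint should carry only the client's own key, never a CA key. All names and lifetimes are made up, and nothing here shows how the firewall itself encrypts authentication cookies.

```python
"""Three-tier chain (root CA -> issuing CA -> client cert) with a key-separation check.

Added example; assumes the `cryptography` package. Names are constructed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_cert(subject, issuer, signing_key, public_key, is_ca, path_len):
    """Sign a certificate for `public_key` with `signing_key` (the issuer's key)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_len), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_chain():
    """Root (self-signed) -> intermediate -> client; each tier has its own key."""
    root_key = new_key()
    root = build_cert(name("Lab Root CA"), name("Lab Root CA"), root_key, root_key.public_key(), True, 1)
    inter_key = new_key()
    inter = build_cert(name("Lab Issuing CA"), root.subject, root_key, inter_key.public_key(), True, 0)
    client_key = new_key()
    client = build_cert(name("gp-client"), inter.subject, inter_key, client_key.public_key(), False, None)
    return {"root": (root, root_key), "intermediate": (inter, inter_key), "client": (client, client_key)}


def signed_by(cert, issuer_cert):
    """True if `issuer_cert`'s public key verifies `cert`'s signature (RSA PKCS#1 v1.5)."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm
        )
        return True
    except Exception:
        return False


def verify_chain(chain):
    root, _ = chain["root"]
    inter, _ = chain["intermediate"]
    client, _ = chain["client"]
    return (
        signed_by(client, inter) and signed_by(inter, root) and signed_by(root, root)
        and client.issuer == inter.subject and inter.issuer == root.subject
    )


def private_key_pem(key):
    return key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()
    )


def client_bundle_pem(chain):
    """What an endpoint would receive: client cert + client key + CA certs (public parts only)."""
    client, client_key = chain["client"]
    inter, _ = chain["intermediate"]
    root, _ = chain["root"]
    pem = serialization.Encoding.PEM
    return client.public_bytes(pem) + private_key_pem(client_key) + inter.public_bytes(pem) + root.public_bytes(pem)


def private_keys_in_bundle(pem_bytes):
    """Parse every PKCS#8 private key block in a concatenated PEM bundle."""
    end = b"-----END PRIVATE KEY-----"
    keys = []
    for block in pem_bytes.split(end)[:-1]:
        start = block.find(b"-----BEGIN PRIVATE KEY-----")
        if start != -1:
            keys.append(serialization.load_pem_private_key(block[start:] + end + b"\n", password=None))
    return keys


def bundle_exposes_ca_key(bundle_pem, chain):
    """True if any private key in the endpoint bundle is a CA key (root or intermediate)."""
    ca_pubs = [chain[tier][0].public_key().public_numbers() for tier in ("root", "intermediate")]
    return any(k.public_key().public_numbers() in ca_pubs for k in private_keys_in_bundle(bundle_pem))


if __name__ == "__main__":
    chain = build_chain()
    bundle = client_bundle_pem(chain)
    print("chain verifies:", verify_chain(chain))
    print("bundle exposes a CA key:", bundle_exposes_ca_key(bundle, chain))
```

The point of `bundle_exposes_ca_key` is the separation the third question describes: a device holds a client certificate and its own key, while the key that does the server-side work (here the CA key) stays on the firewall. Running the check on a bundle that also contains the root key returns True, which is the configuration to avoid.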