Interesting ideas; we do manage our DNS, so that helps. Can I assign two external IPs to the Eth 1/1 interface like in this post? Does it take a reboot? https://live.paloaltonetworks.com/t5/general-topics/multiple-addresses-in-the-same-ethernet-interface/m-p/66635#M39262
Howdy all,

Relatively new to PA and GP, spent more time with Fortigate and Cisco at previous jobs. I work at a small company, and until the pandemic and snowpocalypse VPN access was only given to select people; we all just came to work. I've been tasked with getting Duo Security two-factor authentication set up for VPN users. Problem is we can't just roll it out to all users at one time, and we want time to test it with IT staff and then others.

It was suggested I set up another gateway and portal. For example, we use vpn.acme.com, so I should set up 2favpn.acme.com; then we can test at that address, work out the kinks, etc., then replicate the settings to the production gateway/portal after training the users. I've read plenty of links in the live community about people trying similar things, but nothing quite the same.

As I read more and more, I'm wondering if that will actually work. I would need to assign a second IP to the ETH 1/1 interface, and would that cause havoc, need a firewall reboot, etc.? It just sounds like a mess in the making. Would a better way be to set up an authentication profile that uses the 2FA mechanism and sync an AD group for users?

I'm struggling with this, facing a deadline, and would appreciate your thoughts. I've contacted support and have been told they are more break-fix, not implementation, and to contact our rep for an implementation services engagement. I've reached out numerous ways but have not heard back yet.

Help! And thanks!