Migrating a Cisco FW to a Palo Alto, and the Cisco has the ability to authenticate users to external RADIUS for FTP transfers based upon policy rules - the end user simply gets a user name and pass prompt which works across all platforms and can be scripted for automation. I know the Palo Alto has the ability to auth requests that are web based with Captive Portal in conjunction with the GlobalProtect Client installed on the end user's device, but this requires an install of the GP Client and user response. Given the high number of users and the various ways they have implemented FTP, i.e. a mix of remote servers running scripts 24 x 7 along with different system OSes etc., utilizing the GP Client is not an option. Is there a way to authenticate services other than Web such as Telnet and FTP without using the GP Client? I've tried to configure authentication for FTP utilizing an authentication policy and local user - but it seems the PA FW sends a UDP packet to the source on port 4501, which I'm assuming is to determine if the GP client is present. Was wondering if anyone has found a solution or has any feedback. Thanks!