by jvalentine on 07-26-2017 08:05 AM I've done this successfully with SSH (and having the GlobalProtect client installed). When I attempt to SSH to a particular server, the GP agent alerts with a message that MFA is required before gaining access. I click and authenticate, and can then connect to the SSH server. This single thread is nearly the only useful result of a search for MFA, SSH and Palo Alto @jvalentine , How did you get this working? I can't seem to find any documentation on this and how to configure it. We are being told that we must have MFA controlling our SSH access to the Palo Alto, and there is hardly any information on this. We would be fine using Duo or YubiKey, GlobalProtect would work as an access point as we have also been told that we need to limit SSH from all systems that are not fully FIPS-compliant, which the VPN clients would be as the Palo is in FIPS mode. So, in order to access our Palo over SSH we would be connecting to the VPN using GlobalProtect, and then if configured correctly GP would prompt us for our MFA creds, either Yubikey cert/pin or Duo? Thanks in advance for any information anyone can provide on this.
... View more