There are several ways to configure MFA for Palo Alto GlobalProtect. This article shows, step by step, how to configure Palo Alto GlobalProtect to use Active Directory (AD) accounts with Multi-Factor Authentication (MFA):
Step 1: Create an Active Directory (AD) group for the users who will be using GlobalProtect.
Step 2: Download and install the DUO Proxy Server. We use DUO as an example.
Step 3: Create a new Authentication Profile in the Palo Alto Networks firewall
- Log in to the firewall’s web interface.
- Go to the Device tab, then select Authentication Profile.
- Click the “+” button to create a new profile.
- Give the profile a name, then select the Active Directory option for the “Authentication Method” field.
- Provide the necessary information for the AD server and the group you created in step 1.
- Click OK to save the profile.
Step 4: Enable Multi-Factor Authentication (MFA) for the Authentication Profile
1. Select the profile you created in step 3.
2. Click on the “MFA” tab.
3. Select the MFA provider you want to use (e.g. RADIUS, Okta, Microsoft Azure).
4. Provide the necessary information for the MFA provider.
5. Click OK to save the changes.
Step 5: Assign the Authentication Profile created in step 3 to the GlobalProtect Gateway
1. Go to the Network tab, then select GlobalProtect.
2. Select the Gateway, then click on the “Auth” tab.
3. Select the Authentication Profile you created in step 3 from the list.
4. Click OK to save the changes.
Step 6: Assign the Authentication Profile created in step 3 to the GlobalProtect Portal
1. Go to the Network tab, then select GlobalProtect.
2. Select the Portal, then click on the “Auth” tab.
3. Select the Authentication Profile you created in step 3 from the list.
4. Click OK to save the changes.
Step 7: Verify that the users in the AD group can successfully log in to GlobalProtect using their AD credentials and MFA
1. Try logging in to GlobalProtect using the AD credentials of a user in the group you created in step 1.
2. Verify that the user is prompted for MFA before being granted access.
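Before running the Step 7 test, it is worth checking the DUO proxy configuration from Step 2 for settings that would let a login succeed without the second factor or from outside the Step 1 group. The script below is an added example, not part of the original article or of Duo's tooling. It assumes the proxy is the Duo Authentication Proxy with an `authproxy.cfg` containing `[ad_client]` and `[radius_server_auto]` sections; the sample config and all values in it are constructed placeholders.

```python
import configparser

# Constructed sample authproxy.cfg; every value is a placeholder.
SAMPLE_CFG = """
[ad_client]
host=dc01.example.internal
service_account_username=svc-duo
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=internal

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER
client=ad_client
failmode=safe
"""

def audit_authproxy(cfg_text):
    """Return a list of findings for a Duo Authentication Proxy config."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(cfg_text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        if name.startswith("radius_server"):
            # failmode defaults to "safe": if Duo's service is unreachable,
            # users who pass primary authentication get in without a second factor.
            if sec.get("failmode", "safe").strip().lower() != "secure":
                findings.append(f"[{name}] failmode is not 'secure' (fails open)")
        if name.startswith("ad_client"):
            # Without security_group_dn, any AD account that authenticates
            # is accepted, not only members of the group from Step 1.
            if not sec.get("security_group_dn", "").strip():
                findings.append(f"[{name}] security_group_dn not set")
            # transport defaults to "clear": LDAP traffic to the DC is unencrypted.
            if sec.get("transport", "clear").strip().lower() == "clear":
                findings.append(f"[{name}] transport is 'clear' (unencrypted LDAP)")
    return findings

if __name__ == "__main__":
    for finding in audit_authproxy(SAMPLE_CFG):
        print(finding)
```

Setting `failmode=secure` trades availability for assurance: VPN logins are refused while Duo's service is unreachable, so decide on it deliberately and not by leaving the default in place.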