To configure two Duo proxy servers for Palo Alto Firewall MFA Redundancy, you can follow these steps:
1. Configure the second Duo proxy server
Please follow this post:
Download and install DUO Proxy Server on Windows Server
Note 1: Set up the second Duo proxy server with the same configuration as the first.
Note 2: The second Duo proxy server can be set up with a different host IP address, which could point to the second Domain Controller for redundancy.
2. Configure the Palo Alto firewall to integrate with the two Duo proxy servers for redundancy
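As an added example (not from this post or from Duo's documentation), this is what the Duo Authentication Proxy's authproxy.cfg could look like on both servers: the two files are identical except for the [ad_client] host line, which points each proxy at a different Domain Controller. All IP addresses and upper-case values are constructed placeholders to replace with your own.

```ini
; Duo Authentication Proxy: authproxy.cfg (constructed example, not from the post)
; Proxy #1 and Proxy #2 use this same file; only the [ad_client] host line differs.

[ad_client]
; Proxy #1 -> first Domain Controller
host=10.0.0.11
; Proxy #2 -> second Domain Controller (the only line that changes):
; host=10.0.0.12
service_account_username=duo-svc
service_account_password=PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=local

[radius_server_auto]
; Values from the Duo Admin Panel for the RADIUS application
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
; Firewall's source IP and the shared secret entered in the PAN-OS RADIUS profile;
; both proxies must use the same secret as their matching RADIUS server profile
radius_ip_1=10.0.0.1
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
client=ad_client
port=1812
; "secure" denies logins if Duo's cloud cannot be reached; the default is "safe"
failmode=secure
```

Keep the same radius_secret_1 on both proxies so that either PAN-OS RADIUS server profile can be validated against either proxy during failover testing.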
- Configure the Palo Alto Firewall to use both Duo proxy servers in the RADIUS profile. This ensures that if the primary Duo proxy server is down, the Palo Alto Firewall will automatically use the backup server to authenticate users.
- Go to DEVICE>Server Profile>RADIUS.
- Click on Add
- Enter the information: profile Name, Timeout (Note: 120 sec is the default. We recommend reducing it to 30 sec; otherwise failover may not work because GlobalProtect may time out before 120 sec), RADIUS server IP address, and Secret key, which must match the Duo secret key.
- Create two RADIUS server profiles, one per Duo proxy, for redundancy.
- Create two MFA server profiles
- Go to the DEVICE>Authentication Profile
- Click on Add
- Enter the Authentication Profile information.
- Click on Advanced and select the AD group allowed to access the GlobalProtect VPN.
- Create two Authentication Profiles for redundancy.
3. Configure Authentication Sequence for redundancy
- Go to DEVICE>Authentication Sequence
- Click Add.
- Add the two Authentication Profiles you created before.
4. Test it
Please refer to this post to test it.
How to Test the Authentication Configuration in Palo Alto Firewall
Note: To apply Duo MFA to the GlobalProtect Gateway or Portal, please refer to this post: