Q: Currently, we are using a local user database to access GlobalProtect on a PA-850 firewall. We are migrating the local user database to an AD user database. We have created two authentication profiles, one for local users and another for AD users, but only the top one is working.
Can we have both authentication profiles (local users and AD users) for access to GlobalProtect? If so, how do you make them work?
A: Yes, you can use an Authentication Sequence, where you enter all the authentication profiles to be used for login. Go to Device > Authentication Sequence.
Create a new sequence, select all the needed profiles, and use this sequence entry in GlobalProtect (Portal/Gateway).
Step 1: Add a RADIUS Server Profile
1. Click on the Device tab, and navigate to Server Profiles, then RADIUS.
2. Click the Add button to add a new RADIUS server profile.
3. Enter the information such as Name, Timeout, Retries, and Authentication Protocol.
4. Under the "Servers" section, click the Add button to add a RADIUS server, and enter the Name, RADIUS server IP, shared secret, and port.
Step 2: Add an Authentication Profile
1. On the Device tab, navigate to Authentication Profile.
2. Click the Add button to add a new authentication profile.
3. Enter the information such as Name, Type (RADIUS, matching the server profile from Step 1), Server Profile, User Domain, and Username Modifier.
4. Click the Advanced tab. In the "Allow List" section, click the drop-down and select "all" (or, if you want to restrict which users may authenticate with the Duo profile, select the group of your choice).
5. Click OK to save the authentication profile.
Step 3: Configure GlobalProtect Gateway
1. On the Network tab, navigate to GlobalProtect, then Gateways.
2. Click Add to create a Gateway.
3. Enter the information such as Name, Interface, IP Address Type, and IPv4 Address.
4. Click the Authentication tab, then Add, and select the Duo authentication profile created before.
5. Click OK (twice if you also enabled authentication override cookies) to save the GlobalProtect Gateway settings.
Step 4: Configure GlobalProtect Portal
If the GlobalProtect Portal is configured for Duo two-factor authentication, users may have to authenticate twice when the GlobalProtect agent connects to the gateway. For the best user experience, Duo recommends leaving your GlobalProtect Portal set to LDAP or Kerberos authentication, or, if you do add Duo to your GlobalProtect Portal, enabling cookies for authentication override on the portal to avoid multiple Duo prompts when connecting.
Note that if Duo is applied only at the GlobalProtect Gateway then users may not append a factor or passcode to their password when logging in.
If your organization would like to protect the GlobalProtect Portal with Duo follow these instructions.
1. Click on the Network tab, navigate to GlobalProtect, then Portals.
2. Click on your configured GlobalProtect Portal to bring up the properties window.
3. On the Authentication tab of the GlobalProtect Portal Configuration, select the Duo authentication profile created before.
2. Launch the Authentication Proxy installer on the Windows server that will be the Duo Authentication Proxy server. Click Yes in the popup "Do you want to allow this app to make changes to your device?".
3. Click Next.
4. On the Choose Components page, check Proxy Manager and click Install.
service_account_username=The username of a domain account the proxy uses to bind to Active Directory and search for users. It only needs read access to the directory; it should not be a member of Domain Admins, because the proxy stores this password in its configuration file.
service_account_password=The password corresponding to service_account_username.
search_dn=The LDAP distinguished name (DN) of the Active Directory/LDAP container or organizational unit (OU) containing all of the users you wish to permit to log in.
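The following is a complete authproxy.cfg that wires the three directory settings above to the RADIUS listener the firewall talks to. It is an added example, not text from the original page or from Duo's documentation. The hostnames, DNs, IP address, file path and the ikey/skey/api_host values are placeholder assumptions and must be replaced with your own; the option names themselves are the ones the Duo Authentication Proxy reads from its [ad_client] and [radius_server_auto] sections.

```ini
; authproxy.cfg - added example, not from the page or from Duo's documentation.
; Every value below is a placeholder assumption; replace it with your own.

[ad_client]
; Domain controllers the proxy binds to for the primary (password) check.
host=dc1.example.local
host_2=dc2.example.local
; Read-only bind account. Domain Admins membership is NOT required;
; a plain domain user that can read the users' OU is enough.
service_account_username=svc-duo-proxy
service_account_password=<service account password>
; Only users under this OU can authenticate ...
search_dn=OU=Users,DC=example,DC=local
; ... and, optionally, only members of this group (the AD group of permitted GlobalProtect users).
security_group_dn=CN=GlobalProtect-Users,OU=Groups,DC=example,DC=local
; Encrypt the LDAP bind so neither the service-account password nor the
; users' passwords cross the network in the clear.
transport=ldaps
ssl_ca_certs_file=C:\Program Files\Duo Security Authentication Proxy\conf\ad-ca.pem

[radius_server_auto]
; Duo application credentials from the Duo Admin Panel.
ikey=<Duo integration key>
skey=<Duo secret key>
api_host=api-XXXXXXXX.duosecurity.com
; The firewall: the address its RADIUS requests arrive from, and the shared
; secret, which must match the RADIUS server profile created on the firewall.
radius_ip_1=10.0.0.1
radius_secret_1=<same secret as in the PAN-OS RADIUS server profile>
; Primary authentication is delegated to the [ad_client] section above.
client=ad_client
; Fail closed: deny logins if the Duo service cannot be reached.
; 'safe' would instead allow password-only logins during a Duo outage.
failmode=secure
; UDP port the proxy listens on; enter the same port on the firewall.
port=1812
```

On the firewall side, the RADIUS server profile from Step 1 points at the proxy's IP and port 1812 with the same shared secret, and its Authentication Protocol is PAP, which is what radius_server_auto accepts. radius_ip_1 must be the address the firewall actually sources RADIUS traffic from: the management interface by default, or the dataplane interface chosen by a RADIUS service route if one is configured. Restart the Duo Authentication Proxy service after editing the file.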
You have several options for configuring Palo Alto GlobalProtect MFA. This article shows you how to configure Palo Alto GlobalProtect to use Active Directory (AD) accounts with Multi-Factor Authentication (MFA), step by step:
Step 1: Create an Active Directory (AD) group for the users who will be using GlobalProtect.
Step 2: Download and install the Duo Authentication Proxy (we use Duo as the example).
Step 3: Create a new Authentication Profile in the Palo Alto Networks firewall
Log in to the firewall's web interface.
Go to the Device tab, then select Authentication Profile.
Click Add to create a new profile.
Give the profile a name and set its Type. PAN-OS has no "Active Directory" authentication type: to authenticate against AD directly, choose LDAP and select an LDAP server profile (Device > Server Profiles > LDAP) whose Type is active-directory; if the Duo Authentication Proxy from Step 2 performs the AD check, choose RADIUS and select the RADIUS server profile that points at the proxy instead.
Provide the necessary information for the AD server, and on the Advanced tab restrict the Allow List to the group you created in Step 1 (the group appears in the list once User-ID group mapping for the domain is configured).
Click OK to save the profile.
Step 4: Enable Multi-Factor Authentication (MFA) for the Authentication Profile
1. Select the profile you created in Step 3.
2. If the profile is of type RADIUS and points at the Duo Authentication Proxy, the second factor is delivered by the proxy (it checks the AD password, then sends the Duo prompt) and no additional MFA settings are needed on the firewall.
3. For the GlobalProtect portal and gateways, other MFA providers are likewise integrated through RADIUS or SAML, following that vendor's guide.
4. The tab the firewall does offer is named "Factors" (there is no "MFA" tab); it selects an MFA server profile (Device > Server Profiles > Multi Factor Authentication: Duo v2, Okta Adaptive, PingID or RSA SecurID Access) for use with Authentication Policy.
5. Click OK to save the changes.
Step 5: Assign the Authentication Profile created in Step 3 to the GlobalProtect Gateway
1. Go to the Network tab, then select GlobalProtect > Gateways.
2. Select the Gateway, then click the "Authentication" tab.
3. Select the Authentication Profile you created in Step 3 from the list.
4. Click OK to save the changes.
Step 6: Assign the Authentication Profile created in Step 3 to the GlobalProtect Portal
1. Go to the Network tab, then select GlobalProtect > Portals.
2. Select the Portal, then click the "Authentication" tab.
3. Select the Authentication Profile you created in Step 3 from the list.
4. Click OK to save the changes.
Step 7: Verify that the users in the AD group can successfully log in to GlobalProtect using their AD credentials and MFA
1. Try logging in to GlobalProtect using the AD credentials of a user in the group you created in Step 1.
2. Verify that the user is prompted for MFA before being granted access, and that a user outside the group is rejected.
3. If a login fails, the firewall's System log (Monitor > Logs > System) records the authentication event, including the profile and server that rejected it.
You can run ping from two planes: the Management Plane (MP) and the Data Plane (DP). Which one is used depends on how you invoke the command: ping with no source address leaves through the management interface (MP), while specifying a dataplane interface address as the source sends the probe from that interface (DP).
You must activate Palo Alto Networks licenses for each of the services you purchased before you can start using the firewall to secure the traffic on your network. This article shows how to do so.
Step 1: Register the device on the Customer Support Portal
• You have two options: Register device using Serial Number or Authorization Code, or Register usage-based VM-Series models (hourly/annual) purchased from a public cloud Marketplace or Cloud Security Service Provider (CSSP). Check the option you want and click Next.
• Enter the device information such as Serial Number, Device Name, and Device Tag.
• Enter the Location Information and then click Agree and Submit.
Step 2: Run Day 1 Configuration
• After registering the device, you have an option to Run Day 1 Config.
• Enter the Serial Number of the device you just registered to create a Day 1 Configuration.
Note: Placing a Day 1 Configuration on your firewall will replace any other configuration currently in place.
• Click Confirm Serial Number to continue.
• Enter the Setup information such as S/N, Device Type, PAN-OS Version, and Hostname.
• Enter the Management Type and info.
• Enter Logging info.
• Click Generate Config File.
Step 3: Activate the support license
• Log in to the firewall web interface and go to Device > Support.
• Click Activate support using authorization code.
• Enter the Authorization Code from the "Order Summary for Cloud Harmonics SO#" e-mail you received from Palo Alto Networks, and then click OK.
• The Support page now shows the Support Expiry Date, Level, and Description.
Step 4: Activate purchased licenses
• Go to Device > Licenses.
• Retrieve license keys from license server: use this option if you activated your licenses on the Customer Support Portal.
• Activate feature using authorization code: use this option to activate other features.
• After activation, the Licenses page lists each activated feature with its expiry date, which confirms that the license was applied successfully.