Deploying Two-Factor Authentication on Palo Alto GlobalProtect VPN

This guide shows how to enable two-factor authentication (2FA / MFA) for Palo Alto Networks VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Palo Alto GlobalProtect VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Palo Alto GlobalProtect VPN 2FA performs as a RADIUS server, and the Palo Alto Networks VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Palo Alto Networks VPN two-factor authentication below.

1. How Two-Factor Authentication (2FA) Works for Palo Alto Networks VPN

Two-factor authentication (2FA), also known as multi-factor authentication (MFA), is a must-have security measure for Palo Alto GlobalProtect VPN. 2FA will protect Palo Alto GlobalProtect VPN logins from such threats as phishing, brute force, data spoofing, social engineering, keyloggers, man-in-the-middle attacks, etc.

And this is how two-factor authentication for Palo Alto GlobalProtect VPN works:

1. When a user initiates login to the Palo Alto GlobalProtect VPN protected with two-factor authentication, first of all, they will enter the first authentication factor — their standard password and login (something they know).


2. Then they will be asked to enter a second authentication factor – a one-time passcode from the two-factor authentication token (a 2FA token is something the user has — usually, it is a smartphone or a physical OTP token looking like a keyfob).

This way, to get access to the Palo Alto GlobalProtect VPN account protected with two-factor authentication, the fraudster has to get access to two authentication factors that differ in their nature. That is quite a challenging task. Moreover, a time-based one-time password remains active only for 30 seconds, which makes hacking way more complecated and almost impossible.

2. How to Enable Two-Factor Authentication (2FA) for Palo Alto Networks VPN

You can set up Palo Alto Networks VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Palo Alto Networks VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the Radius box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Palo Alto Global Protect VPN 2FA using RADIUS are available in our Protectimus RADIUS Server Installation Guide for Palo Alto Networks VPN 2FA.

2.3. Configure Palo Alto Networks RADIUS Server Profile

1. Log in to the Palo Alto Networks administrative interface.
2. On the Device tab, navigate to Server Profiles, then RADIUS.
3. Click the Add button to add a new RADIUS server profile. You will see the following window:

4. In the Profile Name field come up with a name for your RADIUS server, enter Protectimus RADIUS or any other name you wish.
5. Increase the Timeout to at least 30 seconds.
6. Change the Authentication Protocol to PAP.

PLEASE NOTE! PAN-OS 7.x users must set the protocol in the CLI with this command:

set authentication radius-auth-type pap

7. Click on Servers —> Add button, to add a RADIUS server. After this, enter the below information:

8. Click OK and save the new RADIUS server profile.

2.4. Create an Authentication Profile in Palo Alto Networks

1. Go to the Device tab and navigate to Authentication Profile.
2. Click on Add to create a new authentication profile, you will see the following window:

3. Enter the following data:

4. Keep the rest of the options on the current screen as their defaults.
5. Then click the Advanced tab and select the all group or choose a specific group to which this authentication profile will apply.
6. Click OK and save the Authentication profile you have created.

2.5. Assign the Authentication Profile to the GlobalProtect Portal and/or Gateway.

You can configure multiple client authentication configurations for the Palo Alto GlobalProtect portal and gateways. For each client authentication configuration, you can specify the Authentication Profile to apply to endpoints of a specific OS.

This step describes how to add the Authentication Profile to the Palo Alto GlobalProtect VPN portal or gateway configuration. For additional details on setting up these components, see the PaloAlto Networks documentation on GlobalProtect Portals and GlobalProtect Gateways.

1. Go to Network —> GlobalProtect —> Gateways or Portals.
2. Click on your configured GlobalProtect Gateway to bring up the properties window.
3. In the newly-opened window, select the Authentication tab.

4. Select an SSL/TLS Service Profile or Add a new one.
5. Depending on your configuration, click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.
6. Fill in the Client Authentication form with the following information.

7. Click OK to save the configuration.

Integration of two-factor authentication (2FA/MFA) for your Palo Alto Networks VPN is now complete.

If you have other questions, contact Protectimus customer support service.