Some legacy applications may have weak security, or the adoption of the Zero Trust model may require security to be buttoned up on sensitive systems. If additional authentication needs to be added, this can be accomplished by enabling an authentication policy and leveraging the Authentication Portal mechanism to inject an authentication request via a web page or even via GlobalProtect. Below are the steps to configure MFA-enabled web authentication for browser-based access to sensitive resources, and GlobalProtect-enabled MFA authentication for other protocols (like SSH and Remote Desktop).
Preparing MFA
Palo Alto Networks currently supports 4 built-in MFA providers but may add more in the future. Duo offers a free version for up to 10 users, which is a great way to play around with MFA.
Create an account and then create the "Palo Alto SSL VPN" application. You'll need the Integration Key, Secret Key and API hostname in a moment, so don't close this page just yet.
Next, we need to collect the certificates used by Duo so the firewall knows which ones to trust when it interfaces with Duo to authenticate a user. These certificates can be collected by opening a browser and navigating to the API hostname assigned in the Duo application, and adding the path /auth/v2.
The request itself ends on an error page, but that does not matter: the TLS certificate chain the browser received is what we need, and the root CA can be exported from it here.
Next, import the root certificate into Device > Certificate Management > Certificates, and then create a new Certificate Profile in Device > Certificate Management > Certificate Profile.
We can now create an MFA profile in Device > Server Profiles > Multi Factor Authentication by filling in the Integration Key, Secret key and API hostname, plus the Certificate Profile we just created.
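As an added example (not code from the original post, Palo Alto Networks or Duo), the following Python script shows what the three values in the MFA profile are used for: it signs a request the way a Duo Auth API integration does and calls /auth/v2/check, the endpoint that answers OK only when the Integration Key, Secret Key and API hostname are valid, and it trusts the Duo root collected above via cafile, exactly as the firewall's Certificate Profile does. The host and keys are constructed placeholders, and the signing scheme (canonical string, HMAC-SHA512 with SHA-1 as the legacy digest) is written from Duo's published Auth API description, so verify it against the current Duo documentation before relying on it.

```python
import base64
import email.utils
import hashlib
import hmac
import http.client
import json
import ssl
import urllib.parse

# Constructed placeholders: replace with the values from the Duo application.
API_HOST = "api-XXXXXXXX.duosecurity.com"
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "REPLACE_WITH_SECRET_KEY"


def canonicalize(date, method, host, path, params):
    """Duo's canonical string: one field per line, params sorted by key and
    RFC 3986-encoded ('~' stays literal, space becomes %20)."""
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])


def sign(ikey, skey, date, method, host, path, params, digest=hashlib.sha512):
    """Authorization header: HTTP Basic, user = ikey, password = hex HMAC of
    the canonical string keyed with skey (SHA-512; SHA-1 is the legacy digest)."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), digest).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{sig}".encode()).decode()


def check_integration(host=API_HOST, ikey=IKEY, skey=SKEY, cafile=None):
    """GET /auth/v2/check: returns 200 {"stat": "OK"} only if ikey, skey and
    host are valid. cafile=<the Duo root imported into the firewall> makes
    this client trust exactly what the Certificate Profile trusts."""
    date = email.utils.formatdate()  # RFC 2822; must equal the Date header sent
    path = "/auth/v2/check"
    headers = {"Date": date,
               "Authorization": sign(ikey, skey, date, "GET", host, path, {})}
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = json.loads(resp.read())
    conn.close()
    return resp.status, body
```

Run `check_integration(cafile="duo_root.pem")` with the exported root CA; anything other than a 200 with "stat": "OK" means the keys, hostname or trust chain will fail on the firewall as well.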
The MFA profile can now be added to an authentication profile in Device > Authentication Profile via the Factors tab. Add the MFA profile and check the Enable Additional Authentication Factors box.
The factor(s) will be applied in addition and right after the 'regular' (LDAP, SAML, RADIUS, etc.) authentication method. Multiple factors can be added to a single authentication profile, which will cause factors to be presented to a user in sequence from top to bottom, each time requiring the previous factor to succeed before continuing to the next factor.
Now that the authentication profile is ready, we need to configure Authentication Portal.
Authentication Portal
To set up Authentication Portal, we will need to create a server certificate, import it and its private key onto the firewall, and then create an SSL/TLS Profile in Device > Certificate Management > SSL/TLS Service Profile. This profile is used by the TLS service that serves the web interface to the user and requires a certificate the browser is willing to trust, so that the user sees no certificate warning when redirected.
We can then go ahead and enable Authentication Portal in Device > User Identification > Authentication Portal Settings:
Check the Enable Authentication Portal box
Add the SSL/TLS Service Profile
Add the Authentication Profile we added the Duo factor to earlier
Adjust Idle Timer and Timer (session time before re-authentication) appropriately
GlobalProtect Network Port is used by GlobalProtect, see GlobalProtect as MFA interface below
I prefer to use Redirect Mode as this provides a nice landing page for authentication and is most likely to support a wide variety of browsers. Transparent mode will inject the authentication into the original session which some browsers don't like.
Session cookies allow for a session to be re-authenticated after the Timer has expired by means of the cookie rather than the authentication profile. Disable cookies to force renewed MFA after the Timer expires.
Roaming allows a user to switch networks (wired to WiFi etc.) without needing to re-authenticate. Disable roaming to force re-authentication when a user moves to a new IP.
The Redirect Host IP or FQDN needs to match the certificate in the SSL/TLS Service Profile.
Certificate Authentication can be set up to add client certificates in addition to MFA
Next, we need to enable User-ID on the ingress zone where the users are located, if this hasn't been done already.
Also, an interface management profile needs to be added to the ingress interface, with 'Response Pages' enabled. Add the profile in Network > Network Profiles > Interface Mgmt.
Next, add the profile to the Advanced tab in the appropriate (user ingress) interface.
Now that everything's been set up, a few more rules need to be created.
Rules required for authentication injection
If the resource that needs to be protected is a TLS-enabled web frontend (https://), SSL decryption needs to be configured in Policies > Decryption before the authentication page can be presented.
In Objects > Authentication, create a new Authentication Enforcement profile that uses the Authentication Profile we created earlier and serves a web-form when triggered.
And finally, create a new rule in Policies > Authentication:
Set appropriate destination Zone and Addresses
Add Service ports and (custom) URL Categories if needed
Set the Authentication Enforcement to the Enforcement Profile we just created and set a Timeout before authentication is required again (default is 60)
Commit
Connections to the resource will now require additional authentication.
Outcome
Web-based requests will now be redirected to a Multi Factor authentication page.
This mechanism can also be applied to non-web-based connections like Remote Desktop connections or SSH sessions by using GlobalProtect.
GlobalProtect as MFA interface
The GlobalProtect agent can be set to listen for authentication messages sent from the Authentication Portal (default UDP 4501) when no web interface is available for a session that requires additional authentication. In Network > GlobalProtect > Portals > <portal name> > Agent > Agent Config > App, MFA can be enabled and redirected to the authentication portal. Note that the Trusted MFA Gateways attribute is set to the Authentication Portal URL with port 6082 for Captive Portal.
Once enabled, GlobalProtect will pop up as seen below whenever a protected resource is accessed.
Check out a live demo I did for the @DataEquipment brukerforum 2021
Reach out to tom@pangurus.com if you'd like to discuss Palo Alto consultancy needs