MFA for remote access via Global Protect

We have a PaloAlto-820 providing Global Protect for remote access to four employees. What they can access inside our network remotely is very limited. Our cyber-security insurance now requires MFA for anyone who can remote in to any server/desktop. Currently these users have username/passwords on the PA-850, because there are only 4 to manage.

What is the easiest way to meet this requirement? We already use both Google Workspace and Azure for our employees, but neither is tied to their user account on the PA and neither requires MFA every time they access it.

Thanks in advance!

If you already use Azure, just tie it in there with either SAML or NPS with the Azure plug-in. If you go with SAML, just set up a conditional access policy for it to always require MFA.

Are these AD accounts? DUO ties into Palo Alto very well for getting MFA at VPN login.

If you use Azure, then configure SAML and use conditional access policies.

If you want to continue using local accounts, I believe you will need to create a new Authentication Profile / Certificate Profile and an MFA server profile. I think that only works with four vendors currently - PingID, Duo, Okta, and RSA SecurID. So you would have to use one of those third party vendors, but each of them has a fairly straightforward instruction set on how to set up their product for the use case.

Your other somewhat straightforward option would be to set up Azure SSO with GlobalProtect, and then whatever MFA options you wrap around the account in Azure will apply to signing in with GlobalProtect. Since you don’t have MFA required for sign-in right now with Azure, you’d need to deploy that at least to your admin group. You could either do that on their normal accounts, or create “admin” accounts for them to log into GlobalProtect.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial
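The SAML route above only delivers MFA if the assertion the IdP hands back to the firewall actually records that MFA happened; a Conditional Access policy that is scoped too narrowly will still produce a valid, signed assertion for a password-only login. The following is an added example, not code from this thread or from Palo Alto or Microsoft, showing the claim-level checks a reviewer would want to see on such an assertion: validity window, audience, and the AuthnContextClassRef. The assertion is constructed inline and unsigned (signature validation is left to the firewall's SAML server profile), the SP entity ID and tenant ID are placeholders, and the Azure MFA context value is taken from Microsoft's documentation and should be confirmed against a real assertion from your tenant.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# AuthnContextClassRef value Azure AD / Entra ID places in the assertion when the
# user completed MFA (Microsoft's documented value; assumption - confirm it against
# a real assertion from your own tenant before relying on it).
AZURE_MFA_CONTEXT = "http://schemas.microsoft.com/claims/multipleauthn"
# Standard SAML class for a password-only login, used here as the "weak" case.
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_assertion(context_ref, not_before, not_on_or_after, audience):
    """Return a minimal, constructed, unsigned SAML assertion (demo input only)."""
    ts = lambda d: d.strftime(TS_FMT)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="{ts(not_before)}">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{ts(not_before)}" NotOnOrAfter="{ts(not_on_or_after)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{ts(not_before)}">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{context_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def _parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_audience, now, required_contexts=(AZURE_MFA_CONTEXT,)):
    """Inspect the claims that decide whether MFA really happened.

    Signature verification is deliberately out of scope: the firewall does that
    with the IdP certificate from its SAML server profile. This looks only at
    what the (already verified) assertion says.
    """
    root = ET.fromstring(xml_text)
    problems = []

    # 1. Validity window: reject stale or not-yet-valid assertions (replay guard).
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_ts(nb):
            problems.append("assertion not yet valid")
        if noa and now >= _parse_ts(noa):
            problems.append("assertion expired")

    # 2. Audience: the assertion must be addressed to this GlobalProtect SP entity,
    #    not to some other relying party in the same tenant.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: {audiences}")

    # 3. Authentication context: a password-only login must be refused even
    #    though the IdP vouched for the user's identity.
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    context = ctx.text.strip() if ctx is not None and ctx.text else None
    if context not in required_contexts:
        problems.append(f"MFA not evidenced: AuthnContextClassRef={context}")

    return {"ok": not problems, "context": context, "problems": problems}


def demo_result(context_ref, expired=False, audience_ok=True):
    """Build a constructed assertion for one scenario and check it."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sp = "https://vpn.example.com:443/SAML20/SP"   # placeholder SP entity ID
    start = now - timedelta(hours=2 if expired else 0, minutes=1)
    end = now - timedelta(hours=1) if expired else now + timedelta(minutes=5)
    audience = sp if audience_ok else "https://other.example.net/SP"
    return check_assertion(build_assertion(context_ref, start, end, audience), sp, now)


if __name__ == "__main__":
    for label, ctx in (("mfa", AZURE_MFA_CONTEXT), ("password-only", PASSWORD_CONTEXT)):
        print(label, demo_result(ctx))
    print("expired", demo_result(AZURE_MFA_CONTEXT, expired=True))
```

The practical use is as a test harness when rolling out the Conditional Access policy: capture a real assertion (browser SAML tracer or the firewall's authentication logs) from a login you know was password-only and from one that prompted for MFA, and confirm the third check distinguishes them before trusting the policy for the insurance requirement.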

We did a PA, Clearpass, DUO combo

My team is looking for an on-premises solution. I’m toying with PrivacyIDEA, KeyCloak, and Yubikeys right now. Has anyone else gotten anything to work that’s on prem?

We used Duo with the proxy server but had trouble with it. Abandoned that and went to Duo with SAML. Been absolutely solid ever since.

OKTA integrates really well with the firewall. I have set this up in my lab using local users on the firewall.

We used Duo with the Proxy server as well. Very easy to set up and works well.

Try Cisco Duo, you can create a free account for 10 people. Here is the link for integration with Palo Alto.
https://duo.com/docs/paloalto

Use PUSH authentication on mobile phone.

Usual_Danger is spot-on with Azure and Conditional Access.

NPS is going to require that the users be in AD. OP states they are local Palo users.

Duo is amazing but will require a proxy server to be in place for it to work. Super easy to set up and get working and very reasonably priced.

If you think that team is going to grow and you take cyber security seriously, getting Okta in place now would also be a smart thing to do and it will handle MFA for you.

Of all suggestions DUO will undoubtedly be the easiest method for this. You can sign up online and have it done by tomorrow with great documentation to do it without even talking to Cisco.

How does DUO work with Win Server 2019/22 using AD auth?

RCDevs works fine and it’s easy to set up.

We use RSA SecurID authentication manager.

I think you could also use DUO with ADFS and use that for GP authentication. No proxy server required in that case.

I actually did this before and used Okta. Can confirm, it works.