We have a PaloAlto-820 providing GlobalProtect for remote access to four employees. What they can access inside our network remotely is very limited. Our cyber-security insurance now requires MFA for anyone who can remote into any server/desktop. Currently these users have usernames/passwords on the PA-850, because there are only 4 to manage.
What is the easiest way to meet this requirement? We already use both Google Workspace and Azure for our employees, but neither is tied to their user account on the PA, and neither requires MFA every time they access it.
If you already use Azure, just tie it in there with either SAML or NPS with the Azure plug-in, and if you go with SAML, just set up a conditional access policy for it to always require MFA.
If you want to continue using local accounts, I believe you will need to create a new Authentication Profile / Certificate Profile and an MFA server profile. I think that only works with four vendors currently - PingID, Duo, Okta, and RSA SecurID. So you would have to use one of those third party vendors, but each of them has a fairly straightforward instruction set on how to set up their product for the use case.
Your other somewhat straightforward option would be to set up Azure SSO with GlobalProtect, and then whatever MFA options you wrap around the account in Azure will apply to signing in with GlobalProtect. Since you don’t have MFA required for sign-in right now with Azure, you’d need to deploy that at least to your admin group. You could either do that on their normal accounts, or create “admin” accounts for them to log into GlobalProtect. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial
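The Conditional Access part of the two Azure answers above, written out as an added example (not from the thread and not Microsoft's or Palo Alto's own code): after the GlobalProtect enterprise app from the linked tutorial is registered, one Microsoft Graph PowerShell call creates a policy that demands MFA for every sign-in to that app. The enterprise app display name "Palo Alto Networks - GlobalProtect" and the group name "GlobalProtect-Users" are assumptions; use whatever names exist in your tenant.

```powershell
# Added example, not part of the original thread.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Assumed display name of the enterprise app created from the tutorial.
$app = Get-MgServicePrincipal -Filter "displayName eq 'Palo Alto Networks - GlobalProtect'"
if (-not $app) { throw "GlobalProtect enterprise app not found; register it first." }

# Assumed group holding the four VPN users; scoping to a group keeps the policy
# from touching everyone else in the tenant.
$group = Get-MgGroup -Filter "displayName eq 'GlobalProtect-Users'"
if (-not $group) { throw "Group GlobalProtect-Users not found." }

$policy = @{
    DisplayName = "Require MFA for GlobalProtect"
    # Start in report-only mode so you can watch the sign-in logs before it
    # can lock anyone out; change to "enabled" once it looks right.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Applications   = @{ IncludeApplications = @($app.AppId) }
        Users          = @{ IncludeGroups = @($group.Id) }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
    SessionControls = @{
        # Short sign-in frequency so a cached token cannot satisfy the
        # "MFA every time they connect" requirement the insurer imposes.
        SignInFrequency = @{ Value = 1; Type = "hours"; IsEnabled = $true }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two things worth checking after this runs: the policy matches on the app's AppId, not the service principal object id, and a user who already has a valid token will not be prompted until that token expires, which is why the sign-in frequency control is set alongside the MFA grant.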
My team is looking for an on-premises solution. I’m toying with privacyIDEA, Keycloak, and YubiKeys right now. Has anyone else gotten anything to work that’s on prem?
Duo is amazing but will require a proxy server to be in place for it to work. Super easy to set up and get working and very reasonably priced.
If you think that team is going to grow and you take cyber security seriously, getting Okta in place now would also be a smart thing to do and it will handle MFA for you.
Of all the suggestions, Duo will undoubtedly be the easiest method for this. You can sign up online and have it done by tomorrow with great documentation to do it without even talking to Cisco.