Mixed authentication methods added for GlobalProtect

In Palo Alto Networks' latest release, 9.0.0, a new feature was added that lets you use mixed authentication methods on the same GlobalProtect portal and/or gateway.

When this feature is enabled, your users can authenticate with user credentials and/or client certificates. You can either require both user credentials and client certificates, or allow either user credentials or client certificates.

On top of this, you can set different requirements depending on which OS the user connects from. Below is the current list of operating systems you can set policies on:

  • Android
  • Chrome
  • iOS
  • Linux
  • Mac
  • Satellite
  • Windows
  • WindowsUWP
  • X-Auth

With this you could create an authentication-profile that requires Windows users to authenticate with both user credentials and client certificates.

Then create another that allows your Android users to authenticate with either user credentials or client certificates.

This feature is useful in several cases, for example if you already have two different portals and one of them only requires user credentials for authentication. In that case you could merge the two configurations and free up the public IP that was used for the other portal/gateway.
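The per-OS behaviour described above can be modelled to check a planned or merged configuration before it goes live, so you can see which operating systems end up accepting a single factor. This is an added example, not code from the original post or from Palo Alto Networks; `OsAuthRule`, the `mode` values and the deny-when-no-rule behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass

# OS names as the post lists them.
SUPPORTED_OS = ("Android", "Chrome", "iOS", "Linux", "Mac", "Satellite",
                "Windows", "WindowsUWP", "X-Auth")

@dataclass(frozen=True)
class OsAuthRule:              # hypothetical model, not a PAN-OS object
    os_name: str
    mode: str                  # "both" = credentials AND certificate, "either" = OR

def is_accepted(rules, os_name, has_credentials, has_certificate):
    """Would a client on os_name presenting these factors pass authentication?"""
    rule = next((r for r in rules if r.os_name == os_name), None)
    if rule is None:
        return False           # assumption: no matching rule means no access
    if rule.mode == "both":
        return has_credentials and has_certificate
    if rule.mode == "either":
        return has_credentials or has_certificate
    raise ValueError(f"unknown mode {rule.mode!r} for {os_name}")

def audit(rules):
    """Return {os_name: finding} for every OS in SUPPORTED_OS."""
    findings = {}
    for os_name in SUPPORTED_OS:
        matches = [r for r in rules if r.os_name == os_name]
        if not matches:
            findings[os_name] = "no rule"
        elif len(matches) > 1:
            findings[os_name] = "duplicate rules"
        elif (is_accepted(rules, os_name, True, False)
              or is_accepted(rules, os_name, False, True)):
            findings[os_name] = "single factor accepted"
        else:
            findings[os_name] = "credentials and certificate required"
    return findings

# Constructed policy matching the post's Windows/Android example.
SAMPLE_RULES = [OsAuthRule("Windows", "both"), OsAuthRule("Android", "either")]

if __name__ == "__main__":
    for os_name, finding in audit(SAMPLE_RULES).items():
        print(f"{os_name:<11} {finding}")
```

Running the audit after merging two portal configurations shows at a glance where the credentials-only behaviour of the old portal carried over.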

More information can be found at: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/globalprotect-features/mixed-authentication-method-support-for-certificates-or-user-credentials.html

If you have any questions, feel free to email me at petter.vikstrom@xenit.se or comment down below.
