Network Security
Policy Object: Authentication
Specifies the method and service to use for authenticating end users who access your
network resources.
An authentication enforcement object specifies the method and
service to use for authenticating end users who access your network
resources. You assign the object to Authentication security rules,
which invoke the authentication method and service when traffic
matches a rule.
The following are the predefined, read-only authentication enforcement
objects:
- default-browser-challenge—The user's authentication credentials are obtained transparently. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you configure the Authentication Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to the authentication method specified in the predefined default-web-form object.
- default-web-form—To authenticate users, the certificate profile or authentication profile you specified when configuring the Authentication Portal is used. If you specified an authentication profile, any Kerberos SSO settings in the profile are used and an Authentication Portal page is presented for the user to enter authentication credentials.
- default-no-captive-portal—Security policy is evaluated without authenticating users.
Before creating a custom authentication enforcement object:
- Configure a server profile that specifies how to connect to the authentication service.
- Assign the server profile to an authentication profile that specifies authentication settings such as Kerberos single sign-on parameters.
To configure authentication, go to:
- Manage > Configuration > NGFW and Prisma Access > Identity Services > Authentication on Cloud Managed deployments.
- Policies > Authentication on PAN-OS and Panorama Managed deployments.
A custom authentication enforcement object consists of the following
fields:
Authentication Enforcement
Settings | Description
---|---
Name | Enter a descriptive name (up to 31 characters) to help you identify the object when defining Authentication rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared (Panorama only) | Select this option if you want the object to be available to:
Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this authentication enforcement object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Authentication Method | Select a method:
Authentication Profile | Select the authentication profile that specifies the service to use for validating the identities of users.
Message | Enter instructions that tell users how to respond to the first authentication challenge that they see when their traffic triggers the Authentication rule. The message displays in the Authentication Portal Comfort Page. If you don't enter a message, the default Authentication Portal Comfort Page displays. The Authentication Portal Comfort Page is displayed only for the first authentication challenge (factor), which you define in the Authentication tab of the Authentication profile. For multi-factor authentication (MFA) challenges that you define in the Factors tab of the profile, the MFA Login Page is displayed.
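The Name rules in the table above (at most 31 characters; only letters, numbers, spaces, hyphens and underscores; case-sensitive; unique, which also means a custom object cannot reuse one of the three predefined read-only names) are the kind of constraint that silently fails a commit when objects are generated by automation. The following is an added example, not code from this documentation or from Palo Alto Networks, that pre-checks a batch of proposed object definitions against those rules before they are pushed to the firewall or to Panorama. The `AuthEnforcementObject` model, the `check_batch` function and the sample names are assumptions made for this example; the requirement that an authentication profile be referenced is likewise an assumption, since the table does not state which methods require one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The predefined, read-only authentication enforcement objects named on this
# page. A custom object must not reuse any of these names.
PREDEFINED_OBJECTS = frozenset({
    "default-browser-challenge",
    "default-web-form",
    "default-no-captive-portal",
})

# Name rule from the Settings table: up to 31 characters, drawn only from
# letters, numbers, spaces, hyphens and underscores.
NAME_MAX_LEN = 31
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 _-]+$")


@dataclass(frozen=True)
class AuthEnforcementObject:
    """Hypothetical model of a custom authentication enforcement object."""
    name: str
    authentication_method: str
    authentication_profile: str
    message: str = ""  # optional: the default Comfort Page is shown if empty


def validate_name(name: str, existing: set[str]) -> list[str]:
    """Return the problems with a proposed object name (empty list = valid).

    `existing` holds the names of custom objects already configured.
    Comparison is case-sensitive, matching the rule in the Settings table,
    so "Corp-MFA" and "corp-mfa" are distinct names.
    """
    problems: list[str] = []
    if not name:
        return ["name is empty"]
    if len(name) > NAME_MAX_LEN:
        problems.append(f"name is {len(name)} characters; maximum is {NAME_MAX_LEN}")
    if not NAME_PATTERN.match(name):
        problems.append("name may contain only letters, numbers, spaces, hyphens and underscores")
    if name in PREDEFINED_OBJECTS:
        problems.append(f"{name!r} is a predefined read-only object name")
    elif name in existing:
        problems.append(f"{name!r} is already used by a custom object")
    return problems


def validate_object(obj: AuthEnforcementObject, existing: set[str]) -> list[str]:
    """Validate one object: name rules plus a referenced authentication profile
    (the profile requirement is an assumption of this example)."""
    problems = validate_name(obj.name, existing)
    if not obj.authentication_profile:
        problems.append("no authentication profile selected")
    return problems


def check_batch(objects: list[AuthEnforcementObject],
                existing: set[str]) -> dict[str, list[str]]:
    """Validate a batch of proposed objects, also catching duplicates within
    the batch itself. Returns {name: [problems]} with an entry per object."""
    seen: set[str] = set(existing)
    report: dict[str, list[str]] = {}
    for obj in objects:
        problems = validate_object(obj, seen)
        report[obj.name] = problems
        if not problems:
            seen.add(obj.name)  # later objects must not collide with this one
    return report


if __name__ == "__main__":
    # Constructed sample batch: one valid object, one reusing a predefined
    # name, one with an illegal character, one duplicate of the first.
    batch = [
        AuthEnforcementObject("Corp MFA_users-01", "web-form", "corp-auth-profile"),
        AuthEnforcementObject("default-web-form", "web-form", "corp-auth-profile"),
        AuthEnforcementObject("contractors.portal", "web-form", "corp-auth-profile"),
        AuthEnforcementObject("Corp MFA_users-01", "web-form", "corp-auth-profile"),
    ]
    for name, problems in check_batch(batch, existing=set()).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

Run the check against the names already present on the device (for example, exported through the XML API) before committing; anything reported as a problem would otherwise be rejected at validation time or, in the case-sensitivity case, create a near-duplicate object that is easy to confuse with an existing one.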