Device > User Identification > Authentication Portal
Edit the Authentication Portal Settings to configure the firewall to authenticate users whose traffic matches an Authentication policy rule.

If Authentication Portal uses an SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile), an authentication profile (Device > Authentication Profile), or a Certificate Profile (Device > Certificate Management > Certificate Profile), configure that profile before you begin. The complete procedure to configure Authentication Portal requires additional tasks beyond configuring these profiles.

You must Enable Authentication Portal to enforce Authentication policy (see Policies > Authentication).
Field | Description |
---|---|
Enable Authentication Portal | Select this option to enable Authentication Portal. |
Idle Timer (min) | Enter the user time-to-live (TTL) value in minutes for an Authentication Portal session (range is 1 to 1,440; default is 15). This timer resets every time there is activity from an Authentication Portal user. If the idle time for a user exceeds the Idle Timer value, PAN-OS removes the Authentication Portal user mapping and the user must log in again. |
Timer (min) | This is the maximum TTL in minutes, which is the maximum time that any Authentication Portal session can remain mapped (range is 1 to 1,440; default is 60). After this duration elapses, PAN-OS removes the mapping and users must re-authenticate even if the session is active. This timer prevents stale mappings and overrides the Idle Timer value. You should always set the expiration Timer higher than the Idle Timer. |
SSL/TLS Service Profile | To specify a firewall server certificate and the allowed protocols for securing redirect requests, select an SSL/TLS service profile (Device > Certificate Management > SSL/TLS Service Profile). If you select None, the firewall uses its local default certificate for SSL/TLS connections. In the SSL/TLS Service Profile, set the Min Version to TLSv1.2 and set the Max Version to Max to provide the strongest security against SSL/TLS protocol vulnerabilities. Setting the Max Version to Max ensures that as stronger protocols become available, the firewall always uses the latest version. To transparently redirect users without displaying certificate errors, assign a profile associated with a certificate that matches the IP address of the interface to which you are redirecting web requests. |
Authentication Profile | You can select an authentication profile (Device > Authentication Profile) to authenticate users when their traffic matches an Authentication policy rule (Policies > Authentication). However, the authentication profile you select in the Authentication Portal Settings applies only to rules that reference one of the default authentication enforcement objects (Objects > Authentication). This is typically the case right after an upgrade to PAN-OS 8.0 because all Authentication rules initially reference the default objects. For rules that reference custom authentication enforcement objects, select the authentication profile when you create the object. |
GlobalProtect Network Port for Inbound Authentication Prompts (UDP) | Specify the port that GlobalProtect™ uses to receive inbound authentication prompts from multi-factor authentication (MFA) gateways (range is 1 to 65,536; default is 4,501). To support multi-factor authentication, a GlobalProtect endpoint must receive and acknowledge UDP prompts that are inbound from the MFA gateway. When a GlobalProtect endpoint receives a UDP message on the specified network port and the UDP message comes from a trusted firewall or gateway, GlobalProtect displays the authentication message (see Customize the GlobalProtect App). |
Mode | Select how the firewall captures web requests for authentication. Redirect mode is required if Authentication Portal uses Kerberos SSO because the browser provides credentials only to trusted sites. Redirect mode is also required if Authentication Portal uses multi-factor authentication (MFA). |
Session Cookie (Redirect mode only) | |
Redirect Host (Redirect mode only) | Specify the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests. If users authenticate through Kerberos single sign-on (SSO), the Redirect Host must be the same as the hostname specified in the Kerberos keytab. |
Certificate Profile | You can select a Certificate Profile (Device > Certificate Management > Certificate Profile) to authenticate users when their traffic matches any Authentication policy rule (Policies > Authentication). For this authentication type, Authentication Portal prompts the endpoint browser of the user to present a client certificate. Therefore, you must deploy client certificates to each user system. Furthermore, on the firewall, you must install the certificate authority (CA) certificate that issued the client certificates and assign the CA certificate to the Certificate Profile. This is the only authentication method that enables Transparent authentication for macOS and Linux endpoints. |
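An added example (not Palo Alto Networks code) that models the Idle Timer and Timer semantics from the table and lints a settings object against the constraints the table states (timer ranges and ordering, TLS versions, Redirect mode for Kerberos SSO and MFA, Redirect Host matching the keytab hostname). The dataclass field names and the TLS version ordering are assumptions chosen to mirror the web-interface labels.

```python
from dataclasses import dataclass

MINUTE_RANGE = range(1, 1441)  # Idle Timer and Timer both accept 1 to 1,440 minutes
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3", "Max"]  # assumed ordering

@dataclass
class AuthPortalSettings:
    """Assumed field names mirroring the web-interface labels (defaults from the table)."""
    idle_timer_min: int = 15
    timer_min: int = 60
    tls_min_version: str = "TLSv1.2"
    tls_max_version: str = "Max"
    redirect_mode: bool = False
    redirect_host: str = ""
    kerberos_sso: bool = False
    kerberos_keytab_host: str = ""
    mfa: bool = False

def lint(s: AuthPortalSettings) -> list[str]:
    """Return the settings that contradict the constraints described in the table."""
    findings = []
    for name, val in (("Idle Timer", s.idle_timer_min), ("Timer", s.timer_min)):
        if val not in MINUTE_RANGE:
            findings.append(f"{name} of {val} min is outside 1-1440")
    if s.timer_min <= s.idle_timer_min:
        findings.append("Timer must be higher than Idle Timer")
    if TLS_ORDER.index(s.tls_min_version) < TLS_ORDER.index("TLSv1.2"):
        findings.append("SSL/TLS Service Profile Min Version should be TLSv1.2")
    if s.tls_max_version != "Max":
        findings.append("SSL/TLS Service Profile Max Version should be Max")
    if (s.kerberos_sso or s.mfa) and not s.redirect_mode:
        findings.append("Redirect mode is required for Kerberos SSO and MFA")
    if s.redirect_mode and not s.redirect_host:
        findings.append("Redirect mode needs a Redirect Host")
    if s.kerberos_sso and s.redirect_host != s.kerberos_keytab_host:
        findings.append("Redirect Host must match the Kerberos keytab hostname")
    return findings

def mapping_expiry(idle_min: int, timer_min: int, activity_min: list[int]) -> int:
    """Minute at which PAN-OS removes the mapping (login at minute 0): activity
    resets the Idle Timer only while the mapping exists; Timer is a hard cap."""
    last_activity = 0
    for t in sorted(activity_min):
        if t >= timer_min or t - last_activity > idle_min:
            break  # mapping already removed: later activity cannot revive it
        last_activity = t
    return min(last_activity + idle_min, timer_min)
```

With the defaults (Idle Timer 15, Timer 60), a user who stays active every 10 minutes is still unmapped at minute 60, while one who goes quiet after minute 10 is unmapped at minute 25.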