Authentication Policy
Authentication policy enables you to authenticate end users before they can access services and applications. Whenever a user requests a service or application (such as by visiting a web page), the firewall evaluates Authentication policy. Based on the matching Authentication policy rule, the firewall then prompts the user to authenticate using one or more methods (factors), such as login and password, Voice, SMS, Push, or One-time Password (OTP) authentication. For the first factor, users authenticate through an Authentication Portal web form. For any additional factors, users authenticate through a Multi-Factor Authentication (MFA) login page.
To implement Authentication policy for GlobalProtect, refer to Configure GlobalProtect to facilitate multi-factor authentication notifications.
After the user authenticates for all factors, the firewall evaluates Security Policy to determine whether to allow access to the service or application.
To reduce the frequency of authentication challenges that interrupt
the user workflow, you can specify a timeout period during which
a user authenticates only for initial access to services and applications,
not for subsequent access. Authentication policy integrates with
Authentication Portal to record the timestamps used to evaluate
the timeout and to enable user-based policies and reports.
Based on user information that the firewall collects during authentication,
User-ID creates a new IP address-to-username mapping or updates
the existing mapping for that user (if the mapping information has
changed). The firewall generates User-ID logs to record the additions
and updates. The firewall also generates an Authentication log for
each request that matches an Authentication rule. If you favor centralized
monitoring, you can configure reports based on User-ID or Authentication
logs and forward the logs to Panorama or external services as you
would for any other log types.
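As an added illustration (not PAN-OS code and not its configuration syntax), the following Python models the sequence this page describes: Authentication rule matching, the authentication timeout, the first-factor and MFA challenges, the User-ID IP address-to-username mapping update, and the Authentication and User-ID log entries. The rule fields, the creds dictionary and the IP addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AuthRule:
    name: str
    app: str            # application the rule matches, or "any" (constructed field names)
    factors: list       # "portal" (login/password form) first, then MFA factors such as "otp"
    timeout_s: int      # seconds after a successful authentication during which no new challenge is issued

@dataclass
class Firewall:
    rules: list
    ip_user_map: dict = field(default_factory=dict)  # User-ID IP address-to-username mapping
    last_auth: dict = field(default_factory=dict)    # src_ip -> time of last successful authentication
    userid_log: list = field(default_factory=list)   # (event, ip, username): mapping additions and updates
    auth_log: list = field(default_factory=list)     # (time, ip, rule name): one entry per matching request

def handle_request(fw, src_ip, app, now, creds):
    """Evaluate Authentication policy for one request.

    creds is the constructed input a user supplies when challenged, e.g.
    {"portal": "<username>", "otp": True}. Returns one of "no-auth-rule",
    "cached", "denied" or "authenticated"; Security policy is evaluated
    only after "cached" or "authenticated".
    """
    rule = next((r for r in fw.rules if r.app in (app, "any")), None)
    if rule is None:
        return "no-auth-rule"                          # no Authentication rule: no challenge, no Authentication log
    fw.auth_log.append((now, src_ip, rule.name))     # Authentication log for every request that matches a rule
    last = fw.last_auth.get(src_ip)
    if last is not None and now - last < rule.timeout_s:
        return "cached"                                # inside the timeout: initial access already authenticated
    username = creds.get("portal")                     # first factor: Authentication Portal web form
    if not username:
        return "denied"
    for factor in rule.factors[1:]:                    # additional factors: MFA login page
        if not creds.get(factor):
            return "denied"
    old = fw.ip_user_map.get(src_ip)
    if old != username:                                # new or changed mapping generates a User-ID log
        fw.userid_log.append(("add" if old is None else "update", src_ip, username))
        fw.ip_user_map[src_ip] = username
    fw.last_auth[src_ip] = now                         # timestamp used to evaluate the timeout
    return "authenticated"
```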