Building Blocks of an Authentication Policy Rule
Table of Contents
Building Blocks of an Authentication Policy Rule
Whenever a user requests a resource (such as when visiting
a web page), the firewall evaluates Authentication policy. Based on
the matching policy rule, the firewall then prompts the user to
respond to one or more challenges of different factors (types),
such as login and password, voice, SMS, push, or one-time password
(OTP) authentication. After the user responds to all the factors,
the firewall evaluates Security policy (see Policies
> Security) to determine whether to allow access to the resource.
The firewall does not prompt users to authenticate if they
access non-web-based resources (such as a printer) through a GlobalProtect™ gateway
![]()
that is internal
or in tunnel mode. Instead, the users will see connection failure
messages. To ensure users can access these resources, set up an
authentication portal and train users to visit it when they see
connection failures. Consult your IT department to set up an authentication
portal.
The following table describes each building block or component
in an Authentication policy rule. Before you Add a
rule, complete the prerequisites described in Create
and Manage Authentication Policy.
Building Blocks in an Authentication
Rule | Configured In | Description |
|---|---|---|
Rule number | N/A | Each rule is automatically numbered and
the order changes as rules are moved. When you filter rules to match
specific filters, the page lists each
rule with its number in the context of the complete set of rules
in the rulebase and its place in the evaluation order. For details,
see rule sequence and its evaluation order
|
Name |
General
| Enter a name to identify the rule. The name
is case-sensitive and can have up to 63 characters, which can be
letters, numbers, spaces, hyphens, and underscores. The name must
be unique on a firewall and, on Panorama, unique within its device group
and any ancestor or descendant device groups. |
Description | Enter a description for the rule (up to
1024 characters). | |
Tag | Select a tag for sorting and filtering rules
(see Objects
> Tags). | |
Group Rules by Tag | Enter a tag with which to group
similar policy rules. The group tag allows you to view your policy rule
base based on these tags. You can group rules based on a Tag. | |
Audit Comment | Enter a comment to audit the
creation or editing of the policy rule. The audit comment is case-sensitive
and can have up to 256 characters, which can be letters, numbers,
spaces, hyphens, and underscores. | |
Audit Comment Archive | View previous Audit Comments for
the policy rule. You can export the Audit Comment Archive in CSV format. | |
| Bypass Web Proxy Authentication | Select this option to allow traffic that matches this policy rule to
Bypass Web Proxy Authentication traffic. If you select this option, you must select an address object that contains the source IP addresses
of your trusted devices, a custom URL category that contains the destination IP
addresses of your trusted devices, or both. | |
Source Zone | Source | Add zones to apply the
rule only to traffic coming from interfaces in the zones that you
specify (default is any). To define
new zones, see Network
> Zones. |
Source Address | Add addresses or address
groups to apply the rule only to traffic originating from the sources
that you specify (default is any). Select Negate to choose
any address except the selected ones. To define new address
or address groups, see Objects
> Addresses and Objects
> Address Groups. | |
Source User | User | Select the source users or user groups to which
the rule applies:
If
the firewall collects user information from a RADIUS, TACACS+, or
SAML identity provider server and not from the User-ID™ agent, the
list of users does not display; you must enter user information
manually. |
Source HIP Profile | Add host information profiles
(HIP) to enable you to collect information about the security status
of your end hosts, such as whether they have the latest security
patches and antivirus definitions. For details and to define new HIPs,
see Objects
> GlobalProtect > HIP Profiles. | |
Destination Zone | Destination | Add zones to apply the
rule only to traffic going to interfaces in the zones that you specify
(default is any). To define new zones, see Network
> Zones. |
Destination Address | Add addresses or address
groups to apply the rule only to the destinations that you specify
(default is any). Select Negate to choose
any address except the selected ones. To define new address
or address groups, see Objects
> Addresses and Objects
> Address Groups. | |
Service | Service/URL Category | Select from the following options to apply
the rule only to services on specific TCP and UDP port numbers:
|
URL Category | Select the URL categories to which the rule applies:
| |
Authentication Enforcement | Actions | Select the authentication enforcement object (Objects
> Authentication) that specifies the method (such as Authentication
Portal or browser challenge) and authentication profile that the
firewall uses to authenticate users. The authentication profile
defines whether users respond to a single challenge or to multi-factor authentication
(see Device
> Authentication Profile). You can select a predefined or custom
authentication enforcement object. If you must exclude
hosts or servers from a Authentication Portal policy, add them to
an Authentication Profile that specifies no-captive-portal as
the Authentication Enforcement. However,
Authentication Portal policies help the firewall learn user-to-IP-address mapping
and should be used when possible. |
Timeout | To reduce the frequency of authentication challenges
that interrupt the user workflow, you can specify the interval in
minutes (default is 60) when the firewall prompts the user to authenticate
only once for repeated access to resources. If the Authentication Enforcement object
specifies multi-factor authentication, the user must authenticate
once for each factor. The firewall records a timestamp and reissues
a challenge only when the timeout for a factor expires. Redistributing
Timeout is
a tradeoff between tighter security (less time between authentication
prompts) and the user experience (more time between authentication prompts).
More frequent authentication is often the right choice for access
to critical systems and sensitive areas such as a data center. Less
frequent authentication is often the right choice at the network perimeter
and for businesses for which the user experience is key. For
perimeter resources, set the value to 480 minutes (8 hours) and
for data center resources and critical systems, set a lower value
such as 60 minutes to tighten security. Monitor and adjust the values
as necessary. | |
Log Authentication Timeouts | Select this option (disabled by default)
if you want the firewall to generate Authentication logs
whenever the Timeout associated with an authentication
factor expires. Enabling this option provides more data to troubleshoot
access issues. In conjunction with correlation objects, you can
also use Authentication logs to identify suspicious activity on
your network (such as brute force attacks). Enabling
this option increases log traffic. | |
Log Forwarding | Select a Log Forwarding profile if you want
the firewall to forward Authentication logs
to Panorama or to external services such as a syslog server (see Objects
> Log Forwarding). | |
Any (target all devices) Panorama only | Target | Enable (check) to push the policy rule to
all managed firewalls in the device group. |
Devices Panorama only | Select one or more managed firewalls associated
with the device group to push the policy rule to. | |
Tags Panorama only | Add one or more tags
to push the policy rule to managed firewalls in the device group
with the specified tag. | |
Target to all but these specified devices
and tags Panorama only | Enable (check) to push the policy rule to
all managed firewalls associated with the device group except for
the selected device(s) and tag(s). |