Configure Multiple Portals in Prisma Access (Strata Cloud Manager)
Focus
Focus
Prisma Access

Configure Multiple Portals in Prisma Access (Strata Cloud Manager)

Table of Contents


Configure Multiple Portals in Prisma Access (Strata Cloud Manager)

Learn how to configure multiple portals with multiple authentication methods in Prisma Access (Managed by Strata Cloud Manager).
  1. Contact the Palo Alto Networks support to activate this functionality.
  2. Configure a mobile user and the authentication method for it.
  3. Enable multiple portals for the same gateway.
    1. Select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect SetupInfrastructure.
    2. Edit the Infrastructure Settings.
    3. Enable Multiple Portal for Multiple Authentication Methods.
      The new portal appears for the 8443 port for the same tenant. This portal inherits the configuration settings from the original port, which is port 443.
  4. Edit the portal configurations to update the authentication settings.
    You can edit only the portal's Authentication Settings and Certificate Profile authentication settings.
    If you use certificate-based authentication in both portals, ensure that both portals use the same client certificate profile for authentication.
    This feature enables the authentication override settings to generate cookie for both portals in the GlobalProtect app settings.
    This feature enables the authentication override settings to generate and accept cookie for both portals in the tunnel settings.
  5. Save all your changes and Push the configuration changes to Prisma Access.
  6. Add the portals manually or using endpoint management software in the GlobalProtect app.
  7. Verify if you can connect to both portals with different authentication profiles for the gateway.
    1. Log in to your Windows machine.
    2. Connect to the portals in your GlobalProtect app.
      When you change the connection between portals of different authentication methods, authenticate the user login.
      If the authentication cookie expires when you connect to the 8443 portal and switch to the manual gateway, GlobalProtect connects to the Best Available Gateway.
      If your GlobalProtect app uses cached portal configurations, fallback to portal does not work.
If you're using SAML-based authentication for the secondary portal, enter the values as follows while integrating:
  • Single sign on URL: Enter https://Portal-FQDN:443/SAML20/SP/ACS
    Portal-FQDN is the FQDN for the Prisma Access portal
    Use portal 443 even if you have configured the secondary portal (8443).
  • Audience URI (SP Entity ID): Enter https://Portal-FQDN:443/SAML20/SP