Authentication Policy
Authentication policy enables you to authenticate end users before they can access services and applications. Whenever a user requests a service or application (such as by visiting a web page), the firewall evaluates Authentication policy. Based on the matching Authentication policy rule, the firewall then prompts the user to authenticate using one or more methods (factors), such as login and password, Voice, SMS, Push, or One-time Password (OTP) authentication. For the first factor, users authenticate through a Captive Portal web form. For any additional factors, users authenticate through a Multi-Factor Authentication (MFA) login page.
To implement Authentication policy for GlobalProtect, refer to Configure GlobalProtect to facilitate multi-factor authentication notifications.
After the user authenticates for all factors, the firewall evaluates Security policy to determine whether to allow access to the service or application.
To reduce the frequency of authentication challenges that interrupt the user workflow, you can specify a timeout period during which a user authenticates only for initial access to services and applications, not for subsequent access. Authentication policy integrates with Captive Portal to record the timestamps used to evaluate the timeout and to enable user-based policies and reports.
Based on user information that the firewall collects during authentication, User-ID creates a new IP address-to-username mapping or updates the existing mapping for that user (if the mapping information has changed). The firewall generates User-ID logs to record the additions and updates. The firewall also generates an Authentication log for each request that matches an Authentication rule. If you favor centralized monitoring, you can configure reports based on User-ID or Authentication logs and forward the logs to Panorama or external services as you would for any other log types.
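The following Python model, added here for illustration and not PAN-OS code, walks through the evaluation order the sections above describe: rule match, challenge for each factor (Captive Portal web form first, MFA factors after it), suppression of repeat challenges inside the timeout, the User-ID mapping add or update with its log entry, an Authentication log entry per matching request, and finally the Security policy decision. The rule object, the `request` method, the log line formats and the scenario inputs (IP addresses, user names, which factors a user can satisfy) are all assumptions constructed for the example; on a firewall, the factor exchange is an interactive credential check rather than a set passed in by the caller.

```python
"""Model of Authentication policy evaluation with a timeout and User-ID mapping.
Illustrative code written for this page; it does not reproduce PAN-OS internals."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class AuthRule:
    name: str
    services: Set[str]      # services (e.g. "http") the rule matches (assumed shape)
    factors: List[str]      # first entry is the Captive Portal web form, the rest are MFA
    timeout: int            # seconds after a success during which no new challenge is issued


@dataclass
class AuthState:
    username: str
    last_auth: float        # timestamp recorded at the last successful authentication


@dataclass
class Firewall:
    rules: List[AuthRule]
    security_policy: Callable[[Optional[str], str], bool]   # (username, service) -> allow?
    ip_user_map: Dict[str, str] = field(default_factory=dict)        # User-ID mapping
    auth_state: Dict[str, AuthState] = field(default_factory=dict)   # keyed by source IP
    user_id_log: List[str] = field(default_factory=list)
    auth_log: List[str] = field(default_factory=list)

    def match_rule(self, service: str) -> Optional[AuthRule]:
        # first matching rule wins, as in an ordered rulebase
        return next((r for r in self.rules if service in r.services), None)

    def request(self, src_ip: str, service: str, now: float,
                username: str, passed: Set[str]) -> Tuple[str, List[str]]:
        """Evaluate one request. `passed` is the set of factors this user can satisfy
        (constructed stand-in for the real credential exchange).
        Returns (decision, list of factors the user was prompted for)."""
        prompted: List[str] = []
        rule = self.match_rule(service)
        if rule is not None:
            # one Authentication log entry per request that matches a rule
            self.auth_log.append(f"t={now} src={src_ip} service={service} rule={rule.name}")
            state = self.auth_state.get(src_ip)
            if state is None or now - state.last_auth >= rule.timeout:
                # outside the timeout: challenge for every factor, in order
                for factor in rule.factors:
                    prompted.append(factor)
                    if factor not in passed:
                        return "auth-failed", prompted
                self.auth_state[src_ip] = AuthState(username, now)
                self._update_mapping(src_ip, username, now)
        # Security policy decides access using whatever mapping User-ID holds for the IP
        user = self.ip_user_map.get(src_ip)
        return ("allow" if self.security_policy(user, service) else "deny"), prompted

    def _update_mapping(self, src_ip: str, username: str, now: float) -> None:
        previous = self.ip_user_map.get(src_ip)
        if previous == username:
            return                          # mapping unchanged: nothing to log
        self.ip_user_map[src_ip] = username
        action = "add" if previous is None else "update"
        self.user_id_log.append(f"t={now} {action} {src_ip} -> {username}")


def run_scenario() -> Tuple[List[Tuple[str, List[str]]], Firewall]:
    """Constructed scenario: one rule, a 1-hour timeout, and a Security policy that
    allows alice to use http and any mapped user to use ssh."""
    fw = Firewall(
        rules=[AuthRule("web-apps", {"http"}, ["web-form", "push"], timeout=3600)],
        security_policy=lambda user, service: (service == "http" and user == "alice")
        or (service == "ssh" and user is not None),
    )
    both = {"web-form", "push"}
    results = [
        fw.request("10.0.0.5", "http", 0, "alice", both),             # challenged, allowed
        fw.request("10.0.0.5", "http", 600, "alice", both),           # inside timeout: no prompt
        fw.request("10.0.0.5", "http", 4000, "alice", {"web-form"}),  # timeout expired, push fails
        fw.request("10.0.0.5", "http", 4001, "bob", both),            # bob on same IP: mapping updated
        fw.request("10.0.0.5", "ssh", 5000, "bob", both),             # no rule: straight to Security policy
    ]
    return results, fw


if __name__ == "__main__":
    results, fw = run_scenario()
    for r in results:
        print(r)
    print(fw.user_id_log)
    print(fw.auth_log)
```

The third request shows why the timeout is tracked per source IP from the last success: once it expires, a failed second factor leaves the earlier mapping and state untouched, and the fourth request (a different user on the same IP passing both factors) is what produces a User-ID "update" entry rather than an "add". The fifth request matches no Authentication rule, so no Authentication log is written and Security policy runs against the mapping already held for that IP.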