Two Factor Authentication for Customer Support Portal

Created On 09/25/18 18:07 PM - Last Modified 03/12/24 13:05 PM


Symptom


Two Factor Authentication (2FA) Overview

Two Factor Authentication (2FA) is required for users to log into Palo Alto Networks apps, such as Customer Support Portal (CSP). To increase your security posture, Domain Admins are no longer able to administer 2FA for users in their account.

If you have problems logging in, please:

  1. Select Need Help on the SSO password page


Login To Customer Support Portal (CSP)

2FA Methods Depend on Your Account Type

If your account is FedRAMP (federal), single sign-on (SSO) supports the following 2FA methods:

  • Email
    • Okta validation email is generated in an AWS SES environment and your email server may block it as spam. If you don't receive the email or the link is no longer valid when you receive it, please have your email admin whitelist the below:
      • 23.249.212.62
      • 23.249.212.63
      • 23.249.212.64
      • 23.249.212.65
    • For additional Okta IP addresses please see https://support.okta.com/help/s/article/Allowlist-of-IP-Addresses-for-processing-email-delivery?language=en_US
      • Note: Okta recommends using the other MFA options for enhanced security.
      • Note: PANW currently does not have plans to restrict the use of Email as an MFA form at the account level (forcing users to choose other MFA forms).
  • Okta Verify

If your account is not FedRAMP, SSO supports the following 2FA methods:

  • Email
    • Okta validation email is generated in an AWS SES environment and your email server may block it as spam. If you don't receive the email or the link is no longer valid when you receive it, please have your email admin whitelist the below:
      • 23.249.212.62
      • 23.249.212.63
      • 23.249.212.64
      • 23.249.212.65
      • Note: Okta recommends using the other MFA options for enhanced security.
  • Okta Verify
  • Google Authenticator (can be used with any form of two factor authentication by scanning the QR code for your chosen application)

If you are unsure about your account type, ask your Domain Administrator.
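
A check an email admin can run before and after adding the allowlist entries, as an added example that is not part of the original article: it scans mail-server log text for refusals of the four IPs listed above and separates deferrals (greylisting, which can delay the email until the link is no longer valid) from outright rejections. The Postfix-style log format, the function name and the sample lines are constructed assumptions; adapt the pattern to your own gateway's logs.

```python
import ipaddress
import re
from collections import defaultdict

# Sending IPs listed in this article for the Okta validation email.
ARTICLE_IPS = {ipaddress.ip_address(a) for a in (
    "23.249.212.62", "23.249.212.63", "23.249.212.64", "23.249.212.65")}

# Constructed Postfix-style smtpd lines; hosts and addresses are placeholders.
SAMPLE_LOG = """\
Mar 12 13:01:07 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[23.249.212.62]: 450 4.7.1 <user@example.com>: Recipient address rejected: Greylisted; from=<noreply@example.net> to=<user@example.com>
Mar 12 13:01:09 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <user@example.com>: Relay access denied; from=<x@example.org> to=<user@example.com>
Mar 12 13:09:40 mx1 postfix/smtpd[2230]: NOQUEUE: reject: RCPT from unknown[23.249.212.64]: 554 5.7.1 Service unavailable; Client host blocked; from=<noreply@example.net> to=<user@example.com>
Mar 12 13:10:02 mx1 postfix/smtpd[2231]: connect from unknown[23.249.212.65]
"""

# Captures the client IP and the three-digit SMTP reply code of a refusal.
REJECT = re.compile(r"reject: \w+ from \S*\[([0-9a-fA-F.:]+)\]: (\d{3}) ")


def blocked_article_senders(log_text):
    """Map each listed IP to how the server refused it.

    A 4xx reply is a deferral (for example greylisting); a 5xx reply is a
    permanent rejection. Lines for other IPs or without a refusal are ignored.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # bracketed text that is not an IP address
        if ip in ARTICLE_IPS:
            kind = "deferred" if m.group(2).startswith("4") else "rejected"
            hits[str(ip)].append(kind)
    return dict(hits)


if __name__ == "__main__":
    for ip, kinds in blocked_article_senders(SAMPLE_LOG).items():
        print(ip, kinds)
```

An empty result after the allowlist change means none of the listed IPs is still being refused in the log window you checked.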
 


Login to Customer Support Portal

To log in to Customer Support Portal (CSP), click the CSP login link (https://support.paloaltonetworks.com/). Then enter your user ID, followed by your password.

The next step depends on the 2FA methods configured for your account.


2FA Methods

Email 2FA

If your account is configured for email 2FA, click Send me the code.

Check your email. SSO sends you an email with a six-digit code. A sample email follows.

Enter the six-digit code, 324262 in this case, to log in.


Okta Verify 2FA

If your account is configured for Okta Verify 2FA, follow directions to verify your identity.  Or, you can choose to push a notification to your Okta Verify mobile app.  In the following illustration, the user set the option to always send a push automatically.

Open the Okta Verify app on your phone, and tap on the number displayed above to log in.


Google Authenticator 2FA

If your account is configured for Google Authenticator 2FA, open the Google Authenticator app on your phone to get a new six-digit code. Enter the code to log in.

Note: Google Authenticator can be used with any form of two factor authentication by scanning the QR code for your chosen application.

If you have changed to another phone and would like to re-enroll your Google Authenticator, select Need Help on the SSO password page (logging in to the Support Portal is NOT required here to create a support case).

Multiple 2FA Methods

If your account is configured for multiple 2FA methods, you can decide which 2FA method to use during login.  In the following sample illustration, CSP initially prompts for an Okta Verify code or push.

To change your 2FA method during login, click on the down arrow to select another 2FA method.

Configure 2FA Methods

Manage Account Settings

To manage your account settings, e.g., change password, set up 2FA, go to:

https://sso.paloaltonetworks.com/enduser/settings

IMPORTANT!  Please use the link above to configure your 2FA settings.  Configuring 2FA is no longer done in CSP My Profile.  Your DNS will need to resolve sso.paloaltonetworks.com to reach the Okta service. 


2FA Methods Depend on Your Account Type

If your account is FedRAMP (federal), single sign-on (SSO) supports the following 2FA methods:

  • Email
  • Okta Verify

If your account is not FedRAMP, SSO supports the following 2FA methods:

  • Email
  • Okta Verify
  • Google Authenticator

If you are unsure about your account type, ask your Domain Administrator.


Okta Verify

Okta Verify does not support multi-device authentication. 
To configure Okta Verify as your 2FA method, click the Set up button for Okta Verify.

Click the Setup button to set up Okta Verify.

Select your phone type, and download Okta Verify to your phone. Click the Next button.

CSP displays a QR code. Use Okta Verify on your phone to scan the QR code.

On your phone, go to the Okta Verify app, and click the '+' icon. Choose Organization for the account type, and click the Yes, Ready to Scan button. Point your phone camera at the QR code. Okta Verify will scan the QR code and add your account.

The next time you log in, CSP lets you enter a six-digit code from the Okta Verify app, or prompt Okta Verify to send a push and confirm your identity by clicking Yes, It's Me.

 

Google Authenticator

Google Authenticator supports multi-device authentication. See the details here
Note: Google Authenticator can be used with any form of two factor authentication by following these instructions, but downloading and scanning the QR code with your chosen application.
To configure Google Authenticator as your 2FA method, click the Set up button for Google Authenticator.

Click the Setup button to set up Google Authenticator for 2FA.

Select your phone type, and download Google Authenticator to your phone. Click the Next button.

CSP displays a QR code. Use Google Authenticator on your phone to scan the QR code.

Select Scan a QR code in Google Authenticator. Point your phone camera at the QR code. Google Authenticator will scan the QR code and add your account. Click the Next button.

To verify Google Authenticator is set up correctly, enter a new six-digit code from Google Authenticator.

The next time you log in, enter a six-digit code from the Google Authenticator app.

If you have changed to another phone and would like to re-enroll your Google Authenticator, select Need Help on the SSO password page (logging in to the Support Portal is NOT required here to create a support case).


Email

Email is set up as your default 2FA.  To remove email 2FA, click Remove button.


To confirm you want to disable email 2FA, click Yes button.  Use the same procedure to configure all 2FA methods.


Getting an Error?
Confirm that these URLs are whitelisted:

NOTE: It is not possible to disable MFA for security reasons. We want to harden the way each user authenticates to our environment and align more closely with NIST guidance so that we can further improve our security posture.


Environment


Customer Support Portal

Additional Information


Please refer to the Mimecast - Configuring Greylisting Policies 
 

