How to enforce MFA for browser based SSL traffic without enabling decryption

Created On 09/26/25 05:21 AM - Last Modified 10/17/25 20:58 PM


Objective


To enforce Multi-Factor Authentication (MFA) in environments where decryption is not used by leveraging GlobalProtect (GP) for MFA enforcement.



Environment


  • GlobalProtect Portal
  • GlobalProtect Gateway
  • GlobalProtect(GP) App
  • Multi-Factor Authentication (MFA)
  • Decryption


Procedure


  1. The firewall can enforce authentication policies for SSL traffic by leveraging the GlobalProtect (GP) app to complete multi-factor authentication (MFA).
  2. When SSL decryption is not enabled for the protected content that requires MFA, the firewall treats the SSL traffic as non-browser-based.
  3. As a result, it uses the GlobalProtect app to prompt the user for MFA instead of relying on browser-based redirection.
  4. For such traffic, the firewall increments the global counter appid_mfa_gp_notification, indicating that the GlobalProtect app is being used to handle the MFA process.
  5. The configuration for MFA enforcement in non-browser-based scenarios and for SSL traffic without decryption is identical; no additional configuration changes are required to support either use case.
  6. To support this behavior, ensure the following settings are configured on the GlobalProtect Portal:
    • Enable "Inbound Authentication Prompts from MFA Gateway".
    • Under "Trusted MFA Gateways", add the redirect URL and port used for the MFA process.
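To confirm that the GP-app path is actually the one handling MFA, compare the appid_mfa_gp_notification counter across two `show counter global` snapshots taken before and after a test user opens a protected, undecrypted HTTPS site. The following Python is an added example, not part of this article or of PAN-OS itself; the column layout of the counter output and the two sample snapshots are assumptions constructed for illustration.

```python
import re

# Global counter the article says the firewall increments when the GlobalProtect
# app, rather than a browser redirect, is used to complete MFA for SSL traffic
# that is not being decrypted.
GP_MFA_COUNTER = "appid_mfa_gp_notification"

# One line of `show counter global` output: name, value, rate, severity,
# category, aspect, free-text description. This field layout is an assumption.
COUNTER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)"
    r"\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<desc>.*)$"
)

# Two CONSTRUCTED snapshots (not real firewall output) taken before and after a
# GlobalProtect user opened an undecrypted HTTPS site matching an
# authentication policy rule that requires MFA.
SNAPSHOT_BEFORE = """\
appid_mfa_gp_notification       4     0 info  appid  pktproc  MFA handled via GP app (constructed)
example_other_counter          10     0 info  appid  pktproc  unrelated counter (constructed)
"""
SNAPSHOT_AFTER = """\
appid_mfa_gp_notification       7     0 info  appid  pktproc  MFA handled via GP app (constructed)
example_other_counter          10     0 info  appid  pktproc  unrelated counter (constructed)
"""

def parse_counters(text: str) -> dict[str, int]:
    """Map counter name -> current value, ignoring header, blank and unparsable lines."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters

def counter_delta(before: str, after: str, name: str) -> int:
    """How much `name` grew between the two snapshots (0 if absent from both)."""
    return parse_counters(after).get(name, 0) - parse_counters(before).get(name, 0)

def gp_app_mfa_used(before: str, after: str) -> bool:
    """True when the GP-app MFA path fired at least once between the snapshots."""
    return counter_delta(before, after, GP_MFA_COUNTER) > 0

if __name__ == "__main__":
    delta = counter_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, GP_MFA_COUNTER)
    print(f"{GP_MFA_COUNTER} increased by {delta}; GP app handled MFA: "
          f"{gp_app_mfa_used(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)}")
```

If the counter does not move while the user is still prompted in a browser, the traffic is being treated as browser-based (typically because it is decrypted), and the portal settings above are not what is driving the prompt.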

