How to Enforce MFA for Non-Browser Traffic Using GlobalProtect Across Separate Palo Alto Firewalls


Created On 10/09/25 01:53 AM - Last Modified 10/18/25 03:09 AM


Objective


  • GlobalProtect gateway and the firewall applying the MFA policy reside on different Palo Alto Networks firewalls.
  • Users are connected through Prisma Access gateway with MFA enforcement handled by an on-premises firewall.
  • This article outlines the steps required to enforce multi-factor authentication (MFA) for non-browser-based traffic in the above scenario.
  • Refer to the topology below. MFA is enforced on a firewall that does not terminate GlobalProtect (GP) gateway connections.
  • The GlobalProtect gateway itself may reside on an on-premises firewall or a Prisma Access gateway.



Environment


  • Next Gen Firewalls or Prisma Access Firewalls
  • GlobalProtect (GP) Gateway
  • Multi Factor Authentication (MFA)


Procedure


  1. On the firewall where the GlobalProtect (GP) gateway terminates, configure an inbound security policy rule that allows the application "paloalto-gp-mfa-notification".
  2. This rule must permit traffic from the Captive Portal redirect IP (on the MFA firewall) to the GP IP pool (the IP subnet assigned to GlobalProtect users under the GP gateway).
  3. Choose the source and destination zone names in this rule from the routing perspective of the GP gateway firewall, i.e. the zone in which the redirect IP is reached and the zone holding the GP IP pool.
  4. In addition, the GP portal must be configured with the following settings:
    • Set "Enable Inbound Authentication Prompts from MFA Gateways" to Yes.
    • Configure the "Trusted MFA Gateways" field with the redirect URL and the port on which the Captive Portal redirect is served.




Additional Information


Caveats:

  • This configuration will not work if source NAT is applied to the GP user traffic on the GP gateway firewall or on any intermediate device before the traffic reaches the MFA firewall, because the MFA firewall must see the user's GP pool address in order to send the notification back to it.
  • There is no option to change the port number the MFA firewall uses to send the Captive Portal redirect notification; the default port 4501 must be used for inbound authentication prompts.
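The following script is an added example, not part of this article or of PAN-OS: it is a pre-change sanity check that takes a plain description of the inbound rule, the NAT rulebase and the portal settings (all field names and addresses are this example's own constructed shorthand, not PAN-OS object names) and reports which of the steps and caveats above are not met, including the fixed port 4501 and the source NAT condition.

```python
import ipaddress
from urllib.parse import urlparse

# All values below are constructed for this example; field names are the
# example's own shorthand, not PAN-OS object names.
GP_POOL = "10.200.0.0/16"      # IP pool the GP gateway hands to users
REDIRECT_IP = "192.0.2.10"     # Captive Portal redirect IP on the MFA firewall
MFA_APP = "paloalto-gp-mfa-notification"
MFA_PORT = 4501                # fixed port for inbound authentication prompts

def check_mfa_setup(rule, nat_rules, portal):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    pool = ipaddress.ip_network(GP_POOL)
    # Step 1: inbound rule on the GP gateway firewall must allow the MFA app.
    if rule.get("action") != "allow" or MFA_APP not in rule.get("applications", []):
        findings.append(f"rule must allow application {MFA_APP}")
    # Step 2: traffic flows from the redirect IP to the GP IP pool.
    if REDIRECT_IP not in rule.get("source", []):
        findings.append("rule source must be the Captive Portal redirect IP")
    dsts = [ipaddress.ip_network(d) for d in rule.get("destination", [])]
    if not any(d.subnet_of(pool) for d in dsts):
        findings.append("rule destination must be the GP IP pool")
    # Caveat: source NAT on GP user traffic hides the pool address from the MFA firewall.
    for nat in nat_rules:
        if nat.get("source_translation") and ipaddress.ip_network(nat["source"]).overlaps(pool):
            findings.append(f"source NAT rule '{nat['name']}' rewrites GP user addresses")
    # Step 4: portal must accept prompts and trust the redirect URL on port 4501.
    if not portal.get("inbound_auth_prompts"):
        findings.append("portal must enable inbound authentication prompts from MFA gateways")
    trusted = False
    for gw in portal.get("trusted_mfa_gateways", []):
        u = urlparse(gw)
        port = u.port or (443 if u.scheme == "https" else 80)
        trusted = trusted or (u.hostname == REDIRECT_IP and port == MFA_PORT)
    if not trusted:
        findings.append(f"portal must trust {REDIRECT_IP} on port {MFA_PORT}")
    return findings

GOOD_RULE = {"action": "allow", "applications": [MFA_APP],
             "source": [REDIRECT_IP], "destination": [GP_POOL]}
GOOD_PORTAL = {"inbound_auth_prompts": True,
               "trusted_mfa_gateways": [f"https://{REDIRECT_IP}:{MFA_PORT}"]}
# A setup that violates both caveats: source NAT on the pool and a non-4501 port.
BAD_NAT = [{"name": "gp-users-out", "source": GP_POOL, "source_translation": True}]
BAD_PORTAL = {"inbound_auth_prompts": True,
              "trusted_mfa_gateways": [f"https://{REDIRECT_IP}"]}

if __name__ == "__main__":
    print("good:", check_mfa_setup(GOOD_RULE, [], GOOD_PORTAL))
    print("bad: ", check_mfa_setup(GOOD_RULE, BAD_NAT, BAD_PORTAL))
```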

