MFA for Palo Alto GlobalProtect
GlobalProtect terminates remote users on your Palo Alto firewall, and its portal and gateway are exposed to the internet by design. PAN-OS can authenticate against RADIUS but leaves MFA to an external service. Authnull plugs into that RADIUS path and enforces a phishing-resistant factor on both the portal and gateway logins, with no agent changes for end users. You create a RADIUS server profile pointing at Authnull, wrap it in an authentication profile, and assign it to the GlobalProtect configuration so every connection is challenged.
Palo Alto GlobalProtect forwards the login; Authnull adds the factor.
PAN-OS sends the login to Authnull over RADIUS; Authnull checks the primary credential, challenges for the factor, and returns Access-Accept. Set the authentication profile timeout high enough to cover push approval.
Configure MFA for Palo Alto GlobalProtect
Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 20 minutes.
Create a RADIUS server profile
Add Authnull as a RADIUS server profile with the connector IP and shared secret.
Build an authentication profile
Create an authentication profile that uses the RADIUS server profile, and set the user domain and timeout.
Assign it to GlobalProtect
Apply the authentication profile to the GlobalProtect portal and gateway so both enforce the factor.
Commit and test
Commit the configuration, then connect with the GlobalProtect app using a test account. Expect a password prompt followed by an MFA challenge.
Closes the MFA gap auditors look for
Enforcing MFA on Palo Alto GlobalProtect gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.
Add MFA to Palo Alto GlobalProtect — free to start.
Spin up Authnull, point Palo Alto GlobalProtect at it, and enforce a factor on a pilot group today. No card, no rip-and-replace.