Palo Alto firewall with Duo MFA

I was thinking about the title for this post: should it be MFA, or simply RADIUS authentication? For most network guys the choice will simply fall on RADIUS authentication, while most IT pros who are not network guys will probably prefer MFA (multi-factor authentication), as it is the new buzzword. Anyhow, in this post we are going to configure two RADIUS servers in failover mode alongside Palo Alto Networks firewalls using GlobalProtect.

VPN design with GlobalProtect

Normally you design a VPN solution, or frankly speaking any critical production system, with redundancy, so that if one component fails another one can take over its tasks without causing disruption or downtime for end users.

For the Palo Alto Networks firewall VPN solution, GlobalProtect, we require the following components:

  1. At least 2 firewalls in an active/passive cluster
  2. At least 2 independent internet connections, connected to both firewalls
  3. At least 2 independent MFA (RADIUS) servers to accept authentication requests

Normally point 3 from the list above is forgotten or overlooked, causing downtime when it is least expected and desired. On Palo Alto Networks firewalls achieving this is a trivial task, but only if you are aware of it and remember to do it.

A fun fact, or call it the irony of “Palo Alto firewall with Duo MFA”, is that Cisco bought Duo Security quite some time ago, as Duo was emerging as a solid and innovative MFA supplier. The reason I find this sort of amusing is that Palo Alto Networks firewalls and Cisco ASA next-generation firewalls with Firepower are competitors.

[Figure: Palo Alto firewall MFA configuration with Duo, traffic view in ELK]

The image above shows RADIUS traffic being sent to two RADIUS servers. This traffic is not sent simultaneously; a request only goes to the second server once the timeout value for the first has been reached. You might be thinking: yeah, but you could just have used a RADIUS proxy to perform this. The answer is yes, but then you would need at least two of those to have redundant components, and to be honest you would not be making the solution any less complex. Now let us look at what configuration needs to be done in order to achieve these results, or simply to set up a similar solution.

Palo Alto firewall with Duo MFA failover

We will not be focusing on how to configure a Duo MFA server, as that process is very well documented in several places. If you need a good starting point, have a look at https://duo.com/docs/getting-started

When you have configured two Duo Security MFA servers you can start defining them in the Palo Alto Networks firewall. This is done under the Device tab, under Server Profiles, under RADIUS Server Profile.

[Figure: Palo Alto firewall Duo MFA RADIUS server profile 1]

There are a couple of important things to consider here: the timeout value, which is defined in seconds, and the retries value. You can test the exact values you want to use; however, 15 seconds should be adequate time for the RADIUS server to respond. If it does not respond to the request sent by the Palo Alto Networks firewall, the request should be sent to the next MFA / RADIUS server. Windows Server has recently been given a feature whereby, if some updates are stuck, i.e. require a restart or have been installed and are pending action from a user, the server might stop responding to network requests. In this or similar cases there is no use waiting for a non-responding server, hence you set up two MFA / RADIUS servers. I hope you caught the sarcasm in the last feature description. On the second MFA / RADIUS server you can use the default values.

[Figure: Palo Alto firewall Duo MFA RADIUS server profile 2]

You can set the timeout to 60 seconds and retries to 3. You might even increase the number of retries. The idea is that at least one of the two MFA / RADIUS servers will be responding to the RADIUS requests made by the Palo Alto Networks firewalls. The next step in the configuration is to create an authentication sequence. This is done under the tabs Device – Authentication Sequence.

[Figure: Palo Alto firewall Duo MFA authentication sequence 1]

Provide a name for the authentication sequence and then add your MFA / RADIUS servers. Be sure to add them in the right order, i.e. the one with one retry and a 15-second timeout should be placed at the top.

[Figure: Palo Alto firewall Duo MFA authentication sequence 2]

Now that you are done creating the authentication sequence you can start adding it to your GlobalProtect configuration. Remember to include it both for the Portal and for the Gateway profiles. You do not want to leave any component as a single point of failure.

[Figure: Palo Alto firewall Duo MFA GlobalProtect portal]

The GlobalProtect portal settings are configured under the tabs Network – GlobalProtect – Portals. Here again, remember to add the Duo-Radius-Sequence at the top, i.e. as the first sequence in the order to be applied. You can or might have other authentication profiles as well, but they should be evaluated afterwards. The next step is to apply the same configuration for Gateways.

[Figure: Palo Alto firewall Duo MFA GlobalProtect gateway]

Gateway configuration is placed just beneath Portals. The same rules and principles apply here: add the Duo-Radius-Seq, which is the authentication sequence, first and then any other remaining sequences. When this has been done your Palo Alto Networks firewalls should be sending MFA / RADIUS requests to the second server as well if the first one does not reply or responds slowly. In either case this means nothing for the user, besides that a push message has to be approved, which enables the establishment of the GlobalProtect VPN session. The traffic can be monitored under the Monitor tab.
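To make the effect of the timeout, retry and ordering choices above concrete, here is an added Python model of the authentication sequence (example code written for this post, not PAN-OS code or the author's own). Since the post does not spell it out, it assumes that the firewall sends `retries` requests to a profile, each waiting `timeout` seconds, before moving to the next profile; the profile names and server latencies are constructed.

```python
"""Added model of how a PAN-OS authentication sequence fails over between RADIUS profiles.

Assumption (not stated on the page): the firewall sends `retries` requests to a profile,
each waiting `timeout_s` seconds for a reply, before moving on to the next profile.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RadiusProfile:
    """One RADIUS server profile as created under Device > Server Profiles > RADIUS."""
    name: str
    timeout_s: int              # seconds to wait for a reply to one request
    retries: int                # requests sent before giving up on this profile
    latency_s: Optional[float]  # constructed: seconds the server takes to answer, None = hung


def authenticate(sequence: List[RadiusProfile]) -> Tuple[Optional[str], float]:
    """Walk the sequence in order; return (name of the server that answered, seconds waited)."""
    elapsed = 0.0
    for profile in sequence:
        for _ in range(max(1, profile.retries)):
            if profile.latency_s is not None and profile.latency_s <= profile.timeout_s:
                return profile.name, elapsed + profile.latency_s
            elapsed += profile.timeout_s  # no reply within the timeout: retry, then fail over
    return None, elapsed  # every server in the sequence timed out


def hung(profile: RadiusProfile) -> RadiusProfile:
    """Same profile, but the server never answers (e.g. stuck on a pending update)."""
    return replace(profile, latency_s=None)


# Constructed profiles with the values from the post: a short single-try primary, a patient secondary.
DUO_1 = RadiusProfile("Duo-Radius-1", timeout_s=15, retries=1, latency_s=2.0)
DUO_2 = RadiusProfile("Duo-Radius-2", timeout_s=60, retries=3, latency_s=2.0)

RECOMMENDED_PRIMARY_HUNG = authenticate([hung(DUO_1), DUO_2])                 # ("Duo-Radius-2", 17.0)
REVERSED_PRIMARY_HUNG = authenticate([hung(DUO_2), DUO_1])                    # ("Duo-Radius-1", 182.0)
SLOW_PRIMARY_SKIPPED = authenticate([replace(DUO_1, latency_s=20.0), DUO_2])  # ("Duo-Radius-2", 17.0)
BOTH_HUNG = authenticate([hung(DUO_1), hung(DUO_2)])                          # (None, 195.0)

if __name__ == "__main__":
    for label, result in [("recommended order, primary hung", RECOMMENDED_PRIMARY_HUNG),
                          ("reversed order, first server hung", REVERSED_PRIMARY_HUNG),
                          ("slow primary (20 s) skipped", SLOW_PRIMARY_SKIPPED),
                          ("both servers hung", BOTH_HUNG)]:
        print(f"{label}: {result}")
```

The reversed-order case is the one to avoid: with the patient 60 s / 3 retries profile on top, a hung first server costs users three minutes before the second is even tried.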

[Figure: Palo Alto firewall Duo MFA traffic in the Monitor tab]

I would, however, prefer and strongly advise you to use Elasticsearch with Kibana to view these events rather than using your Palo Alto Networks firewall’s management plane resources. If you have not configured an ELK stack for your Palo Alto Networks firewalls, you should really consider it, assuming that you are not using Panorama. For a detailed description of how you can configure syslog forwarding from a Palo Alto Networks firewall to ELK, you can read my blog post:

Monitoring Palo Alto Networks firewall with ELK
