- [Matt] Hi, I'm Matt from Duo Security. In this video, I'm going
to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication. This application uses RADIUS and the Duo Authentication Proxy. Before watching this video, please read the documentation
for this configuration at duo.com/docs/paloalto. Note that in addition to this
RADIUS-based configuration, you can also protect Palo
Alto SSO logins with Duo. Read about the options
for that configuration at duo.com/docs/paloalto-sso. Before setting up this Duo
integration with Palo Alto, you must have a working primary
authentication configuration for your SSL VPN users, such as LDAP authentication
to Active Directory. To integrate Duo with your Palo Alto VPN, you will need to install
a local proxy service on a machine within your network. Before proceeding, you should
locate or set up system on which you will install
the Duo Authentication Proxy. The proxy supports
Windows and Linux systems. In this video, we will use a
Windows Server 2016 system. Note that this Duo proxy server also acts as a RADIUS server. There is no need to deploy
a separate RADIUS server to use Duo. The Palo Alto device in this
video is running PAN-OS 8.0.6. The instructions for installing
Duo protection via RADIUS on devices running
older versions of PAN-OS differs slightly from what
is shown in this video. Reference the documentation
for more information. On the system you are going to install the Duo Authentication Proxy on, log in to the Duo Admin Panel. In the left sidebar,
navigate to Applications. Click Protect an Application. In the search bar, type palo alto. Next to the entry for Palo Alto SSL VPN, click Protect this Application. Note your integration key,
secret key, and API hostname. You will need these later during setup. Near the top of the page, click the link to open the Duo
documentation for Palo Alto. Next, install the Duo
Authentication Proxy. In this video, we will use a 64-bit Windows Server 2016 system. We recommend a system
with at least one CPU, 200 megabytes of disk space,
and four gigabytes of RAM. On the documentation page, navigate to the Install the Duo
Authentication Proxy section. Click the link to download
the most recent version of the proxy for Windows. Launch the installer on the server as a user with administrator rights and follow the on-screen prompts
to complete installation. After the installation completes, configure and start the proxy. For the purposes of this video, we assume that you have some familiarity with the elements that make up
the proxy configuration file and how to format them. Comprehensive descriptions
of each of these elements are available in the documentation. The Duo Authentication
Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory
of the proxy installation. Run a text editor like
WordPad as an administrator and open the configuration file. By default, the file is located in C:\Program Files (x86)\ Duo Security Authentication Proxy\conf\ Since this is a completely
new installation of the proxy, there will be example content
in the configuration file. Delete this content. First, configure the proxy for
your primary authenticator. For this example, we will
use Active Directory. Add an [ad_client] section to the top of the configuration file. Add the host parameter
and enter the host name or IP address of your domain controller. Then add the
service_account_username parameter and enter the username of
a domain member account that has permission to bind to
your AD and perform searches. Next, add the
service_account_password parameter and enter the password that corresponds to the username entered above. Finally, add the search_dn parameter and enter the LDAP distinguished
name of an AD container or organizational unit containing all of the users
you wish to permit to log in. Additional optional
variables for this section are described in the documentation. Next, configure the proxy for your Palo Alto GlobalProtect gateway. Create a [radius_server_auto] section below the [ad_client] section. Add the integration key,
secret key, and API hostname from your Palo Alto
application's properties page in the Duo Admin Panel. Add the radius_ip_1 parameter
and enter the IP address of your Palo Alto GlobalProtect VPN. Below that, add the
radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN. Add the client parameter
and enter ad_client. Palo Alto does not send
the client IP address using the standard RADIUS
attribute Calling-Station-ID. A new RADIUS attribute
containing the client IP address PaloAlto-Client-Source-IP was introduced in PAN-OS version 7. To send the PaloAlto-Client-Source-IP
attribute to Duo, add the client_ip_attr
parameter and enter paloalto. Additional optional variables for this [radius_server_auto] section are described in the documentation. Save your configuration file. Open an administrator
command prompt and run net start DuoAuthProxy to
start the proxy service. Next, configure your Palo
Alto GlobalProtect gateway. First, we will add the Duo RADIUS server. Log in to the Palo Alto
administrative interface. Click the Device tab. In the left sidebar, navigate
to Server Profiles, RADIUS. Click the Add button to add
a new RADIUS server profile. In the name field, enter Duo RADIUS. Increase the timeout to at least 30. We recommend using 60 if you are utilizing push or phone authentication, so we will use 60 in this example. In the dropdown for authentication
protocol, select PAP. In the Servers section, click Add. In the Name field, enter Duo RADIUS. In the RADIUS Server
field, enter the hostname or IP address of your
Duo Authentication Proxy. In the Secret field, enter
the RADIUS shared secret used in the authentication
proxy configuration. Leave or set the port to 1812, as that is the default used by the proxy. If you used a different port during your Authentication Proxy setup, be sure to use that here. Click OK to save the new
RADIUS server profile. Now add an authentication profile. In the left sidebar. Navigate
to Authentication Profile. Click the Add button. In the Name field, enter Duo. In the Type dropdown, select RADIUS. In the Server Profile
dropdown, select Duo RADIUS. Depending on how your users
log in to GlobalProtect, you may need to enter your
authentication domain name in the User Domain field. This is used in conjunction with the Username Modifier field. If the Username Modifier
is left blank or is set to %USERINPUT%, then the
user's input is unmodified. You can prepend or append
the value of %USERDOMAIN% to preconfigure the username input. Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation. Click the Advanced tab and click Add. Select the All group. Click OK to save the
authentication profile. Next, configure your
GlobalProtect gateway settings. In the Palo Alto administrative interface, click the Network tab. In the left sidebar, navigate
to GlobalProtect, Gateways. Select your configured
GlobalProtect gateway. Click the Authentication tab. In the entry for your
Client Authentication in the Authentication Profile dropdown, select the Duo authentication
profile you created earlier. If you are not using
authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection
during one gateway session. You will need a certificate
to use with the cookie. Click on the Agent tab. Click the Client Settings tab. Click on the name of your
configuration to open it. On the Authentication Override tab, check the boxes to
generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate
to use with the cookie. Click OK and then click OK again to save your gateway settings. Now configure your portal settings. If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the
GlobalProtect gateway agent. For the best user experience, Duo recommends leaving
your GlobalProtect portal set to use LDAP or
Kerberos authentication. If you do add Duo to your
GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo
prompts for authentication when connecting. In the Palo Alto administrative interface, from the Network tab, navigate
to GlobalProtect, Portal. Click on your configured profile. Click the Authentication tab. In the entry for your
client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier. Click on the Agent tab. Click on the entry for your configuration. On the Authentication tab, in the Authentication Override section, check the boxes to
generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate
to use with the cookie. Click OK and then click OK again to save your gateway settings. To make your changes take effect, click the Commit button
in the upper-right corner of the Palo Alto administrative interface. Review your changes
and click Commit again. Now finish configuring
your Palo Alto device to send the client IP to Duo. Connect to the Palo Alto
device administration shell. Using the command from
step one of the client IP reporting section of the Duo
for Palo Alto documentation, enable sending the Palo
Alto client source IP client IP attribute. After installing and configuring Duo for your Palo Alto GlobalProtect
VPN, test your setup. Using a username that
has been enrolled in Duo and that has activated
the Duo Mobile application on a smartphone, attempt
to connect to your VPN with your GlobalProtect gateway agent. You will receive an automatic
push on the Duo Mobile app on your smartphone. Open the notification, check
the contextual information to confirm the login is legitimate, approve it, and you are logged in. Note that you can also
append a form factor to the end of your
password when logging in to use a passcode or manually select a two-factor
authentication method. Reference the documentation
for more information. You have successfully set up Duo for your Palo Alto GlobalProtect gateway.
