*REPASTING for BETTER FORMATTING:* Summary of the video: MFA supported for 4 vendors natively - PingID, RSA Secure ID, Okta and Duo. For other vendors MFA can still be supported using Radius. . Steps to setup MFA are as follows: 1. Create an MFA server profile using MFA certificates and specific vendor configurations. 2. Create Authentication profile using a some first factor authentication method and enable additional factors referencing the MFA profile in step 1. 3. Enable Captive portal under User-ID and reference certificates to be used for the portal and redirect requests to a L3 interface on the firewall. 4. Enable User-ID on the zone your requests will come in i.e. the ingress zone. 5. On the interface that zone is assigned to i.e the ingress interface , setup a management profile that allows Response Pages 6. Create an Authentication Enforcement Object that references the authentication method - webform aka captive portal and the authentication profile created in step 2. 7. Create an Authentication policy rule that defines which traffic will require authentication using the enforcement object that was created in step 6. Only unknown may be authenticated or any user may be authenticated. any traffic or specific service can be authenticated. . Step 1-2 sets up MFA . Step 3-5 sets up a captive portal. Step 6-7 maps the MFA with captive portal and defines user traffic match conditions. . In summary you use authentication policy rules to authenticate users which can use a captive portal that uses multiple factors to verify user identity and get a user-ip mapping.

Hi Paloalto Teams, This is a great video for them who wants to get deeper understanding on the concept of establishing MFA service on Paloalto Firewall. Thanks for the vid. Anyway. If I may suggest, it would be very helpful if we can be provided with the video for integrating paloalto MAF with RSA SecureID.

Regarding the order of operation, I assume Authentication Policy is evaluated first, then if pass, Security policy is checked?