# Palo Alto SSL VPN Integration

Palo Alto Networks GlobalProtect Integration

## General Overview

This guide explains the instructions on configuring Mirket multi-factor authentication for Palo Alto Networks GlobalProtect. Prior configuration and deployment of GlobalProtect are required before setting up MFA with Mirket.

## Preparation Steps

Before proceeding with these procedures, ensure the following:

* You've completed the installation and configuration of the Mirket (go to <mark style="color:blue;">Mirket Installation Steps</mark>).
* You've completed the initial setup (included vpn settings) of your Palo Alto NGFW.
* You've installed Palo Alto GlobalProtect on your client PC. &#x20;

## Configuring Palo Alto

Follow these steps to configure Palo Alto:

### RADIUS Service Configuration

* Select the **Device** tab and go to **Service Profiles > Radius** from the menu.
* Click on **Add** to create a new profile.

<figure><img src="/files/mI7vksSnSlO5yQSE8LoT" alt=""><figcaption></figcaption></figure>

Enter a name in the **Profile Name** field; for instance, "MirketRadius".

* Input "**60**" in the **Timeout** field.
* Input "**1**" in the **Retries** field.
* Choose **PAP** option from the **Authentication Protocol** dropdown list.
* Click on **Add** to add a Radius server, in the **Servers** section.
* Enter a name for the Radius server; for instance "MirketGW".
* Input the IP address of the server where the "**Mirket Radius**" is installed in the **RADIUS Server** field.
* Input a shared secret key to communicate with the RADIUS server in the **Secret** field (Mirket Radius). In Mirket use this same secret key when [configuring a RADIUS client resource](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/rules/radius-rules/radius-clients.md).
* Input "**1812**" in the **Port** field. You should define your own port here. Then click on **OK** to confirm settings.

<figure><img src="/files/wMTrSwIiiPRhfLZgV6ME" alt=""><figcaption></figcaption></figure>

* Return to the **Device** tab and go to **Setup**, from the menu. Then select the **Services** tab.

<figure><img src="/files/wjOzuqy7eAdglyPSgDaw" alt=""><figcaption></figcaption></figure>

* &#x20;Click on **Service Route Configuration** under the **Service Feature**.
* Check the IP address Palo Alto connect for radius request and make sure radius packets  (Udp 1812 and Udp 1813) are allowed between Palo Alto and Mirket.&#x20;

<figure><img src="/files/6rCnLmVPya5yEgbqAdod" alt=""><figcaption></figcaption></figure>

### Authentication Profile Configuration

* Select the **Device** tab and go to **Authentication Profile**, from the menu.
* Then, click on **Add** to create a new profile.

<figure><img src="/files/GpDxNef9VryKaPMOtE9r" alt=""><figcaption></figcaption></figure>

* Enter a name for the authentication profile; for instance, RadiusMirketProfile.
* Choose "**RADIUS**" option from the **Type** dropdown list.
* Choose the previously created [RADIUS service](#radius-service-configuration) profile from the **Server Profile** dropdown list(e.g., Mirket Radius profile).
* Enter a  domain  name in the **User Domain** field. If the username formats used  in policies  are domain\username then select '**%USERDOMAIN%\\%USERINPUT%**', in the **Username Modifier**.
* Click on the **Advanced** tab.

<figure><img src="/files/0d3PoR9wBKcXsbRsVjTb" alt=""><figcaption></figcaption></figure>

* Then, choose "**all**" option in the **Allow List**.
* Then, click on **OK** to confirm settings.&#x20;
* Go to **Authentication Sequence**, from the menu. Then click on **Add** to create a new sequence.

<figure><img src="/files/aBIJdQBE6DpoSH3ibytk" alt=""><figcaption></figcaption></figure>

* Enter a name for the authentication sequence; for instance, VPN\_Authentication\_Sequence.
* Then click on the **Add** option to add the authentication profile that you created from the **Authentication Profiles** dropdown list.
* Priorities of the profiles progress from top to bottom. To move a profile upwards, hover over it, hold it, and drag it upwards. The same process is applied to move the rule profile downwards.
* Then click on **OK** to confirm settings.

### GlobalProtect Portal Configuration

* Select the **Network** tab and go to **GlobalProtect > Portals**, from the menu. Edit Portal Configuration and go to the **Agent tab**. &#x20;

<figure><img src="/files/yBy40BhAPfm7WOjfIQP6" alt=""><figcaption></figcaption></figure>

* Check the "**Generate cookie for authentication override**" checkbox.&#x20;
* Click on **OK** to confirm settings.&#x20;

### GlobalProtect Gateway Configuration

* Select the **Network** tab and go to **GlobalProtect > Gateways**, from the menu. Go to the **Agent** Tab.
* Select the **Agent** tab and then select the **Client Settings** tab.
* Edit client settings. Then select the **Authentication Override** tab.

<figure><img src="/files/6k7gdv5PuJJm21BMOvvX" alt=""><figcaption></figcaption></figure>

* Check the "**Accept cookie for authentication override**" checkbox.
* In the **Cookie Lifetime** section, choose the "**Minutes**" option from the dropdown list and input "**1**".
* Choose the certificate that you created from the **Certificate to Encrypt/Decrypt Cookie** dropdown list.
* Click on **OK** to confirm settings.&#x20;
* Make sure you allow VPN users in the firewall policy.
* Click on **OK**.&#x20;
* Access the administration shell of the PA device via SSH and activate the transmission of the PaloAlto-Client-Source-IP attribute for client IP addresses by comment below.&#x20;

`set authentication radius-vsa-on client-source-ip`

* Then click on **Commit** to save settings on the top right side.

## Configure Mirket

To enable Mirket to receive authentication requests from GlobalProtect, follow these steps:

### Add a Palo Alto as Resource in Mirket with Mirket Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway. To add a Radius Client to the Mirket Radius Gateway, follow these steps:

* First, navigate to the directory `C:\MirketRadius` and open the `config.json` file.&#x20;

<figure><img src="/files/khJnvyWEAXx5jWcEuaAR" alt=""><figcaption></figcaption></figure>

* Fill in the <kbd>gateway</kbd> and <kbd>radiusClientList</kbd> fields according to the provided specifications to ensure accurate and secure network configuration.
  * **samName**: Enter the SAM name of the gateway. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls. Please provide your domain name, such as 'mirket'.
  * **authenticationPort**: Enter the authentication port value you set for the gateway. The default value is 1812.
  * **accountingPort**: Enter the accounting port value you specified for the gateway. The default value is 1813.
  * **gatewayIp**: Enter the IP address of the server where the Mirket is installed.
  * **ipAddress**: Enter the IP address of your firewall.
  * **secretKey**: Enter your secret key. This secret key is used to link your radius client and radius server, so ensure they are identical.

<figure><img src="/files/XXashWhbXtFHLbzzPqP3" alt=""><figcaption></figcaption></figure>

* Once you've made the necessary changes to the config.json file, save and close it. **Note**: You can add multiple RADIUS clients.
* After completing the configuration, restart the 'Mirket Radius Gateway Service'.

<figure><img src="/files/JrQvFsUxyh98qTV1Iq1G" alt=""><figcaption></figcaption></figure>

### User and Group configuration on Mirket&#x20;

To set up multifactor authentication, make sure you have at least one user group in Mirket.

If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.

* [Create a Local Group to add users manually.](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-group-configuration.md)
* [Add local Mirket users manually.](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-users-configuration.md)

If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.

* [Create a LDAP group to include LDAP users.](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-group-configuration.md)
* [Sync users from an external user database.](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-users.md)

### Add a Radius Rules to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP etc.).

First, you should follow these steps:

* Select **Rules > Radius Rules**.
* Click on **Add New**.
* Enter a rule name in the **Name** field.
* Enter the rule description in the **Description** field.
* Select the group to which the rule applies from the **Group** dropdown list.
* Select the provider to which the rule applies from the **Provider** dropdown list.
* Click on **Save** to confirm settings.

<figure><img src="/files/cdyLfELsTmGXAqpB1ZqW" alt=""><figcaption></figcaption></figure>

### Test the Integration

To validate the integration between Mirket MFA and your Palo Alto GlobalProtect, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the Approve/Deny authentication method.

* To begin, download and install the GlobalProtect App. For guidance, please refer to <https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide>.
* Launch the GlobalProtect App.

<figure><img src="/files/cnvQWNRb7aO9Y19fePNK" alt=""><figcaption></figcaption></figure>

* Input the IP address of your Palo Alto ethernet interface. Then click on **Connect**.

<figure><img src="/files/lUwnrRXyOfghfhd4Vak9" alt=""><figcaption></figcaption></figure>

* Enter your Mirket username in the **Username** field.
* Input your password in the **Password** field.

<figure><img src="/files/aAw8Q6HCt763LUco3sTD" alt=""><figcaption></figcaption></figure>

* Click on **Connect**. Then, select the '**Approve**' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.

<figure><img src="/files/tZbr9BMVcdxfhhpslHbN" alt=""><figcaption></figcaption></figure>

#### Related Topics

[Palo Alto MFA for Admin Accounts](/mirket-help-center/mirket-help-center/mirket-on-premise/integrations/palo-alto-mfa-for-admin-accounts.md)

[Radius Clients](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/rules/radius-rules/radius-clients.md)

[Radius Rules](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/rules/radius-rules.md)

[Local Group Configuration](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-group-configuration.md)

[Local Users Configuration](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-users-configuration.md)

[LDAP Group Configuration](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-group-configuration.md)

[LDAP Users](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-users.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-on-premise/integrations/palo-alto-ssl-vpn-integration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.