One-Time Password (OTP) Authentication for VPN connections (Palo Alto GlobalProtect)

In response to the great interest in OTP, we have added support for another VPN vendor and expanded the module with new features.

Palo Alto is the next platform, after Pulse Secure and FortiGate, that we have integrated with NACVIEW. A new feature is support for the Google Authenticator application and the codes it generates. This is the second option, alongside one-time SMS passwords, that can be used to authorize users' access to the VPN.

How does it work?

Two conditions must be met for the OTP service to work. First, Palo Alto must be configured in NACVIEW as a network device. The second condition is that the user has the GlobalProtect application.

The first stage of verifying the user's identity is checking their credentials in the local NACVIEW database or in an external one, e.g. Active Directory. If the login and password are correct, the account is active and the resource is properly configured, the second stage of validation takes place. NACVIEW sends the user an SMS with a verification code, or the code from the Google Authenticator app is used; in either case the code must be entered into the GlobalProtect application. After the code and its validity have been verified, access to specific network resources is granted.

[Figure: OTP - Palo Alto - flow chart]

The administrator can choose additional parameters while configuring OTP in NACVIEW, for example, code lifetime or message content. The OTP module is equipped with the ability to create object groups and display logs from authorization events.
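The second-stage check described above can be sketched as follows. This is an added example, not NACVIEW's or Palo Alto's code: it verifies a Google Authenticator code using the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) and an SMS code against a configured lifetime. The function names, the drift window, the replay check and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (Google Authenticator default)
DIGITS = 6   # code length (Google Authenticator default)

def totp(secret_b32, at):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret_b32, code, at, drift_steps=1, last_used_step=-1):
    """Return the matching time step, or None if the code is wrong,
    outside the allowed clock drift, or from an already used step."""
    now_step = int(at) // STEP
    first = max(0, now_step - drift_steps)
    for step in range(first, now_step + drift_steps + 1):
        if step <= last_used_step:
            continue  # replay protection: each step is accepted once
        expected = totp(secret_b32, step * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None

def verify_sms_code(issued_code, issued_at, lifetime, code, at):
    """SMS variant: the code must match and still be within its lifetime."""
    fresh = 0 <= at - issued_at <= lifetime
    return fresh and hmac.compare_digest(issued_code.encode(), code.encode())

# Constructed sample secret: base32 of the RFC 6238 test key
# "12345678901234567890". A real secret is random and per user.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    step = verify_totp(SECRET, totp(SECRET, 59), at=59)
    print("accepted in step", step)
    print("replayed:", verify_totp(SECRET, totp(SECRET, 59), 59, last_used_step=step))
    print("SMS after lifetime:", verify_sms_code("493817", 1000, 120, "493817", 1121))
```

Storing the returned step per user and passing it back as `last_used_step` is what prevents a captured code from being reused within its validity window.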

If your company uses a different VPN solution, write to us at and ask for integration.
