Two Factor Authentication (2FA) Overview
Two Factor Authentication (2FA) is required for users to log into Palo Alto Networks apps, such as Customer Support Portal (CSP). To increase your security posture, Domain Admins are no longer able administer 2FA for users in their account.
- To learn how to login with a 2FA method, read Section Login To Customer Support Portal (CSP) .
- To learn how to configure 2FA methods, read Section Configure 2FA Methods .
- Note - To reach the Okta service, your DNS will need to resolve sso.paloaltonetworks.com
If you have problems logging in, please:
- Select Need Help on the SSO password page
Login To Customer Support Portal (CSP)
2FA Methods Depend on Your Account Type If your account is FedRAMP (federal), single sign-on (SSO) supports the following 2FA methods:
- Email
- Okta validation email is generated in an AWS SES environment and your email server may block it as spam. If you don't receive the email or the link is no longer valid when you receive it, please have your email admin whitelist the below:
- 23.249.212.62
23.249.212.63
23.249.212.64
23.249.212.65
- 23.249.212.62
- For additional Okta IP addresses please see https://support.okta.com/help/s/article/Allowlist-of-IP-Addresses-for-processing-email-delivery?language=en_US
- Note: Okta recommends using the other MFA options for enhanced security.
- Note: PANW currently does not have plans to implement the restriction of using Email as MFA form on account level (forcing the users to choose other MMFA forms).
- Okta validation email is generated in an AWS SES environment and your email server may block it as spam. If you don't receive the email or the link is no longer valid when you receive it, please have your email admin whitelist the below:
- Okta Verify
If your account is not FedRAMP, SSO supports the following 2FA methods:
- Email
- Okta validation email is generated in an AWS SES environment and your email server may block it as spam. If you don't receive the email or the link is no longer valid when you receive it, please have your email admin whitelist the below:
- 23.249.212.62
23.249.212.63
23.249.212.64
23.249.212.65- Note: Okta recommends using the other MFA options for enhanced security.
- 23.249.212.62
- Okta validation email is generated in an AWS SES environment and your email server may block it as spam. If you don't receive the email or the link is no longer valid when you receive it, please have your email admin whitelist the below:
- Okta Verify
- Google Authenticator (can be used with any form of two factor authentication by scanning the QR code for your chosen application)
If you are unsure about your account type, ask your Domain Administrator.
Login to Customer Support Portal
To login to Customer Support Portal (CSP), click CSP login link (https://support.paloaltonetworks.com/). Then, enter your user ID.
Followed by your password.
The next step depends on the 2FA methods configured for your account.
2FA Methods
If your account is configured for email 2FA, click Send me the code.
Check. your email. SSO sends you an email with a six-digit code. A sample email follows.
Enter the six-digit code, 324262 in this case to login.
If your account is configured for Okta Verify 2FA, follow directions to verify your identity. Or, you can choose to push a notification to your Okta Verify mobile app. In the following illustration, the user set the option to always send a push automatically.
Open Okta Verify app on your phone, and tap on the number displayed above to login.
Google Authenticator 2FA
If your account is configured for Google Authenticator 2FA, go to Google Authenticator app on your phone to get a new six-digit code. Enter the code to login.
Note: Google Authenticatorcan be used with any form of two factor authentication by scanning the QR code for your chosen application. If you have changed to another phone and would like to re-enroll your google authenticator, select Need Help on the SSO password page (logging in to the Support Portal is NOT required here to create a support case)
Multiple 2FA Methods
If your account is configured for multiple 2FA methods, you can decide which 2FA method to use during login. In the following sample illustration, CSP initially prompts for an Okta Verify code or push.
To change your 2FA method during login, click on the down arrow to select another 2FA method.
Configure 2FA Methods
Manage Account Settings
To manage your account settings, e.g., change password, set up 2FA, go to:
https://sso.paloaltonetworks.com/enduser/settings
IMPORTANT! Please use the link above to configure your 2FA settings. Configuring 2FA is no longer done in CSP My Profile. Your DNS will need to resolve sso.paloaltonetworks.com to reach the Okta service.
2FA Methods Depend on Your Account Type If your account is FedRAMP (federal), single sign-on (SSO) supports the following 2FA methods:
- Okta Verify
If your account is not FedRAMP, SSO supports the following 2FA methods:
- Okta Verify
- Google Authenticator
If you are unsure about your account type, ask your Domain Administrator.
Okta Verify does not support multi-device authentication.
To configure Okta Verify as your 2FA method, click Set up button for Okta Verify.
Click Setup button to set up Okta Verify.
Select your phone type. And, download Okta Verify to your phone. Click Next button.
CSP displays a QR code. Use Okta Verify on your phone to scan the QR code.
On your phone, go to Okta Verify app, and click '+' icon. Choose Organization for account type, and clickYes, Ready to Scan button. Point your phone camera at the QR code. Okta Verify will scan the QR code, and add your account.
When you login next, CSP enables you to enter a six-digit code from Okta Verify app. Or, prompt Okta Verify to send a push; confirm your identity by clicking Yes, It's Me.
Google Authenticator supports multi-device authentication. See the details here .
Note: Google Authenticatorcan be used with any form of two factor authentication by following these instructions but downloading and scanning the QR code for your chosen application).
To configure Google Authenticator as your 2FA method, click Set up button for Google Authenticator.
Click Setup button to set up Google Authenticator for 2FA.
Select your phone type. And, download Google Authenticator to your phone. Click Next button.
CSP displays a QR code. Use Google Authenticator on your phone to scan the QR code.
Select Scan a QR code in Google Authenticator. Point your phone camera at the QR code. Google Authenticator will scan the QR code, and add your account. Click Next button.
To verify Google Authenticator is set up correctly, enter a new six-digit code from Google Authenticator.
When you login next, enter a six-digit code from Google Authenticator app.
If you have changed to another phone and would like to re-enroll your google authenticator, select Need Help on the SSO password page (logging in to the Support Portal is NOT required here to create a support case)
Email is set up as your default 2FA. To remove email 2FA, click Remove button.
To confirm you want to disable email 2FA, click Yes button. Use the same procedure to configure all 2FA methods.
Getting an Error?
Confirm that these URLs are white listed:
- https://sso.paloaltonetworks.com
- https://sso.paloaltonetworks.com/.well-known/webfinger
- Clear cache and cookies to see if issue is resolved.
NOTE: It is not possible to disable MFA for security reasons. We want to harden the way each user authenticates to our environment and align more closely with NIST guidance so that we can further improve our security posture.
