Proposed [00000002] Deploy Multi-Factor Authentication for VPN
Change Summary
Enforce multi-factor authentication (MFA) on all SSL-VPN connections through the Palo Alto GlobalProtect gateway. Authentication will be delegated to the institutional SAML IdP, which already supports TOTP and push-notification MFA for all staff and faculty accounts.
Change Type: Standard
Risk Level: Medium–High (user-facing; requires user action before cutover)
Rollback Available: Yes (MFA enforcement flag can be disabled in under 5 minutes)
Business Justification
Password-only VPN access has been identified as a critical gap in the institution’s security posture. Five of the last eight reported credential compromise incidents involved VPN credentials obtained through phishing. Enforcing MFA closes this vector and aligns with the NIST SP 800-63B Authenticator Assurance Level 2 (AAL2) requirements.
Scope
- Affected Users: All ~2,400 staff and faculty who use SSL-VPN
- Affected Systems: Palo Alto GlobalProtect gateway (both nodes)
- Not Affected: Students on the guest VPN pool (separate policy)
Pre-Change Requirements
All VPN users must have an MFA method registered in the identity portal before the cutover date. The following communication plan has been approved:
| Date | Action |
|---|---|
| April 1–10 | Email campaign prompting users to register an MFA method |
| April 12 | Reminder email; MFA portal linked prominently on the VPN landing page |
| April 18 | Final warning email; Help Desk staffed for extended hours |
| April 20 | MFA enforcement enabled at 8:00 PM |
Implementation Steps
- Enable SAML authentication profile on GlobalProtect gateway
- Set authentication policy order: SAML IdP before local password fallback
- Enable MFA enforcement flag in the GlobalProtect policy
- Confirm authentication events appear in SIEM within 5 minutes
- Validate with a test account using TOTP and push notification
Rollback Plan
Disable the MFA enforcement flag in the GlobalProtect policy (estimated 5 minutes). Local password authentication will resume immediately. Rollback is available for 72 hours post-change.
Testing
- Tested in non-production VPN environment with 15 volunteer users ✓
- Confirmed TOTP and push notification flows work correctly ✓
- Confirmed failed MFA attempts are logged to SIEM ✓
- Help Desk briefed on common user issues and resolutions ✓
Open Items
- CAB review scheduled for April 5, 2026
- User communication emails require final approval from Communications