Duo

To get Duo working with Palo Alto Networks GlobalProtect, you need to set up a RADIUS proxy for Duo.

A great document can be found here.

  • Set up a RADIUS server profile (type = PAP). Set the timeout to 30 seconds rather than 3 seconds to give users time to reach for their phones.
  • In the authentication profile, set the user domain to example rather than example.local. Set the username modifier to %USERINPUT%. You will probably have to set a user group as well under the advanced tab.
  • Use the RADIUS profile when setting up authentication with GlobalProtect.
  • On each firewall doing GlobalProtect with Duo, you will need to run set authentication radius-vsa-on client-source-ip.
  • You will be able to use a username/password combination when logging in to GlobalProtect. The Duo app on your phone should then ask you to authorise the connection.
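
A minimal authproxy.cfg for the Duo Authentication Proxy that the RADIUS server profile above would point at, added here as an illustration and not taken from the original page. It assumes Active Directory for example.local as the primary authenticator; every address, account name and key is a placeholder.

```ini
; Constructed example authproxy.cfg. All values are placeholders.
; The file holds secrets: restrict read access to the proxy's service account.

[ad_client]
; Assumption: primary (password) authentication is checked against AD.
host=192.0.2.10
service_account_username=duoservice
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=local

[radius_server_auto]
; Integration key, secret key and API hostname from the Duo Admin Panel.
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=REPLACE_WITH_API_HOSTNAME
; Address the firewall sources its RADIUS requests from.
radius_ip_1=192.0.2.1
; Must match the secret in the firewall's RADIUS server profile.
radius_secret_1=REPLACE_WITH_LONG_RANDOM_SHARED_SECRET
client=ad_client
port=1812
; secure = reject logins when Duo cannot be reached.
; safe (the default) falls back to primary authentication only.
failmode=secure
```

Because the server profile type is PAP, the user's password is protected in transit only by the RADIUS shared secret, so make it long and random and keep the firewall-to-proxy path on a trusted network.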