Hi,

Can the user profiles be logged into externally to override normal firewall rules?

e.g. could I create a user called "remote", and give this user permission to access port 3389 thereby providing 2FA for remote desktop?

Thanks.

Not in quite that way, but there is another, potentially more secure way that you can do that:

You could set up a VPN user, with MOTP for the password to achieve 2FA. Their IP can be fixed on the network and you can lock down what can be accessed for that IP with the filter rules.
To do that, set the rule direction as "LAN/RT/VPN to LAN/RT/VPN", Source IP would be the fixed local IP for the VPN profile. One rule to allow TCP 3389 for the machine to be accessed, another rule after that to block all other LAN traffic via the VPN's LAN IP.