Global Protect Cookies Portal Gateway

Metgatz — Wed, 12 Oct 2022 21:59:11 GMT

Hello good afternoon, as always thank you very much for your time and collaboration.

I have a question, currently I have configured at the level of Global Protect, cookies in both Portal and Gateway.

The issue is that this was configured to keep the credentials and not have to be entering these manually, twice, ie for the portal and gateway.

-Now I would like to be able to use cookies but only to ask for the credentials in one instance, not in two, i.e. ask for them for the Portal, but for the Gateway simply use the authentication already done in the Portal.

To achieve this goal, how should I configure the cookies section?

Thank you, I remain attentive

Best regards

Re: Global Protect Cookies Portal Gateway

Adrian_Jensen — Thu, 13 Oct 2022 00:44:31 GMT

Configure your Portal to generate a cookie, but do not accept cookies, for authentication override:

GlobalProtect->Portals->[config]->Agent->[config]->Authentication

You will need a certificate on the PaloAlto with a private key to sign the cookie (either a self-generated or externally validated). You may also need to check Require Dynamic Passwords to force the GP client not to cache user/password and automatically log you in anyways.

Then configure your Gateway to accept cookies for authentication override, but do not generate cookies:

GlobalProtect->Gateways->[config]->Agent->Client Settings-<config]->Authentication Override

You may want to set a short cookie lifetime so if a user is disconnected from the Gateway, they must re-authenticate against the Portal (default is 24 hour cookie lifetime). If you have Portals and Gateways on separate PaloAltos, be sure to copy the certificate used to sign the cookie to the Gateway firewall.

topic Re: Global Protect Cookies Portal Gateway in GlobalProtect Discussions

Global Protect Cookies Portal Gateway

Re: Global Protect Cookies Portal Gateway