https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/577578#M4979 <P>Hello,<BR />I implementing GlobalProtect as our main VPN Solution and got it working so far.&nbsp;<BR /><BR />When I stress-test the GlobalProtect Client (imitating a stressed busy user who clicks on reconnect / "erneut verbinden in a short time frame) I get "no acces to site / kein zugriff auf seite" error in the integrated browser.&nbsp;<BR />I have to close the "kein zugriff auf seite" window because global protect awaits the window to be closed to continue working.<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BilertJulian_systemo_0-1708177392123.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57698iDF4786769285635F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BilertJulian_systemo_0-1708177392123.png" alt="BilertJulian_systemo_0-1708177392123.png" /></span><BR /><BR />If I now close the "kein zugriff auf seite" window&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BilertJulian_systemo_2-1708177910134.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57700iA77BB316D93ACA9D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BilertJulian_systemo_2-1708177910134.png" alt="BilertJulian_systemo_2-1708177910134.png" /></span></P> <P>When I press "connect / verbinden" the windows with "kein zugriff auf seite" appears by a 50:50 chance. But mostly the connection works than...&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BilertJulian_systemo_0-1708182174749.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57702iD586362C67E46D28/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BilertJulian_systemo_0-1708182174749.png" alt="BilertJulian_systemo_0-1708182174749.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><BR />If I press "disconnect / trennen" and than on "connect / verbinden"&nbsp; instead of "reconnect / erneut verbinden"&nbsp; the same page with "kein zugriff auf seite" opens sometimes but not as often as when I try a reconnect....<BR /><BR />--&gt; the connection itself can be established if I retry closing the windows and pressing connect once or twice thats not the big deal...<BR />--&gt; the big problem at all is, that global protect stops working until the Window "kein zugriff auf seite" is closed...&nbsp;<BR />It would be perfect to display a custom error message: please close this window and try reconnect again ... because with the "kein zugriff auf seite" error page we will get a huge and never ending load of tickets and support calls I guess<BR /><BR /><BR /><BR /></P> <P><BR /><BR />PS: I already changed the setting in the gateway "app ribbon" already to the "default browser" and testet it -&gt; the auth site opens at least, but sometimes (in case the browser is in the background the user does not even see the auth page)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BilertJulian_systemo_1-1708182234659.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57703i4FD5967BE0F6B297/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BilertJulian_systemo_1-1708182234659.png" alt="BilertJulian_systemo_1-1708182234659.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Side-Notes:<BR />1. For successfull connected users the whole microsoft IP ranges are split tunneled (I can confirm this when I inspect the routes on the windows clients)<BR />2. in case the integrated browser of global protect runs over our infrastructure I created some policys to the FQDN login.microsoftonline.com with no IDS, URL filtering etc) and application / service any -&gt; the result stays the same "no access to site / kein zugriff auf seite) when the integrated browser appears.<BR />3. I stopped the PanGPS Service on a test client and deleted the folder&nbsp;(C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect)&nbsp; -&gt; error appears again if I reconnect shortly after connecting<BR />4. I tested with different global protect clients (5.x, 6.2.0, but mostly i am testing with 6.2.2) -&gt; same effects.<BR /><BR /></P> <P>Any other ideas I can optimize the user experience ?<BR /><BR /><BR />and: Is there a way to edit the Design of Global Protect with company branding or the response page for the global protect saml auth ? (see the last screenshot)<BR /><BR />thank you very much&nbsp;<BR /><BR /><BR /></P> Sat, 17 Feb 2024 15:04:14 GMT Blyat_tschuli 2024-02-17T15:04:14Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/577578#M4979 <P>Hello,<BR />I implementing GlobalProtect as our main VPN Solution and got it working so far.&nbsp;<BR /><BR />When I stress-test the GlobalProtect Client (imitating a stressed busy user who clicks on reconnect / "erneut verbinden in a short time frame) I get "no acces to site / kein zugriff auf seite" error in the integrated browser.&nbsp;<BR />I have to close the "kein zugriff auf seite" window because global protect awaits the window to be closed to continue working.<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BilertJulian_systemo_0-1708177392123.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57698iDF4786769285635F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BilertJulian_systemo_0-1708177392123.png" alt="BilertJulian_systemo_0-1708177392123.png" /></span><BR /><BR />If I now close the "kein zugriff auf seite" window&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BilertJulian_systemo_2-1708177910134.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57700iA77BB316D93ACA9D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BilertJulian_systemo_2-1708177910134.png" alt="BilertJulian_systemo_2-1708177910134.png" /></span></P> <P>When I press "connect / verbinden" the windows with "kein zugriff auf seite" appears by a 50:50 chance. But mostly the connection works than...&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BilertJulian_systemo_0-1708182174749.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57702iD586362C67E46D28/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BilertJulian_systemo_0-1708182174749.png" alt="BilertJulian_systemo_0-1708182174749.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><BR />If I press "disconnect / trennen" and than on "connect / verbinden"&nbsp; instead of "reconnect / erneut verbinden"&nbsp; the same page with "kein zugriff auf seite" opens sometimes but not as often as when I try a reconnect....<BR /><BR />--&gt; the connection itself can be established if I retry closing the windows and pressing connect once or twice thats not the big deal...<BR />--&gt; the big problem at all is, that global protect stops working until the Window "kein zugriff auf seite" is closed...&nbsp;<BR />It would be perfect to display a custom error message: please close this window and try reconnect again ... because with the "kein zugriff auf seite" error page we will get a huge and never ending load of tickets and support calls I guess<BR /><BR /><BR /><BR /></P> <P><BR /><BR />PS: I already changed the setting in the gateway "app ribbon" already to the "default browser" and testet it -&gt; the auth site opens at least, but sometimes (in case the browser is in the background the user does not even see the auth page)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BilertJulian_systemo_1-1708182234659.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57703i4FD5967BE0F6B297/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BilertJulian_systemo_1-1708182234659.png" alt="BilertJulian_systemo_1-1708182234659.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Side-Notes:<BR />1. For successfull connected users the whole microsoft IP ranges are split tunneled (I can confirm this when I inspect the routes on the windows clients)<BR />2. in case the integrated browser of global protect runs over our infrastructure I created some policys to the FQDN login.microsoftonline.com with no IDS, URL filtering etc) and application / service any -&gt; the result stays the same "no access to site / kein zugriff auf seite) when the integrated browser appears.<BR />3. I stopped the PanGPS Service on a test client and deleted the folder&nbsp;(C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect)&nbsp; -&gt; error appears again if I reconnect shortly after connecting<BR />4. I tested with different global protect clients (5.x, 6.2.0, but mostly i am testing with 6.2.2) -&gt; same effects.<BR /><BR /></P> <P>Any other ideas I can optimize the user experience ?<BR /><BR /><BR />and: Is there a way to edit the Design of Global Protect with company branding or the response page for the global protect saml auth ? (see the last screenshot)<BR /><BR />thank you very much&nbsp;<BR /><BR /><BR /></P> Sat, 17 Feb 2024 15:04:14 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/577578#M4979 Blyat_tschuli 2024-02-17T15:04:14Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/577652#M4983 <P>If you need to account for very nervous users, you could consider enabling authentication cookies on the gateway</P> <P>The minimum value you can set these to is 5 minutes which should allow for nervousness but not interfere with SAML conditional access</P> <P>&nbsp;</P> <P>the SAML login page can be branded, but this needs to be done on the SAML IdP side as this page is served by the IdP instead of the palo</P> <P>that last page you display can't be changed I think, only the welcome, help and portal login/home pages</P> Mon, 19 Feb 2024 12:01:09 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/577652#M4983 reaper 2024-02-19T12:01:09Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/577813#M4998 <P>Hi, try set the TCP handshake to 60, it helped me.&nbsp; (PAN-227368 bug)</P> Tue, 20 Feb 2024 23:58:26 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/577813#M4998 RadekStejnar 2024-02-20T23:58:26Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/579924#M5106 <P>Im running into the same issue but we are still on PanOS 10.1.x and GlobalProtect 5.2.13.</P> <P>I first want to upgrade PanOS to 10.2.8 and GP to 6.0.8 or 6.1.4 before i start troubleshooting this issue.</P> <P>&nbsp;</P> <P>Which PanOS are you running on Portal/Gateway Firewalls?</P> <P>10.2.6: Did you maybe tried already to increase the TCP Handshake to 60 like mentioned in&nbsp;<SPAN>PAN-227368 ?</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>thanks,</P> <P>&nbsp;</P> Mon, 11 Mar 2024 14:53:40 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-external-gateway-saml-reconnect-issue/m-p/579924#M5106 Adrian_Moechel 2024-03-11T14:53:40Z