https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590643#M5516 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159288">@vsurresh</a> ,</P> <P>&nbsp;</P> <P>An authentication cookie is created on your device - very similar to the browser authentication cookie used for this community.&nbsp; Some times you have to enter your username and password, and sometimes the browser detects the cookie and you login without being prompted for credentials.</P> <P>&nbsp;</P> <P>Setting the portal to <EM>generate</EM> the cookie means that it will require username/password/MFA every time.&nbsp; Setting the gateway to <EM>accept</EM> the cookie means that after the portal generates it, the user can login to the gateway without being prompted.&nbsp; (On a side note, even without MFA the portal caches the username and password and forwards it to the gateway.)&nbsp; If the portal only generates the cookie, the lifetime is not as critical.&nbsp; Two minutes probably should be fine.&nbsp; If the portal and gateway both accepted the cookie, the user could connect/disconnect/connect again within the lifetime and not have to enter credentials or use MFA.</P> <P>&nbsp;</P> <P>It is also good to know that some IdPs such as Entra use their own authentication cookies where you do not have to set those options on the portal or gateway.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 27 Jun 2024 23:07:39 GMT TomYoung 2024-06-27T23:07:39Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590642#M5515 <P>Hello,</P> <P>&nbsp;</P> <P>I'm trying to understand the difference between 'Generate cookie for authentication override' and 'Accept cookie for authentication override' on both portals and gateways. I went through all the official guides but still can't seem to understand. Suppose we have MFA set up for both the portal and the gateway. Every time someone tries to connect to GP, there will be two MFA prompts. The guide says I need to tick the first box on the portal and the second box on the gateway. But what cookie lifetime should we use? Should we set it to around 2 minutes so the first MFA will be valid for the next two minutes, and within this time, the gateway authentication will succeed?</P> <P>&nbsp;</P> <P>Here is the guide -&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LvbCAE&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LvbCAE&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> <P>The screenshot shows 24 hour for the gateway cookie life time, what does that mean? TIA</P> Thu, 27 Jun 2024 21:04:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590642#M5515 vsurresh 2024-06-27T21:04:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590643#M5516 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159288">@vsurresh</a> ,</P> <P>&nbsp;</P> <P>An authentication cookie is created on your device - very similar to the browser authentication cookie used for this community.&nbsp; Some times you have to enter your username and password, and sometimes the browser detects the cookie and you login without being prompted for credentials.</P> <P>&nbsp;</P> <P>Setting the portal to <EM>generate</EM> the cookie means that it will require username/password/MFA every time.&nbsp; Setting the gateway to <EM>accept</EM> the cookie means that after the portal generates it, the user can login to the gateway without being prompted.&nbsp; (On a side note, even without MFA the portal caches the username and password and forwards it to the gateway.)&nbsp; If the portal only generates the cookie, the lifetime is not as critical.&nbsp; Two minutes probably should be fine.&nbsp; If the portal and gateway both accepted the cookie, the user could connect/disconnect/connect again within the lifetime and not have to enter credentials or use MFA.</P> <P>&nbsp;</P> <P>It is also good to know that some IdPs such as Entra use their own authentication cookies where you do not have to set those options on the portal or gateway.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 27 Jun 2024 23:07:39 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590643#M5516 TomYoung 2024-06-27T23:07:39Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590747#M5519 <P>Thank you for the response.&nbsp;</P> <P><EM><STRONG>"Setting the gateway to accept the cookie means that after the portal generates it, the user can login to the gateway without being prompted."</STRONG></EM></P> <P>&nbsp;</P> <P><SPAN>Here, am I right in thinking that, when we set the lifetime to 2 minutes and the gateway, if the cookie portal generated is more than 2 minutes for example, then the gateway don't accept it? TIA</SPAN></P> Sat, 29 Jun 2024 20:00:11 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590747#M5519 vsurresh 2024-06-29T20:00:11Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590772#M5521 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159288">@vsurresh</a> ,</P> <P>&nbsp;</P> <P>That is correct.&nbsp; I can't think of any scenario where the GP client would take longer than 2 minutes after authenticating in the portal to authenticate to the gateway.&nbsp; You can also set it higher if you are concerned.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sun, 30 Jun 2024 21:35:16 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-two-mfa-prompts-for-portal-and-gateway/m-p/590772#M5521 TomYoung 2024-06-30T21:35:16Z