GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.


L2 Linker

I was trying some different settings out on my GlobalProtect portal app config and now when I commit from Panorama I get these warnings:

Details:
. Config 'fw-portal-agent':
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-listening-port'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-trusted-host-list'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-notification-msg'.
. (Module: sslvpn)
. Configuration committed successfully
Warnings:

 

 

I can see the mfa-listening-port, mfa-trusted-host-list, and mfa-notification-msg, but I can't see the mfa-enabled setting.

 

Is there some way of configuring the portal so I can see that and turn it off? Or am I going to have to export this out to XML, purge my template and import it back in?

 

It's not impeding my ability to update my firewalls but it seems like a unique problem as I haven't found it anywhere online and thought before I contact support I'd post it to the live community discussion in case it helps anyone else in the future.

 

I was thrilled to see the "misses informaion for"  ... I miss it too and hope it comes back 😉

 

 

 


--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛


L4 Transporter

David,

 

These are the MFA settings in your Portal -> Agent tab -> Config -> App:

[Screenshots: Capture1.JPG, Capture2.JPG]

 

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

Thanks Anurag, I see the same settings, but I'm unsure why my push state is showing warnings if I'm not configuring those settings.

[Screenshot: 2017-06-07_15-30-54.jpg]

In my Panorama I see the values:

.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-enabled
mfa-enabled {
  value no;
}
[edit]
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-listening-port
mfa-listening-port {
  value 4501;
}
[edit]
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-notification-msg
mfa-notification-msg {
  value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
}
[edit]
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-trusted-host-list
[edit]
.@Panorama#

but I can't find the corresponding info on my firewalls, so I'm wondering if these are an 8.0 train setting only, because my firewalls are on the 7.1.x train.

It also seems to only be affecting my one site, on which I recently downloaded and activated the 4.0.2 GlobalProtect client.

 

 

Thanks


--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛

I think it's the version discrepancy. These features are only available in PAN-OS 8.0+.
================================================================
ACE 7.0, 8.0, PCNSE 7

L2 Linker

TAC was able to confirm the issue was due to Panorama being at 8.0.2 and my firewalls being at 7.1.9, and said I basically need to upgrade to get the error to go away.

However, I was able to resolve the commit warnings by just deleting from the CLI in Panorama:

.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-enabled 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-listening-port 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-notification-msg 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-trusted-host-list 
.@Panorama# commit

--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛
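
As an added example (not part of the original posts and not Palo Alto Networks code): a small Python script that turns the commit warnings quoted in the question into the delete commands used in the answer above. It assumes the name in the `Config '...'` warning line is the portal agent config name; template, vsys and portal stay as the thread's placeholders.

```python
import re

# Constructed sample: the commit warning text as quoted in the question.
SAMPLE_WARNINGS = """\
Details:
. Config 'fw-portal-agent':
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-listening-port'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-trusted-host-list'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-notification-msg'.
. (Module: sslvpn)
. Configuration committed successfully
"""

# Only plain names (letters, digits, '_', '.', '-') are accepted, so nothing
# unexpected from a log line ends up pasted into a CLI session.
CONFIG_RE = re.compile(r"Config '([\w.-]+)':")
# "informaion" is the spelling in the warning; the corrected form is accepted too.
MISSING_RE = re.compile(r"misses informat?ion for '([\w.-]+)'")

def parse_warnings(text):
    """Return {agent_config_name: [setting, ...]}, de-duplicated, in first-seen order."""
    found, current = {}, None
    for line in text.splitlines():
        cfg = CONFIG_RE.search(line)
        if cfg:
            current = cfg.group(1)
            found.setdefault(current, [])
            continue
        miss = MISSING_RE.search(line)
        if miss and current is not None and miss.group(1) not in found[current]:
            found[current].append(miss.group(1))
    return found

def delete_commands(warnings, template, vsys, portal):
    """Build one delete command per flagged setting, in the form used in the answer."""
    return [
        f"delete template {template} config vsys {vsys} "
        f"global-protect global-protect-portal {portal} "
        f"client-config configs {agent} gp-app-config config {key}"
        for agent, keys in warnings.items()
        for key in keys
    ]

if __name__ == "__main__":
    flagged = parse_warnings(SAMPLE_WARNINGS)
    for cmd in delete_commands(flagged, "<template>", "<vsys#>", "<portal>"):
        print(cmd)
    print("commit")
```

Review the printed commands against `show template ...` output for each setting before pasting them into configure mode.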

I should note: on my Managed Devices screen the Last Commit State still shows the warnings, but the tasks for my commits completed successfully without the warnings, so I'm not sure what that is about. Hopefully with my next commits they will update on the Managed Devices screen.


--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛