GlobalProtect with RSA OTP behavior change from PAN-OS 7.0.1 or later

11502
Created On 09/25/18 19:48 PM - Last Modified 06/07/23 17:21 PM


Resolution


Prior to PAN-OS 7.0, the portal generates a cookie after successful portal authentication. This cookie can be used to authenticate to a gateway that is on the same device as the portal, so the user is not prompted for a second OTP challenge.

Starting with PAN-OS 7.0, this cookie is gone, and the Authentication Modifier (under Network > GlobalProtect > Portals > Client Configuration > General) must be set to "Cookie authentication for config refresh" (also known as CACR).

[Screenshot: GP OTP.png, the Authentication Modifier setting in the portal client configuration]

The GlobalProtect client receives a CACR cookie after successful portal authentication. The CACR cookie is used only for portal authentication. With CACR configured, the very first time GlobalProtect connects, the user is still prompted for the OTP challenge for both portal and gateway. On subsequent connections the user may be prompted for the OTP challenge only for the gateway, provided GlobalProtect holds a valid CACR cookie with which to log in to the portal.

Process Flow:

1. When connecting to the Portal for the first time, the user authenticates with an OTP.
2. The Portal generates an encrypted cookie and sends it to the GlobalProtect client.
3. The GlobalProtect client then connects to the gateway and has to use an OTP again.
4. When the user later connects to GlobalProtect again, the GlobalProtect client presents the cookie it received from the Portal in step 2 and only needs an OTP when it connects to the gateway. The lifetime of this cookie is configurable, so you can set it as required.
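As an added illustration (not from this article or from Palo Alto Networks' own code), the following Python model simulates the flow above: the portal issues a time-limited cookie that only the portal accepts, while the gateway always demands an OTP. The HMAC-signed cookie stands in for the real encrypted cookie, and the key, lifetime and OTP check are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed portal-side key and lifetime; a real portal uses its own key
# material, and the article says only that the lifetime is configurable.
PORTAL_KEY = b"constructed-portal-secret"
COOKIE_LIFETIME = 3600  # seconds
TAG_LEN = 32            # bytes of SHA-256 HMAC appended to the cookie body

def otp_valid(otp: str) -> bool:
    """Stand-in for the RSA OTP check: accepts any six-digit code."""
    return otp.isdigit() and len(otp) == 6

def issue_cacr_cookie(user: str, now: float) -> str:
    """Portal issues an authenticated, expiring cookie after an OTP login."""
    body = json.dumps({"user": user, "exp": now + COOKIE_LIFETIME}).encode()
    tag = hmac.new(PORTAL_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def portal_accepts_cookie(cookie: str, now: float) -> bool:
    """Portal-side check: the tag must verify and the cookie must be unexpired."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return False
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(PORTAL_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    return json.loads(body)["exp"] > now

def connect(user: str, ask_otp, cookie, now: float):
    """One GlobalProtect connection. ask_otp(component) returns the user's code.

    Returns (components that prompted for OTP, cookie to keep for next time).
    """
    prompted = []
    if cookie is None or not portal_accepts_cookie(cookie, now):
        prompted.append("portal")          # no usable CACR cookie: OTP for portal
        if not otp_valid(ask_otp("portal")):
            raise PermissionError("portal OTP rejected")
        cookie = issue_cacr_cookie(user, now)
    prompted.append("gateway")             # gateway never trusts the CACR cookie
    if not otp_valid(ask_otp("gateway")):
        raise PermissionError("gateway OTP rejected")
    return prompted, cookie
```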

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle4CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail