activated global protect portal page although only gateway was configured

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

activated global protect portal page although only gateway was configured

L2 Linker

Hi,

I observed that our PaloAltos in our branches host the website shown in the screenshot, although only a gateway and NO portal was configured on this PaloAltos. The website looks very strange, especially with the login dialog hanging at the top of the page. We use only one global protect portal at our main location and the portal website has been deactivated and this worked fine.

 

PANOS 10.2.9-h1

 

Best regards,

Chris

1 accepted solution

Accepted Solutions

L2 Linker

Hi @kiwi,

 

answer from PA support:

The issue is known, but has not been added to the known issue list yet...

Fix should include in 11.2.3, 10.2.10, 11.1.5 and 10.2.4-h20

 

Best regards,

Chris

View solution in original post

5 REPLIES 5

Community Team Member

Hi @HW-ChrisME ,

 

This sound like somewhat similar behaviour as seen in PAN-183981.

The thing is that this bug was fixed in 10.1.9 (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-9-known-and-addressed...).  So you might be running into a regression somehow.  I suggest to contact support to confirm if you're hitting a regression of this bug or an entirely new issue.

 

You could try the workaround that was suggested for the bug (prior to the fix):

For the workaround you could configure a dummy portal and set it to disabled state like this:

  1. Go to Network > Global Protect > Portals > Add.
  2. You need to define a name and interface on the General tab and a SSL/TLS service profile on the Authentication tab at minimum to be able to save the Portal.
  3. Since there is no Client Authentication or Agent Authentication configuration, no one should be able to login to this portal no matter what. This can be considered a dummy portal.
  4. On the General tab > Appearance > Portal Login Page, open the dropdown menu and change it from "Factory-Default" to "Disable".

This should return you the expected error 404, even if you try to open https://x.x.x.x/global-protect/login.esp.

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L2 Linker

Hi @kiwi 

thanks for your response and the reference to PAN-183981.

It could be a new bug, because i dont need the exact link for accessing the portal website.

Port 80 with redirect to Port 443 and redirect to the /global-protect/login.esp Site are enabled. 

 

I will speak with our support technican to test the workaround and open a support ticket.

 

Best regards,

Chris

 

L2 Linker

Hi @kiwi,

 

answer from PA support:

The issue is known, but has not been added to the known issue list yet...

Fix should include in 11.2.3, 10.2.10, 11.1.5 and 10.2.4-h20

 

Best regards,

Chris

Not seeing a fix for this on 10.2.10, anyone try to upgrade to fix this?


@kiwi wrote:

2. You need to define a name and interface on the General tab and a SSL/TLS service profile on the Authentication tab at minimum to be able to save the Portal.

3. Since there is no Client Authentication or Agent Authentication configuration, no one should be able to login to this portal no matter what. This can be considered a dummy portal.

 


This is incorrect, commit will fail with

  • Error: GlobalProtect portal interface 'Portal-namel' must define client cert profile and/or auth profile

 

  • 1 accepted solution
  • 2319 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!