I am having users complain that after installing Global Protect, their machine is taking a lot longer to log in. We have Global Protect set up as an "always on" solution. So if your machine has access to the internet it will automatically connect. We are using certificate authentication at the machine and the user level. When a user is not logged in, they press CTRL + ALT + DEL, enter in username and password and then wait for a long time for Windows to load their session. If they turn wireless off and Global Protect can't connect, login time is a lot faster.
Can you provide details about what your PAN-OS version and GP versions are? Also make sure that the gateways configured are specified by IP address. Could you also let me know what is the configured Cutoff time on the Gateways configuration (Network > GlobalProtect > Portals > Client Configuration > Gateways)? I suggest you leave the default (5).
You can try to speed up the GlobalProtect connection using auth cookies on PAN-OS 6.x.
To enable this, go to Network > Portal > edit your portal > Client Configuration > edit your client config. Set Authentication Modifier to "cookie authentication for config refresh". Set the Cookie Lifetime as desired (0, the default, means the cookie does not expire. If you prefer the cookie to expire, I suggest adjusting the setting to about a week's time).
Can you explain to me please, what the purpose of this cookie is and what the pros and cons are of having it 7 days vs 1 day?
The cookie is used to provide cookie-based agent authentication. The value is used to specify the number of days that the agent can use the cookie to authenticate to the portal for a configuration refresh; a value of 0 (the default) indicates that the cookie never expires. This document shows an example and explains more about this feature: GlobalProtect Prelogon Using Cookie Based Authentication
"Cutoff time" specifies the amount of time (in seconds) the agent will wait for gateways to respond before determining the best gateway to connect to. The agent will then attempt to connect to only those gateways that responded within the specified Cutoff Time. The default value is 5. A value of 0 indicates that there is no cutoff time; the agent will wait until the TCP timeout