GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.

L2 Linker

I was trying some different settings out on my GlobalProtect portal app config, and now when I commit from Panorama I get these warnings:

Details:
. Config 'fw-portal-agent':
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-listening-port'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-trusted-host-list'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-notification-msg'.
. (Module: sslvpn)
. Configuration committed successfully
Warnings:

 

 

I can see the mfa-listening-port, mfa-trusted-host-list, and mfa-notification-msg, but I can't see the mfa-enabled setting.

 

Is there some way of configuring the portal so I can see that and turn it off? Or am I going to have to export this out to XML, purge my template and import it back in?

 

It's not impeding my ability to update my firewalls, but it seems like a unique problem as I haven't found it anywhere online, and I thought before I contact support I'd post it to the Live Community discussion in case it helps anyone else in the future.

 

I was thrilled to see the "misses informaion for" ... I miss it too and hope it comes back ;-)


--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it :-P

Accepted Solutions
L2 Linker

TAC was able to confirm the issue was due to Panorama being at 8.0.2 and my firewalls being at 7.1.9, and said I basically need to upgrade to get the error to go away.

However, I was able to resolve the commit warnings by just deleting from the CLI in Panorama:

.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-enabled
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-listening-port
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-notification-msg
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-trusted-host-list
.@Panorama# commit

--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it :-P
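Added example, not part of the original post: when several portal agent configs raise the same warning, the delete commands from the accepted solution can be generated from the commit details instead of typed by hand. The function names and the constructed `lab-portal-agent` lines are assumptions; the `<template>`, `<vsys#>` and `<portal>` placeholders are left for the operator to fill in.

```python
import re

# Warning text exactly as shown in the thread (including the "informaion" typo).
MISSING_RE = re.compile(r"GlobalProtect App Dynamic Configuration misses informaion for '([^']+)'")
CONFIG_RE = re.compile(r"Config '([^']+)':")
# Delete command as posted in the accepted solution; <...> placeholders stay unfilled.
DELETE_TMPL = ("delete template <template> config vsys <vsys#> global-protect "
               "global-protect-portal <portal> client-config configs {agent} "
               "gp-app-config config {key}")
# Assumption: names use only these characters; anything else is rejected so
# pasted log text cannot add extra words to a generated CLI command.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# First six lines are copied from the post; the last three are constructed.
SAMPLE = """\
. Config 'fw-portal-agent':
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-listening-port'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-trusted-host-list'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-notification-msg'.
. (Module: sslvpn)
. Config 'lab-portal-agent':
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.
"""

def missing_keys(commit_details):
    """Map each portal agent config to the app-config keys reported missing (deduplicated)."""
    found, agent = {}, None
    for line in commit_details.splitlines():
        key = MISSING_RE.search(line)
        if key and agent is not None:
            keys = found.setdefault(agent, [])
            if key.group(1) not in keys:
                keys.append(key.group(1))
            continue
        cfg = CONFIG_RE.search(line)
        if cfg:
            agent = cfg.group(1)
    return found

def delete_commands(commit_details):
    """Build one Panorama delete command per (agent config, missing key) pair."""
    cmds = []
    for agent, keys in missing_keys(commit_details).items():
        for key in keys:
            if not (SAFE_NAME.match(agent) and SAFE_NAME.match(key)):
                raise ValueError(f"unexpected characters in {agent!r} / {key!r}")
            cmds.append(DELETE_TMPL.format(agent=agent, key=key))
    return cmds

if __name__ == "__main__":
    print("\n".join(delete_commands(SAMPLE)))
```
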



All Replies
L4 Transporter

David,

 

These are the MFA settings in your Portal > Agent tab > Config > App:

[Screenshots: Capture1.JPG, Capture2.JPG]

 

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
L2 Linker

Thanks Anurag, I see the same settings, but if I'm not configuring those settings, I'm unsure why my push state is showing warnings.

[Screenshot: 2017-06-07_15-30-54.jpg]

In my Panorama I see the values:

.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-enabled
mfa-enabled {
  value no;
}
[edit]
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-listening-port
mfa-listening-port {
  value 4501;
}
[edit]
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-notification-msg
mfa-notification-msg {
  value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
}
[edit]
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-trusted-host-list
[edit]
.@Panorama#

But I can't find the corresponding info on my firewalls, so I'm wondering if these are an 8.0 train setting only, because my firewalls are on the 7.1.x train.

It also seems to only be affecting my one site, on which I recently downloaded and activated the 4.0.2 GlobalProtect client.

 

 

Thanks


--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it :-P
L4 Transporter

I think it's the version discrepancy. These features are only available in PAN-OS 8.0+.
================================================================
ACE 7.0, 8.0, PCNSE 7
L2 Linker

I should note: on my Managed Devices screen the Last Commit State still shows the warnings, but the tasks for my commits completed successfully without the warnings, so I'm not sure what that is about. Hopefully with my next commits they will update on the Managed Devices screen.


--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it :-P