GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.

David_Avery · ‎06-03-2017

I was trying some different settings out on my Global Protect portal app config and now when I commit from panorama I get these warnings:

Details:
. Config 'fw-portal-agent':
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-listening-port'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-trusted-host-list'.
. GlobalProtect App Dynamic Configuration misses informaion for 'mfa-notification-msg'.
. (Module: sslvpn)
. Configuration committed successfully
Warnings:

I can see the mfa-listening-port, mfa-trusted-host-list, and mfa-notification-msg, but I can't see the mfa-enabled setting.

Is there some way of configuring the portal so I can see that and turn it off? or am I going to have to export this out to XML, purge my template and import it back in?

It's not impeding my ability to update my firewalls but it seems like a unique problem as I haven't found it anywhere online and thought before I contact support I'd post it to the live community discussion in case it helps anyone else in the future.

I was thrilled to see the "misses informaion for" ... I miss it too and hope it comes back 😉

--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛

David_Avery · ‎06-14-2017

TAC was able to confirm the issue was due to panorama being at 8.0.2 and my firewalls being at 7.1.9 and said I basically need to upgrade to get the error to go away

however I was able to resolve the commit warnings by just deleting from the CLI in panorama:

.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-enabled 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-listening-port 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-notification-msg 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-trusted-host-list 
.@Panorama# commit

--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛

View solution in original post

ansharma · ‎06-03-2017

David,

These are the MFA settings in your Portal->Agent tab-Config>App:

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

David_Avery · ‎06-07-2017

Thanks Anurag, I see the same settings, but I'm unsure why if I'm not configuring those settings why is my push state showing warnings

in my panorama I see the values:

.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-enabled
mfa-enabled {
  value no;
}
[edit]                                                                                                                                                                                                                                                          
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-listening-port
mfa-listening-port {
  value 4501;
}
[edit]                                                                                                                                                                                                                                                          
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-notification-msg
mfa-notification-msg {
  value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
}
[edit]                                                                                                                                                                                                                                                          
.@Panorama# show template <template> config vsys <vsys> global-protect global-protect-portal raven-gp-portal client-config configs <gw>-portal-agent gp-app-config config mfa-trusted-host-list
[edit]                                                                                                                                                                                                                                                        
.@Panorama#

but I can't find the corresponding info on my firewalls, so I'm wondering if these are an 8.0 train setting only because my firewalls are on 7.1.x train

It also seems to only be affecting my one site which I recently downloaded and activated the 4.0.2 global protect client on

Thanks

--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛

ansharma · ‎06-07-2017

I think it's the version discrepancy. These features are only available in PAN OS 8.0+

================================================================
ACE 7.0, 8.0, PCNSE 7

David_Avery · ‎06-14-2017

TAC was able to confirm the issue was due to panorama being at 8.0.2 and my firewalls being at 7.1.9 and said I basically need to upgrade to get the error to go away

however I was able to resolve the commit warnings by just deleting from the CLI in panorama:

.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-enabled 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-listening-port 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-notification-msg 
.@Panorama# delete template <template> config vsys <vsys#> global-protect global-protect-portal <portal> client-config configs <portal-agent> gp-app-config config mfa-trusted-host-list 
.@Panorama# commit

--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛

David_Avery · ‎06-14-2017

I should note: on my Managed Devices screen the Last Commit State still shows the warnings but the tasks for my commits completed successfully without the warnings so I'm not sure what that is about hopefully with my next commits they will update on the managed devices screen

--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛

Unlock your full community experience!

GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.

GlobalProtect App Dynamic Configuration misses informaion for 'mfa-enabled'.

Show your appreciation!