11-21-2018 08:40 AM
Happy Thanksgiving all,
I just updated from 8.0.12 to 8.1.4 on 11/20. I was able to connect to GlobalProtect from the time I upgraded until about 6 hours later. I now get the error "You are not authorized to connect to GlobalProtect Portal". Initially, I thought this may be licensing, but it is not system wide. It currently only affects myself and one other user. Looking at the PanGP Agent logs, I find the Agent is not updating the portal configuration. On the Firewall itself, I see an Auth success event, followed immediately by an Auth Failure event in the portal. No changes have been made on the firewall or my computer.
I have an open case with Palo, but it hasn't been resolved as of yet.
Any help is greatly appreciated.
Snippet of log:
<response>
<type>portal</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error>You are not authorized to connect to GlobalProtect Portal.</error>
<product-version>4.1.4-13</product-version>
<product-code>"{6364C46E-8960-4FCC-A5A6-0BDDB3253850}"</product-code>
<portal-status>No portal configuration</portal-status>
<user-name>ebrookman</user-name>
<username-type>sso</username-type>
<state>Disconnected</state>
<check-version>no</check-version>
<portal>vpn.***********.org</portal>
<mdm-is-enabled>no</mdm-is-enabled>
</response>
11-21-2018 09:27 AM
Can you attach the configuration of the actual Portal, preferably as XML if you have it available? During updates the spacing sometimes gets screwed up and causes things to stop functioning.
11-30-2018 12:53 PM
I ran across this not that long ago and because I was using an AD group I had to add it under User-Id/Group Mapping Settings. Once I did that I stopped getting the error. Not sure if that is your case.
01-09-2019 01:20 PM
That is exactly what the problem was.
Thanks,
Eric
03-17-2020 08:18 AM
I had this similar issue and engaged TAC but couldn't find any definitive root cause as to why this issue popped up after we upgraded from 7.1 to 8.1. The following two steps resolved the issue for us.
1. Remove User Domain from Group Mapping
2. Removed AD Group in Portal > Agent > User/User Group
Root cause is still under investigation, but I suspect this has something to do with the way the firewall had normalized usernames (Group Mapping) in the previous OS.
If the Primary Username is in User Principal Name (UPN) format, it will not be normalized in the domain\username format as in previous versions. For example, if the Primary Username is received in the UPN format, it will be displayed as username@domain, not domain\username.
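An added triage example, not part of any post in this thread and not Palo Alto Networks code: it parses a PanGP portal response like the one in the original question and reports when the logged username is in a different format (UPN vs. domain\username) from the group entries it is expected to match. The sample response, the group member list, the function names, and the use of an exact case-insensitive comparison are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the PanGP response in the thread (placeholder values).
SAMPLE_RESPONSE = """<response>
<type>portal</type>
<status>Disconnected</status>
<error>You are not authorized to connect to GlobalProtect Portal.</error>
<portal-status>No portal configuration</portal-status>
<user-name>jdoe@example.org</user-name>
<username-type>sso</username-type>
</response>"""

# Constructed group members, written in the older domain\username form.
GROUP_MEMBERS = ["example\\jdoe", "example\\asmith"]


def username_format(name):
    """Classify a username as 'upn', 'downlevel' (domain\\user) or 'bare'."""
    if "\\" in name:
        return "downlevel"
    if "@" in name:
        return "upn"
    return "bare"


def short_name(name):
    """Strip the domain part, whichever format carries it."""
    if "\\" in name:
        return name.split("\\", 1)[1].lower()
    return name.split("@", 1)[0].lower()


def triage(response_xml, group_members):
    """Summarise a portal response and list group entries that differ only in format."""
    root = ET.fromstring(response_xml)
    user = (root.findtext("user-name") or "").strip()
    result = {
        "user": user,
        "user_format": username_format(user),
        "no_portal_config": root.findtext("portal-status") == "No portal configuration",
        # Assumption for illustration: matching is an exact, case-insensitive comparison.
        "exact_match": user.lower() in (m.lower() for m in group_members),
    }
    # Same account name, different format: the mismatch suspected in the thread.
    result["format_mismatch"] = [
        m for m in group_members
        if short_name(m) == short_name(user) and username_format(m) != result["user_format"]
    ]
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE, GROUP_MEMBERS))
```

A non-empty `format_mismatch` alongside `exact_match` being false points at the username format, rather than licensing or credentials, as the place to look.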