Testing non-http mfa feature with GP


L3 Networker

Hi there.


Documentation is rather slim here. I've set up MFA for web site access, and it works. When testing it for non-http, accessing an SSH server, it kills the SSH connections, but there is no 2FA challenge on my GP.


What am I doing wrong? What's needed?


I've done this: "Set Enable Inbound Authentication Prompts from MFA Gateways to Yes"




Nothing on port 4501 in the logs. No pop-up on the GP client.


Community Team Member

Hi @gtomte,


I haven't played with that myself but here are a few things you could check:


When GP receives the UDP notification message from firewall with the Captive Portal URL link in it, GP compares this URL with the configured IP/FQDNs in the Trusted MFA Gateways list.  GP will drop the message if the URL doesn’t match this list.  So check if it matches.


Is UDP 4501 open on your client?


Can you confirm if the firewall is sending out the UDP MFA notification messages?

This should be visible in the global counters:



> show counter global filter delta yes | match mfa

appid_mfa_gp_notification 1 0 info appid pktproc notification message sent to GP client for MFA


On the GP client side you can check the GP Service client logs and GP Agent client logs (with debug level) for more details on how the GP client is handling this (if received).


Cheers !


LIVEcommunity team member, CISSP
Don't forget to hit that Like button if a post is helpful to you!
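
An offline way to run the first check from the reply above (added example, not part of the thread and not GlobalProtect's own code): it compares the host and port of a Captive Portal URL against a Trusted MFA Gateways list. The entry format (`host` or `host:port`), the literal comparison without DNS resolution, the function names and all sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

def _normalize_host(host):
    """Lower-case FQDNs and canonicalise IP literals so equal values compare equal."""
    host = host.strip().strip("[]").rstrip(".").lower()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host  # not an IP literal, treat as FQDN

def _parse_entry(entry):
    """Split an assumed 'host' or 'host:port' list entry into (host, port or None)."""
    parts = urlsplit("//" + entry.strip())
    return _normalize_host(parts.hostname or ""), parts.port

def check_portal_url(url, trusted_entries):
    """Return (matched, reason) for a Captive Portal URL against the trusted list."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "not an http(s) URL with a host"
    host = _normalize_host(parts.hostname)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    host_listed = False
    for entry in trusted_entries:
        e_host, e_port = _parse_entry(entry)
        if e_host != host:
            continue
        if e_port is None or e_port == port:
            return True, f"matches entry {entry!r}"
        host_listed = True  # right host, wrong port
    if host_listed:
        return False, f"host {host} is listed, but not with port {port}"
    # An FQDN in the URL never matches an IP-only entry (and vice versa) here,
    # because nothing is resolved: a mismatch worth ruling out first.
    return False, f"host {host} is not in the list (no DNS resolution attempted)"

if __name__ == "__main__":
    # Constructed sample data: documentation-range IP and example.com names.
    trusted = ["192.0.2.10:6082", "fw.example.com"]
    for url in ("https://192.0.2.10:6082/constructed/path",
                "https://FW.Example.com:6082/constructed/path",
                "https://portal.example.com:6082/constructed/path",
                "https://192.0.2.10/constructed/path"):
        print(url, "->", check_portal_url(url, trusted))
```

Feed it the URL seen in the GP debug logs or a packet capture together with the list exactly as configured in the portal agent settings.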

Hi @kiwi


I have tested this feature using SSH and my GP did prompt me to authenticate. However, after successful MFA authentication, the SSH client (using PuTTY) will get a timeout error. When I try to trigger the SSH session again, I get another notification for MFA authentication. Despite successful MFA authentication, I never get to access my server via SSH.


If I am using RDP, the RDP session immediately gets terminated with the following error but I still get an MFA authentication notice on GP. Seems like RDP and SSH are unable to hold the session while waiting for the MFA authentication to complete. MFA for http service is working fine. Any idea what is wrong here?


Hi, were you able to get this working?

L4 Transporter

I am having the same issue, I believe. I have 8.1.3 and 4.0.7 GP and 4.1.5 GP clients, all the same. If I packet capture I do see a UDP packet received on the client over port 4501 as configured. However, the source IP address appears to be the IP address of the protected resource, not of the trusted MFA Gateway.


I had this all working many, many months ago and during the Beta of 8.0. I refreshed my MFA token, knowing it was expired, and then found it no longer works to prompt via GlobalProtect.


Everything is working just fine if it is a web site protected resource and use the standard man-in-the-middle style response page method.
