Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Global Protect DUO users receiving two push notifications

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect DUO users receiving two push notifications

L1 Bithead

Hi, i wonder if anyone can help! We have a customer who reported that ever since they have upgraded the firewalls to 10.1.12 a few weeks ago, users are receiving two DUO push notifications. The config was set with Authentication Override on the Portal (Generate cookie for authentication override - checked, Accept cookie for authentication override - checked) and everything worked for fine for years. 

 

Global Protect client on version 6.0.7

The tunnel type is IPSEC

 

The timeouts are configured as described in this link: 

>> https://help.duo.com/s/article/2054?language=en_US

 

The config was altered last week as described in this link:

>> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY

 

However, before this I had the Portal and Gateway config set up as in the screenshots, with the override cookie for the Portal, and no override for the Gateway. This way they would only receive a single 2FA request for the gateway.

 

A few weeks after upgrading this firewall, the customer also upgraded their other firewall at their other site to the same PAN-OS. After this upgrade, users connecting to this firewall also started to receive multiple prompts.

 

As far as I can tell, there is no known or addressed issue or article for this issue in Knowledge Base.

Thank you for coming up with some ideas.

7 REPLIES 7

Cyber Elite
Cyber Elite

Generally portal needs to generate cookie and gateway needs to accept cookie (unless you want everyone with credentials to get access to portal and be able to establish VPN only after 2FA while connecting to gateway).

 

From your explanation it seems that you are missing override on the gateway "with the override cookie for the Portal, and no override for the Gateway".

 

Under "Monitor > Logs > GlobalProtect" look at "AUTH METHOD" and "ERROR" columns for "portal-auth" and "gateway-auth" events.

Do you see Cookie being used for gateway?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

We believe it's been configured correctly now (as per How to have only one push prompt in Global Protect DUO MFA with... - Knowledge Base - Palo Alto Netw...) - see screenshots - can you comment please?

Cookie has not been used since April 30 - when customer altered the config as shown above.  Customer has increased the timeout, but even when he was getting people to test within this 24hr timeframe, they were still getting two notifications.

Cyber Elite
Cyber Elite

image007 shows "accept cookie" setting in gateway config unchecked.

image002_2 on the other hand shows it checked.

 

So which config is it?

 

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

image002_2 shows the portal config - should this be amended?

 

 

We had a ticket open for a similar issue.  This was their response...

 

The issue has been reported internally and this is Fixed in 10.1.14, 10.1.13-h1, Currently, 10.1.13-h1 is released.

The Portal generates a cookie and the Gateway accepts the cookie No cookie is sent back to the client in the portal get config although the cookie generation GP log is generated.

Thank you all for your contribution. Our customer will do a PAN-OS upgrade to 10.1.13-h1 as soon as it becomes the Preferred version. Currently 10.1.13-h1 status is "New".

Do you have a bug number for this? Having a similar issue on 11.1 version of software.

  • 2661 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!