06-27-2024 02:04 PM
Hello,
I'm trying to understand the difference between 'Generate cookie for authentication override' and 'Accept cookie for authentication override' on both portals and gateways. I went through all the official guides but still can't seem to understand. Suppose we have MFA set up for both the portal and the gateway. Every time someone tries to connect to GP, there will be two MFA prompts. The guide says I need to tick the first box on the portal and the second box on the gateway. But what cookie lifetime should we use? Should we set it to around 2 minutes so the first MFA will be valid for the next two minutes, and within this time, the gateway authentication will succeed?
Here is the guide - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LvbCAE&lang=en_US%E2%80%A...
The screenshot shows 24 hours for the gateway cookie lifetime; what does that mean? TIA
06-27-2024 04:07 PM
Hi @vsurresh ,
An authentication cookie is created on your device - very similar to the browser authentication cookie used for this community. Sometimes you have to enter your username and password, and sometimes the browser detects the cookie and you log in without being prompted for credentials.
Setting the portal to generate the cookie means that it will require username/password/MFA every time. Setting the gateway to accept the cookie means that after the portal generates it, the user can login to the gateway without being prompted. (On a side note, even without MFA the portal caches the username and password and forwards it to the gateway.) If the portal only generates the cookie, the lifetime is not as critical. Two minutes probably should be fine. If the portal and gateway both accepted the cookie, the user could connect/disconnect/connect again within the lifetime and not have to enter credentials or use MFA.
It is also good to know that some IdPs such as Entra use their own authentication cookies where you do not have to set those options on the portal or gateway.
Thanks,
Tom
06-29-2024 01:00 PM
Thank you for the response.
"Setting the gateway to accept the cookie means that after the portal generates it, the user can login to the gateway without being prompted."
Here, am I right in thinking that, when we set the lifetime to 2 minutes on the gateway, if the cookie the portal generated is older than 2 minutes, for example, then the gateway doesn't accept it? TIA
06-30-2024 02:35 PM
Hi @vsurresh ,
That is correct. I can't think of any scenario where the GP client would take longer than 2 minutes after authenticating in the portal to authenticate to the gateway. You can also set it higher if you are concerned.
Thanks,
Tom
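The two settings and the lifetime question from this thread can be seen more concretely with a small simulation. This is an added example, not code from the original thread or from Palo Alto Networks; it models the portal and gateway as objects with a 'generate' and an 'accept' flag, stamps the configured lifetime into the cookie on the side that generates it, and counts which components prompt the user for credentials plus MFA. The component names, the `connect()` helper and the simulated clock are assumptions of the model, not GlobalProtect internals.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthCookie:
    """Authentication override cookie as modelled here (constructed, not the real format)."""
    user: str
    issued_at: float    # simulated clock, seconds
    lifetime_s: float   # lifetime configured on the component that generated it

    def is_valid(self, now: float) -> bool:
        return 0 <= now - self.issued_at <= self.lifetime_s


@dataclass
class Component:
    """A portal or gateway with the two 'authentication override' checkboxes."""
    name: str                             # "portal" or "gateway"
    generate_cookie: bool                 # 'Generate cookie for authentication override'
    accept_cookie: bool                   # 'Accept cookie for authentication override'
    cookie_lifetime_s: float = 24 * 3600  # only used when this component generates

    def authenticate(self, user: str, cookie: Optional[AuthCookie],
                     now: float, prompts: List[str]) -> Optional[AuthCookie]:
        # A valid cookie for this user skips the credential/MFA prompt only if
        # this component is configured to accept cookies.
        if self.accept_cookie and cookie is not None \
                and cookie.user == user and cookie.is_valid(now):
            return cookie
        prompts.append(self.name)  # username/password/MFA prompt happens here
        if self.generate_cookie:
            return AuthCookie(user, now, self.cookie_lifetime_s)
        return cookie


def connect(portal: Component, gateway: Component, user: str,
            cookie: Optional[AuthCookie], portal_time: float,
            gateway_delay_s: float) -> Tuple[Optional[AuthCookie], List[str]]:
    """One GP connection: portal login, then gateway login a little later."""
    prompts: List[str] = []
    cookie = portal.authenticate(user, cookie, portal_time, prompts)
    cookie = gateway.authenticate(user, cookie, portal_time + gateway_delay_s, prompts)
    return cookie, prompts


def scenario_generate_then_accept(gateway_delay_s: float) -> List[str]:
    """Portal generates (2 min lifetime), gateway accepts: the setup from the guide."""
    portal = Component("portal", generate_cookie=True, accept_cookie=False,
                       cookie_lifetime_s=120)
    gateway = Component("gateway", generate_cookie=False, accept_cookie=True)
    _, prompts = connect(portal, gateway, "alice", None, 0.0, gateway_delay_s)
    return prompts


def scenario_both_accept(reconnect_after_s: float) -> Tuple[List[str], List[str]]:
    """Both generate and accept: reconnecting inside the lifetime needs no prompt at all."""
    portal = Component("portal", True, True, cookie_lifetime_s=120)
    gateway = Component("gateway", True, True, cookie_lifetime_s=120)
    cookie, first = connect(portal, gateway, "alice", None, 0.0, 5.0)
    _, second = connect(portal, gateway, "alice", cookie, reconnect_after_s, 5.0)
    return first, second


if __name__ == "__main__":
    print("gateway 5 s after portal:   ", scenario_generate_then_accept(5.0))
    print("gateway 3 min after portal: ", scenario_generate_then_accept(180.0))
    print("both accept, reconnect 60 s:", scenario_both_accept(60.0))
    print("both accept, reconnect 5 min:", scenario_both_accept(300.0))
```

With the guide's configuration the gateway reuses the portal's cookie when it authenticates a few seconds later, so there is a single prompt; if the gateway login happened more than two minutes after the portal login, the cookie would be expired and a second prompt would appear. When both sides accept cookies, a disconnect and reconnect within the lifetime produces no prompt on either component, which is the trade-off Tom describes and the reason the lifetime matters more in that configuration.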