Global Protect two MFA prompts for Portal and Gateway


L1 Bithead

Hello,

I'm trying to understand the difference between 'Generate cookie for authentication override' and 'Accept cookie for authentication override' on both portals and gateways. I went through all the official guides but still can't seem to understand. Suppose we have MFA set up for both the portal and the gateway. Every time someone tries to connect to GP, there will be two MFA prompts. The guide says I need to tick the first box on the portal and the second box on the gateway. But what cookie lifetime should we use? Should we set it to around 2 minutes so the first MFA will be valid for the next two minutes, and within this time, the gateway authentication will succeed?

Here is the guide - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LvbCAE&lang=en_US%E2%80%A...

The screenshot shows 24 hours for the gateway cookie lifetime; what does that mean? TIA


Accepted Solutions

Cyber Elite

Hi @vsurresh ,

An authentication cookie is created on your device - very similar to the browser authentication cookie used for this community. Sometimes you have to enter your username and password, and sometimes the browser detects the cookie and you log in without being prompted for credentials.

Setting the portal to generate the cookie means that it will require username/password/MFA every time. Setting the gateway to accept the cookie means that after the portal generates it, the user can log in to the gateway without being prompted. (On a side note, even without MFA the portal caches the username and password and forwards it to the gateway.) If the portal only generates the cookie, the lifetime is not as critical. Two minutes probably should be fine. If the portal and gateway both accepted the cookie, the user could connect/disconnect/connect again within the lifetime and not have to enter credentials or use MFA.

It is also good to know that some IdPs such as Entra use their own authentication cookies where you do not have to set those options on the portal or gateway.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.


3 REPLIES


Thank you for the response.

"Setting the gateway to accept the cookie means that after the portal generates it, the user can login to the gateway without being prompted."

Here, am I right in thinking that when we set the lifetime to 2 minutes on the gateway, if the cookie the portal generated is more than 2 minutes old, for example, then the gateway doesn't accept it? TIA

Cyber Elite

Hi @vsurresh ,

That is correct.  I can't think of any scenario where the GP client would take longer than 2 minutes after authenticating in the portal to authenticate to the gateway.  You can also set it higher if you are concerned.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
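The accepted answer and the follow-up about the 2-minute lifetime describe a small state machine: the portal generates a cookie after a full credential/MFA login, the gateway accepts that cookie while it is still within its lifetime, and if both endpoints accept the cookie a reconnect inside the lifetime needs no prompt at all. The model below is an added illustration, not PAN-OS code from Palo Alto Networks or from this thread. The `Endpoint`, `Cookie` and `Client` names, the `gateway_delay` parameter and the clock values are all constructed for the example; it counts how many MFA prompts a user sees under the guide's recommended configuration (portal generates, gateway accepts), under a both-accept configuration, and when the gateway sees the cookie only after it has expired.

```python
"""Model of GlobalProtect authentication-override cookies (illustration only).

Assumption: an endpoint that accepts a still-valid cookie skips the
credential/MFA prompt; an endpoint that generates a cookie issues a fresh
one after every prompt. Clock values are seconds on a constructed clock.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    user: str
    issued_at: float   # constructed clock, seconds
    lifetime: float    # seconds

    def valid_at(self, now: float) -> bool:
        """A cookie is accepted only until its lifetime has elapsed."""
        return now - self.issued_at <= self.lifetime


@dataclass
class Endpoint:
    """A portal or gateway with the two authentication-override checkboxes."""
    name: str
    generate_cookie: bool   # 'Generate cookie for authentication override'
    accept_cookie: bool     # 'Accept cookie for authentication override'
    lifetime: float         # cookie lifetime used when generating

    def authenticate(self, user: str, cookie: Optional[Cookie],
                     now: float, prompts: List[str]) -> Optional[Cookie]:
        # A valid cookie for this user, on an endpoint that accepts cookies,
        # replaces the username/password/MFA prompt entirely.
        if (self.accept_cookie and cookie is not None
                and cookie.user == user and cookie.valid_at(now)):
            return cookie
        prompts.append(self.name)       # record a credential + MFA prompt
        if self.generate_cookie:        # portal hands a new cookie to the client
            return Cookie(user, now, self.lifetime)
        return cookie                   # nothing new issued; keep whatever we had


class Client:
    """The GlobalProtect client: authenticates to the portal, then a gateway."""

    def __init__(self, user: str, portal: Endpoint, gateway: Endpoint) -> None:
        self.user, self.portal, self.gateway = user, portal, gateway
        self.cookie: Optional[Cookie] = None

    def connect(self, now: float, gateway_delay: float = 0.0) -> List[str]:
        """One connection attempt; returns the endpoints that prompted for MFA.

        gateway_delay models the time between portal login and gateway login.
        """
        prompts: List[str] = []
        self.cookie = self.portal.authenticate(self.user, self.cookie, now, prompts)
        self.cookie = self.gateway.authenticate(
            self.user, self.cookie, now + gateway_delay, prompts)
        return prompts


def guide_config(lifetime: float = 120.0) -> Client:
    """Guide's recommendation: portal generates only, gateway accepts only."""
    portal = Endpoint("portal", generate_cookie=True, accept_cookie=False, lifetime=lifetime)
    gateway = Endpoint("gateway", generate_cookie=False, accept_cookie=True, lifetime=lifetime)
    return Client("alice", portal, gateway)


def both_accept_config(lifetime: float = 24 * 3600.0) -> Client:
    """Portal generates and accepts, gateway accepts: reconnects skip MFA."""
    portal = Endpoint("portal", generate_cookie=True, accept_cookie=True, lifetime=lifetime)
    gateway = Endpoint("gateway", generate_cookie=False, accept_cookie=True, lifetime=lifetime)
    return Client("alice", portal, gateway)


def run_scenarios() -> dict:
    """Return the MFA prompts seen in each scenario, keyed by scenario name."""
    results = {}
    c = guide_config(120.0)
    results["guide_first_connect"] = c.connect(now=0)      # portal prompts, gateway silent
    results["guide_reconnect_60s"] = c.connect(now=60)     # portal prompts again: it never accepts
    # Gateway login 3 minutes after the portal login: the 2-minute cookie has expired.
    results["guide_slow_gateway"] = c.connect(now=1000, gateway_delay=180)
    c = both_accept_config()
    results["both_first_connect"] = c.connect(now=0)
    results["both_reconnect_60s"] = c.connect(now=60)      # no prompt at all within the lifetime
    return results


if __name__ == "__main__":
    for name, prompts in run_scenarios().items():
        print(f"{name:22s} MFA prompts: {len(prompts)} {prompts}")
```

The `both_reconnect_60s` scenario is the exposure Tom points out: with a long lifetime and both endpoints accepting, anyone who can reuse the cached cookie on that device reconnects with no credentials and no MFA until it expires, which is why a short lifetime only matters once acceptance is enabled somewhere.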