"You are not authorized to connect to GlobalProtect Portal"


L3 Networker

Hello Everyone,

I had global-protect working perfectly.  Two days ago however something happened (not sure what caused the problem) and I'm unable to connect to GP anymore.  I always get the error: "You are not authorized to connect to GlobalProtect Portal". The weird thing is that in the system logs there are no error messages relating to GP, I actually get an "auth-success" event for every attempted login where I'm presented with "You are not authorized to connect to GlobalProtect Portal"!

I'm using a local user, followed the same instructions I used to get it working the first time, (here: https://blog.fuelusergroup.org/how-to-set-up-globalprotect-on-a-palo-alto-firewall-2) and to the best of my recollection I haven't changed anything relating to GP functionality, but nothing gets me beyond that error message!  I'm pulling my hair out because it was not hard to get this working the first time, and why I should be getting this error now is incredibly confusing!

Any help you can provide would be much appreciated!  Thanks!!

18 REPLIES

L3 Networker

And if you don't mind, one more question.  (see screenshot below)

Is it best practice to check all of these boxes on the cert profile for the GP and GP Client certs?  Or are there any that could break the system if left checked?

Thanks!

Screen Shot 2021-06-02 at 4.42.04 AM.png

Hi @RSteffens 

Do you use a local CA on the firewall which signed your client certificate? Actually it doesn't even matter if an internal corporate or firewall CA is used. Depending on the configuration, all of these four checkboxes on the right side of the screenshot could break/prevent a successful connection. In your case (one GP user and also one firewall admin) I wouldn't check these four. But if you'd like to activate these too, go for it 😉 but as I mentioned, maybe you need to adjust some settings with the existing CA certificate used.

OK Thanks!  Yes I use a local firewall CA.  I'll just experiment then.  Again, thank you very much!

In this case you don't need to install these certificates on the client - especially with only one user. This option is intended to be used in cases where you use a public cert for the portal and a self-signed cert for the gateway. In this situation the self-signed CA is required so that the clients trust the gateway cert. Another use case is if you configured TLS decryption, where a CA cert is also required on the client in order to avoid certificate warnings in the browsers.
