Yes, the cookie for authentication bypass is signed by a certificate on the PA. You can find the options to generate and/or accept a cookie for authentication to the Portal and Gateway under:

Network -> GlobalProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> Authentication

Network -> GlobalProtect -> Gateways -> <gateway_config> -> Agent -> Client Settings -> <agent_config> -> Authentication Override

When the cookie is generated by the Portal or Gateway it is signed using a certificate with a private key on the PA (either a self-signed CA or a certificate signed by your CA infrastructure) and handed to the GlobalProtect client. The client then presents the bypass cookie back to the Portal/Gateway the next time it logs in. If the cookie signature is valid then the PA allows the connection without the normal authentication steps. If you need to allow cookie authentication bypass on multiple Gateways you simply copy the signing certificate across the PAs so all have the same copy.

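A constructed model of the flow this answer describes, added here as an example; it is not PAN-OS code and does not reproduce the real GlobalProtect cookie format. It uses the `openssl` CLI to show that a cookie issued by one gateway validates on a second gateway holding a copy of the same signing certificate, and is rejected by a gateway with a different one. The names `gw1`, `gw2`, `gw3`, the helper functions and the `payload.signature` layout are assumptions.

```bash
#!/usr/bin/env bash
# Constructed illustration only: gateway names, helpers and cookie layout are hypothetical.
set -u
WORK=$(mktemp -d)

# new_signing_cert NAME: self-signed certificate and private key standing in
# for the cookie-signing certificate held on one firewall.
new_signing_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cookie NAME PAYLOAD: prints "base64(payload).base64(signature)".
issue_cookie() {
  sig=$(printf '%s' "$2" | openssl dgst -sha256 -sign "$WORK/$1.key" | openssl base64 -A)
  printf '%s.%s' "$(printf '%s' "$2" | openssl base64 -A)" "$sig"
}

# verify_cookie NAME COOKIE: returns 0 only when the signature verifies
# against the public key of NAME's certificate.
verify_cookie() {
  payload=${2%%.*}; sig=${2#*.}
  openssl x509 -in "$WORK/$1.crt" -pubkey -noout > "$WORK/$1.pub" 2>/dev/null || return 1
  printf '%s' "$sig" | openssl base64 -d -A > "$WORK/sig.bin" 2>/dev/null || return 1
  printf '%s' "$payload" | openssl base64 -d -A \
    | openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

new_signing_cert gw1
# gw2 receives a copy of gw1's signing certificate and key, as the answer describes.
cp "$WORK/gw1.key" "$WORK/gw2.key"; cp "$WORK/gw1.crt" "$WORK/gw2.crt"
# gw3 has its own, unrelated certificate.
new_signing_cert gw3

# Constructed sample payload; a real cookie carries whatever the firewall puts in it.
COOKIE=$(issue_cookie gw1 'user=alice;host=laptop-01')

for gw in gw1 gw2 gw3; do
  if verify_cookie "$gw" "$COOKIE"; then
    echo "$gw: signature valid, normal authentication skipped"
  else
    echo "$gw: signature invalid, normal authentication required"
  fi
done
```

Because any firewall holding the private key can issue cookies that every other holder accepts, the copied key deserves the same protection on each device.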