03-06-2023 09:34 AM
Yes, the cookie for authentication bypass is signed by a certificate on the PA. You can find the options to generate and/or accept a cookie for authentication to the Portal and Gateway under:
Network -> GlobalProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> Authentication
Network -> GlobalProtect -> Gateways -> <gateway_config> -> Agent -> Client Settings -> <agent_config> -> Authentication Override
When the cookie is generated by the Portal or Gateway, it is signed using a certificate with a private key on the PA (either a self-signed CA or a certificate signed by your CA infrastructure) and handed to the GlobalProtect client. The client then presents the bypass cookie back to the Portal/Gateway the next time it logs in. If the cookie signature is valid, then the PA allows the connection without the normal authentication steps. If you need to allow cookie authentication bypass on multiple Gateways, you simply copy the signing certificate across the PAs so all have the same copy.