05-17-2024 07:11 AM - edited 05-17-2024 08:31 AM
Looking for assistance on a GP setup. I want to have a pre-logon tunnel (certificate, always on) and a portal which uses SAML authentication. I also need the user to have to re-authenticate any time they disable, sign out, reboot, etc. The problem I'm running into is that, because the portal uses SAML auth, the portal communication during pre-logon fails and therefore the pre-logon tunnel doesn't start. I thought I should be able to set the Generate and Authenticate cookie options on the pre-logon portal agent configuration, but it's not working. I thought it would flow like this:
The portal auth by cookie after reboot is apparently not happening. PanGPS.log shows the messages "Unserialized empty cookie on portal..." and there are no attempts to connect to the portal in the FW Monitor log.
For my testing, I have my cookie lifetime set to 10 minutes. My reboots, logons, reboots are all occurring within 3 minutes.
PAN-OS 10.2.9-h1
GP 6.2.3
FYI, there are no certificate issues or anything like that. This is a modification of an existing setup where the pre-logon and portal use the machine certificate. I need to be able to have different portal agent configs for different groups of people, which means I need to know the user at the portal level so I can use AD groups. User certificates are not an option.