05-07-2024 07:11 AM
Hi, i wonder if anyone can help! We have a customer who reported that ever since they have upgraded the firewalls to 10.1.12 a few weeks ago, users are receiving two DUO push notifications. The config was set with Authentication Override on the Portal (Generate cookie for authentication override - checked, Accept cookie for authentication override - checked) and everything worked for fine for years.
Global Protect client on version 6.0.7
The tunnel type is IPSEC
The timeouts are configured as described in this link:
>> https://help.duo.com/s/article/2054?language=en_US
The config was altered last week as described in this link:
>> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY
However, before this I had the Portal and Gateway config set up as in the screenshots, with the override cookie for the Portal, and no override for the Gateway. This way they would only receive a single 2FA request for the gateway.
A few weeks after upgrading this firewall, the customer also upgraded their other firewall at their other site to the same PAN-OS. After this upgrade, users connecting to this firewall also started to receive multiple prompts.
As far as I can tell, there is no known or addressed issue or article for this issue in Knowledge Base.
Thank you for coming up with some ideas.
05-07-2024 07:41 AM - edited 05-07-2024 07:42 AM
Generally portal needs to generate cookie and gateway needs to accept cookie (unless you want everyone with credentials to get access to portal and be able to establish VPN only after 2FA while connecting to gateway).
From your explanation it seems that you are missing override on the gateway "with the override cookie for the Portal, and no override for the Gateway".
Under "Monitor > Logs > GlobalProtect" look at "AUTH METHOD" and "ERROR" columns for "portal-auth" and "gateway-auth" events.
Do you see Cookie being used for gateway?
05-07-2024 09:12 AM
We believe it's been configured correctly now (as per How to have only one push prompt in Global Protect DUO MFA with... - Knowledge Base - Palo Alto Netw...) - see screenshots - can you comment please?
Cookie has not been used since April 30 - when customer altered the config as shown above. Customer has increased the timeout, but even when he was getting people to test within this 24hr timeframe, they were still getting two notifications.
05-07-2024 09:37 AM
image007 shows "accept cookie" setting in gateway config unchecked.
image002_2 on the other hand shows it checked.
So which config is it?
05-09-2024 01:16 AM
image002_2 shows the portal config - should this be amended?
05-09-2024 10:32 AM
We had a ticket open for a similar issue. This was their response...
The issue has been reported internally and this is Fixed in 10.1.14, 10.1.13-h1, Currently, 10.1.13-h1 is released.
The Portal generates a cookie and the Gateway accepts the cookie No cookie is sent back to the client in the portal get config although the cookie generation GP log is generated.
05-10-2024 04:37 AM
Thank you all for your contribution. Our customer will do a PAN-OS upgrade to 10.1.13-h1 as soon as it becomes the Preferred version. Currently 10.1.13-h1 status is "New".
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
