GlobalProtect Portals Agent Authentication Tab
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device Setup Ace
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
GlobalProtect Portals Agent Authentication Tab
- NetworkGlobalProtectPortals<portal-config>Agent<agent-config>Authentication
Select the Authentication tab to configure
the authentication settings that apply to the agent configuration.
GlobalProtect Portal
Client Authentication Configuration Settings | Description |
|---|---|
Authentication Tab | |
Name | Enter a descriptive name for this configuration
for client authentication. |
Client Certificate | (Optional) Select the source that distributes
the client certificate to an endpoint, which then presents the certificate
to the gateways. A client certificate is required if you are configuring
mutual SSL authentication. If you include a client certificate
in the portal configuration for mobile devices, you can only use
client certificate authentication in the gateway configuration because
the client certificate passphrase is saved in the portal configuration.
Additionally, the client certificate can only be used after the
certificate is retrieved from the portal configuration. If
SCEP is configured for pre-logon in the portal client configuration,
the portal generates a machine certificate that is stored in the
system certificate store for gateway authentication and connections. To
use a certificate that is Local to the firewall
instead of a generated certificate from the PKI through SCEP,
select a certificate that is already uploaded to the firewall. If
you use an internal CA to distribute certificates to endpoints,
select None (default). When you select None,
the portal does not push a certificate to the endpoint. |
Save User Credentials | Select Yes to save
the username and password on the app or select No to
force the users to provide the password—either transparently via
the endpoint or by manually entering one—each time they connect.
Select Save Username Only to save only the
username each time a user connects. Select Only with
User Fingerprint to allow biometric sign-in. When biometric
sign-on is enabled on an endpoint, GlobalProtect uses the saved
user credentials when a finger-print scan matches a trusted finger-print
template on the endpoint. Don’t save
user credentials because it makes it easier for unauthorized users
to gain access to sensitive resources and confidential information. Users
should manually enter their credentials each time they connect to
GlobalProtect. |
Authentication
Override | |
Generate cookie for authentication override | Select this option to configure the portal
to generate encrypted, endpoint-specific cookies. The portal sends
this cookie to the endpoint after the user first authenticates with
the portal. |
Accept cookie for authentication override | Select this option to configure the portal
to authenticate endpoints through a valid, encrypted cookie. When
the endpoint presents a valid cookie, the portal verifies that the
cookie was encrypted by the portal, decrypts the cookie, and then
authenticates the user. |
Cookie Lifetime | Specify the hours, days, or weeks that the
cookie is valid. The typical lifetime is 24 hours. The ranges are
1–72 hours, 1–52 weeks, or 1–365 days. After the cookie expires,
the user must enter login credentials and the portal subsequently
encrypts a new cookie to send to the user endpoint. |
Certificate to Encrypt/Decrypt Cookie | Select the certificate to use for encrypting
and decrypting the cookie. Ensure that the portal and
gateways use the same certificate to encrypt and decrypt cookies. (Configure
the certificate as part of a gateway client configuration. See Network
> GlobalProtect > Gateways). |
Components that Require Dynamic
Passwords (Two-Factor Authentication) | |
To configure GlobalProtect
to support dynamic passwords—such as one-time passwords (OTPs)—specify
the portal or gateway types that require users to enter dynamic
passwords. Where two-factor authentication is not enabled, GlobalProtect
uses regular authentication using login credentials (such as AD)
and a certificate. When you enable a portal or a gateway type
for two-factor authentication, that portal or gateway prompts the
user after initial portal authentication to submit credentials and
a second OTP (or other dynamic password). However, if you
also enable authentication override, an encrypted cookie is used
to authenticate the user (after the user is first authenticated
for a new session) and, thus, preempts the requirement for the user
to re-enter credentials (as long as the cookie is valid). Therefore,
the user is transparently logged in whenever necessary as long as
the cookie is valid. You specify the lifetime of the cookie. | |
Portal | Select this option to use dynamic passwords
to connect to the portal. |
Internal gateways - all | Select this option to use dynamic passwords
to connect to internal gateways. |
External gateways - manual only | Select this option to use dynamic passwords
to connect to external gateways that are configured as Manual gateways. |
External gateways-auto discovery | Select this option to use dynamic passwords
to connect to any remaining external gateways that the app can automatically
discover (gateways which are not configured as Manual). |