GlobalProtect Portals Agent Authentication Tab

Select
Network
GlobalProtect
Portals
<GlobalProtect-portal-config>
Agent
<agent-config>
Authentication
to configure the authentication settings that apply to the agent configuration.
GlobalProtect Portal Client Authentication Configuration Settings
Description
Authentication Tab
Name
Enter a descriptive name for this configuration for client authentication.
Client Certificate
(
Optional
) Select the source that distributes the client certificate to a client, which then presents the certificate to the gateways. A client certificate is required if you are configuring mutual SSL authentication.
If SCEP is configured for pre-logon in the portal client configuration, the portal generates a machine certificate that is stored in the system certificate store for gateway authentication and connections.
To use a certificate that is
Local
to the firewall instead of a generated certificate from the PKI through
SCEP
, select a certificate that is already uploaded to the firewall.
If you use an internal CA to distribute certificates to clients, select
None
(default). When you select
None
, the portal does not push a certificate to the client.
Save User Credentials
Select
Yes
to save the username and password on the agent or select
No
to force the users to provide the password—either transparently via the client or by manually entering one—each time they connect. Select
Save Username Only
to save only the username each time a user connects.
Authentication Override
Generate cookie for authentication override
Select this option to configure the portal to generate encrypted, endpoint-specific cookies. The portal sends this cookie to the endpoint after the user first authenticates with the portal.
Accept cookie for authentication override
Select this option to configure the portal to authenticate clients through a valid, encrypted cookie. When the endpoint presents a valid cookie, the portal verifies that the cookie was encrypted by the portal, decrypts the cookie, and then authenticates the user.
Cookie Lifetime
Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The ranges are 1–72 hours, 1–52 weeks, or 1–365 days. After the cookie expires, the user must enter login credentials and the portal subsequently encrypts a new cookie to send to the user endpoint.
Certificate to Encrypt/Decrypt Cookie
Select the certificate to use for encrypting and decrypting the cookie.
Ensure that the portal and gateways use the same certificate to encrypt and decrypt cookies. (Configure the certificate as part of a gateway client configuration. See Network > GlobalProtect > Gateways).
Components that Require Dynamic Passwords (Two-Factor Authentication)
To configure GlobalProtect to support dynamic passwords—such as one-time passwords (OTPs)—specify the portal or gateway types that require users to enter dynamic passwords. Where two-factor authentication is not enabled, GlobalProtect uses regular authentication using login credentials (such as AD) and a certificate.
When you enable a portal or a gateway type for two-factor authentication, that portal or gateway prompts the user after initial portal authentication to submit credentials and a second OTP (or other dynamic password).
However, if you also enable authentication override, an encrypted cookie is used to authenticate the user (after the user is first authenticated for a new session) and, thus, preempts the requirement for the user to re-enter credentials (as long as the cookie is valid). Therefore, the user is transparently logged in whenever necessary as long as the cookie is valid. You specify the lifetime of the cookie.
Portal
Select this option to use dynamic passwords to connect to the portal.
Internal gateways - all
Select this option to use dynamic passwords to connect to internal gateways.
External gateways -manual only
Select this option to use dynamic passwords to connect to external gateways that are configured as
Manual
gateways.
External gateways-auto discovery
Select this option to use dynamic passwords to connect to any remaining external gateways that the agent can automatically discover (gateways which are not configured as
Manual
).

Related Documentation