GlobalProtect Portals Agent Authentication Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Authentication to configure the authentication settings that apply to the agent configuration.
GlobalProtect Portal Client Authentication Configuration Settings
Enter a descriptive name for this configuration for client authentication.
(Optional) Select the source that distributes the client certificate to an endpoint, which then presents the certificate to the gateways. A client certificate is required if you are configuring mutual SSL authentication.
If SCEP is configured for pre-logon in the portal client configuration, the portal generates a machine certificate that is stored in the system certificate store for gateway authentication and connections.
To use a certificate that is Local to the firewall instead of a generated certificate from the PKI through SCEP, select a certificate that is already uploaded to the firewall.
If you use an internal CA to distribute certificates to endpoints, select None (default). When you select None, the portal does not push a certificate to the endpoint.
Save User Credentials
Select Yes to save the username and password on the app or select No to force the users to provide the password—either transparently via the endpoint or by manually entering one—each time they connect. Select Save Username Only to save only the username each time a user connects.
Don’t save user credentials: saved credentials make it easier for unauthorized users to gain access to sensitive resources and confidential information. Users should manually enter their credentials each time they connect to GlobalProtect.
Generate cookie for authentication override
Select this option to configure the portal to generate encrypted, endpoint-specific cookies. The portal sends this cookie to the endpoint after the user first authenticates with the portal.
Accept cookie for authentication override
Select this option to configure the portal to authenticate endpoints through a valid, encrypted cookie. When the endpoint presents a valid cookie, the portal verifies that the cookie was encrypted by the portal, decrypts the cookie, and then authenticates the user.
Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The ranges are 1–72 hours, 1–52 weeks, or 1–365 days. After the cookie expires, the user must enter login credentials and the portal subsequently encrypts a new cookie to send to the user endpoint.
Certificate to Encrypt/Decrypt Cookie
Select the certificate to use for encrypting and decrypting the cookie.
Ensure that the portal and gateways use the same certificate to encrypt and decrypt cookies. (Configure the certificate as part of a gateway client configuration. See Network > GlobalProtect > Gateways).
Components that Require Dynamic Passwords (Two-Factor Authentication)
To configure GlobalProtect to support dynamic passwords—such as one-time passwords (OTPs)—specify the portal or gateway types that require users to enter dynamic passwords. Where two-factor authentication is not enabled, GlobalProtect uses regular authentication with login credentials (such as AD) and a certificate.
When you enable a portal or a gateway type for two-factor authentication, that portal or gateway prompts the user after initial portal authentication to submit credentials and a second OTP (or other dynamic password).
However, if you also enable authentication override, an encrypted cookie authenticates the user (after the user is first authenticated for a new session) and thus preempts the requirement for the user to re-enter credentials. The user is transparently logged in whenever necessary for as long as the cookie is valid. You specify the lifetime of the cookie.
Select this option to use dynamic passwords to connect to the portal.
Internal gateways - all
Select this option to use dynamic passwords to connect to internal gateways.
External gateways -manual only
Select this option to use dynamic passwords to connect to external gateways that are configured as Manual gateways.
External gateways-auto discovery
Select this option to use dynamic passwords to connect to any remaining external gateways that the app can automatically discover (gateways which are not configured as Manual).
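The settings above interact: authentication override preempts the credential and OTP prompt for the cookie's lifetime, and cookies only work across portal and gateways when both use the same certificate. The following added example (not Palo Alto Networks code) audits a constructed agent configuration against the ranges and recommendations stated on this page; the dictionary keys, certificate names and gateway names are hypothetical and are not PAN-OS schema names.

```python
# Added example. Field names are hypothetical, not PAN-OS schema keys.
LIFETIME_RANGES = {"hours": (1, 72), "days": (1, 365), "weeks": (1, 52)}
HOURS_PER_UNIT = {"hours": 1, "days": 24, "weeks": 168}
TYPICAL_LIFETIME_HOURS = 24  # "typical lifetime" stated on this page

# Constructed sample input (not exported from a real firewall).
SAMPLE_PORTAL = {
    "save_user_credentials": "Yes",
    "generate_cookie": True,
    "accept_cookie": True,
    "cookie_lifetime": (30, "days"),
    "cookie_cert": "gp-cookie-cert",
    "otp_components": ["Portal", "External gateways-auto discovery"],
}
SAMPLE_GATEWAYS = [
    {"name": "gw-ext-1", "cookie_cert": "gp-cookie-cert"},
    {"name": "gw-ext-2", "cookie_cert": "other-cert"},
]

def audit_agent_auth(portal, gateways):
    """Return (check, detail) findings for one agent config and its gateways."""
    findings = []
    if portal["save_user_credentials"] == "Yes":
        findings.append(("save-credentials", "username and password are saved on the app"))
    if not (portal["generate_cookie"] or portal["accept_cookie"]):
        return findings  # remaining checks only apply to authentication override
    value, unit = portal["cookie_lifetime"]
    low, high = LIFETIME_RANGES.get(unit, (None, None))
    if low is None or not low <= value <= high:
        findings.append(("cookie-lifetime-range", f"{value} {unit} is not a valid lifetime"))
    else:
        hours = value * HOURS_PER_UNIT[unit]
        if hours > TYPICAL_LIFETIME_HOURS:
            findings.append(("cookie-lifetime-long", f"{hours} h exceeds the typical 24 h"))
    # Portal and gateways must share the certificate that encrypts/decrypts cookies.
    for gw in gateways:
        if gw["cookie_cert"] != portal["cookie_cert"]:
            findings.append(("cookie-cert-mismatch", f"{gw['name']} uses {gw['cookie_cert']}"))
    # A valid cookie preempts the credential and OTP prompt until it expires.
    if portal["accept_cookie"] and portal["otp_components"]:
        detail = "no OTP re-prompt while cookie is valid: " + ", ".join(portal["otp_components"])
        findings.append(("otp-preempted", detail))
    return findings

if __name__ == "__main__":
    for check, detail in audit_agent_auth(SAMPLE_PORTAL, SAMPLE_GATEWAYS):
        print(f"{check}: {detail}")
```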