Export the Authentication Override Cookie for Connecting to an On-Premises NGFW Gateway (Coexistence Tenant)

Table of Contents

Configure a Certificate to Decrypt the Authentication Override Cookie (Panorama Managed NGFW)

Push the Prisma Access Agent Configuration

Export the Authentication Override Cookie for Connecting to an On-Premises NGFW Gateway (Coexistence Tenant)

For the Prisma Access Agent to connect to an NGFW on-premises gateway, export the authentication override cookie from Strata Cloud Manager and import it to Panorama.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Panorama or Strata Cloud Manager)	Prisma Access 5.1 Preferred or Innovation Prisma Access license with the Mobile User subscription Prisma Access Agent version: 25.1.0.14

In a deployment that uses the authentication override certificate on a coexistence-enabled tenant, for the Prisma Access Agent to use an on-premises NFGW gateway as an external gateway, you need to export the Prisma Access Agent authentication override cookie (certificate) from Strata Cloud Manager and import it to Panorama.

Export the authentication override certificate from Strata Cloud Manager.
1. In Strata Cloud Manager, select ConfigurationNGFW and Prisma AccessConfiguration ScopeAccess AgentSetupPrisma Access Agent.
2. Edit the Global Agent Settings.
3. In the Authentication Override section, note the name of the Certificate to Encrypt/Decrypt cookie and Cancel out of the Global Agent Settings.
  
  In the example below, the authentication override certificate is called custom-cookie-cert.
4. Select ConfigurationNGFW and Prisma AccessConfiguration ScopeAccess AgentObjectsCertificate Management.
5. Select the check box for the custom certificate that matches the one used in the Authentication Override settings and Export Certificate. In our example, select custom-cookie-cert.
6. Select the Encrypted Private Key and Certificate (PKCS12) format.
7. Enter a Passphrase for the certificate and Confirm Passphrase.
8. Save the export settings. The certificate is downloaded to your computer.
Import the authentication override certificate to Panorama.
1. Log in to Panorama as the administrator and click Panorama.
2. Select DeviceCertificate ManagementCertificatesDevice Certificates.
3. Click Import Certificate.
4. Enter the Certificate Name for the authentication override certificate that you exported from Strata Cloud Manager.
  
  In our example, the certificate name is custom-cookie-cert.
5. Browse to the location where you downloaded the certificate. Select the certificate and click Open to upload it.
  
  The certificate filename must begin with a letter or number, and can have alphanumeric characters, spaces, commas, dashes, and underscores. If the filename has other characters, rename it to include only the valid characters and upload the file again.
6. Ensure that the file format is Encrypted Private Key and Certificate (PKCS12).
7. Enter the same Passphrase that you used for the authentication override certificate that you imported and Confirm Passphrase.
8. Click OK and wait for the certificate to upload.
Configure the external gateway that you want the Prisma Access Agent to access with the authentication override certificate.
1. In Panorama, select NetworkGlobalProtectGateways.
2. Select the gateway for which you want to configure the authentication override.
3. Select AgentClient Settings<gateway configuration>.
4. Select Authentication Override, and in Certificate to Encrypt/Decrypt Cookie, select the certificate that you uploaded to Panorama.
5. Click OK to save the configuration and then click OK to save the GlobalProtect gateway configuration settings.
6. Commit and push your configuration by selecting CommitCommit and Push.
7. Click Commit and Push.