GlobalProtect is not getting the configuration when user authenticates to the portal successfully
25686
Created On 04/15/21 14:02 PM - Last Modified 04/19/24 20:43 PM
Objective
Steps to troubleshoot and solve the issue when the users fail to get the configuration when they successfully authenticate to the portal.
Environment
- Palo Alto firewalls
- PAN-OS 9.1 or 10.1: appweb3 ssl-vpn process
- PAN-OS 10.2: gpsvc process
- GlobalProtect Portal with Authentication profile
- Group mapping settings with attributes defined under User and Group Attributes
Procedure
From FW Web UI:
- Verify the GlobalProtect authentication setting
- From Network > GlobalProtect > Portal > Authentication, check the authentication profile that is set. This article uses SAML authentication as the example, because it commonly returns the username in email format (user@domain)
- From Network > GlobalProtect > Portal > Agent > <portal-config-name> > Config Selection Criteria > User/User Group, check the group added to the tab
- From Device > User Identification > Group Mapping Settings > <group-mapping-setting-name> > User and Group Attributes, check the user attribute for the Primary Username field
From FW CLI:
- Troubleshooting
- To find out why the user-to-group match failed, enable the following debugs and have the user reconnect to GlobalProtect:
For PAN-OS 10.1 or lower code:
> debug ssl-vpn global on debug
> debug ssl-vpn global show
From PAN-OS 10.2, GlobalProtect logs for specific users can be collected on the server side by enabling trace logging that matches a specific portal, gateway, username, or source IP address:
> debug gp-broker gpsvc trace global-log debug
> debug gp-broker gpsvc trace show
- After the user fails to get the configuration, turn off the debugs with the following commands:
> debug ssl-vpn global on info
> debug ssl-vpn global show
To disable the trace log matching a specific portal, gateway, username, or source IP address:
> debug gp-broker gpsvc trace global-log normal
> debug gp-broker gpsvc trace show
- Verify which username is learned through the authentication profile and whether it is normalized by the sslvpn process. The username formats that the sslvpn process accepts as-is are a bare username or domain\username. In this case the learned username is user1@plano.local, so it is normalized to plano.local\user1, and this normalized format is what is matched against the group added to the GlobalProtect Portal Agent configuration
> less mp-log appweb3-sslvpn.log
......
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1651): getting client config...
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1271): user(user1@plano.local) clientos(Mac) is_gp(yes) domain() csc_support(yes)
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:762): query useridd for user attrs and groups: vsys_id (1); user (user1@plano.local; domain ();
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:784): query useridd for users: out user attr (plano.local\user1);
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:784): query useridd for users: out user attr (user1@plano.local);
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:790): query useridd for users: 2 out user attrs;
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:805): query useridd for groups: out group (cn=IT Test GP Portal Agent User,ou=groups,dc=domain,dc=com);
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:805): query useridd for groups: out group (cn=IT Test Server User,ou=groups,dc=domain,dc=com);
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:805): query useridd for groups: out group (useridd-groupsready);
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:811): query useridd for groups: 2 out groups;
debug: globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:822): no 'uemail' object found for user user1@plano.local
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1308): found user group cn=IT Test GP Portal Agent User,ou=groups,dc=domain,dc=com
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1308): found user group cn=IT Test Server User,ou=groups,dc=domain,dc=com
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1308): found user group useridd-groupsready
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1110): found user attr plano.local\user1
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:482): no config found for plano.local\user1
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1110): found user attr user1@plano.local
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:482): no config found for user1@plano.local
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1122): found user group cn=IT Test GP Portal Agent User,ou=groups,dc=domain,dc=com
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:482): no config found for cn=IT Test GP Portal Agent User,ou=groups,dc=domain,dc=com
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1122): found user group cn=IT Test Server User,ou=groups,dc=domain,dc=com
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:482): no config found for cn=IT Test Server User,ou=groups,dc=domain,dc=com
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1122): found user group useridd-groupsready
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:482): no config found for useridd-groupsready
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:480): config found for any
.....
- On PAN-OS 10.2, verify the trace debug logs that match the specific portal, gateway, username, or source IP address:
> less mp-log gpsvc.log
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:11.964637139-05:00","message":"NewHttpTask: task for gp-getconfig(POST) request begin..."}
....
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.056795472-05:00","message":"PAN_AUTH_SUCCESS"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.056814621-05:00","message":"GetPortalConfig: args: &{ServerAddr:172.16.0.2 User:user1@plano.local Domain:(empty_domain) ClientOs:Windows
SerialNo:VMware-42 0c a7 dd 09 a1 f3 4f-ef 67 cd a2 ea 9e e1 8d PeerSerialNo: SkipCc:false DomainInAuthProf: DomainInCertProf: CscSupport:true CscData: NeedSatConfig:false NeedClientlessConfig:false}"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.056832155-05:00","message":"GetPortalConfig: domain list []"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.056843384-05:00","message":"GetUsernamesAndUsergroups: vsys (vsys1); user (user1@plano.local); domain ()"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057289012-05:00","message":"GetUsernamesAndUsergroups: response &{Email: UserAttrs:[plano.local\\user1] Groups:[] GroupReady:true}"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057311237-05:00","message":"cc lookup, user/group match result is [ ]"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057321415-05:00","message":"cc lookup: os lookup result [ ]"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057589396-05:00","message":"cc lookup: serial num lookup result [ ]"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057608182-05:00","message":"cc lookup: cscSupport:true, cscData:, checkCsc:false"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057618655-05:00","message":"cc lookup: skip csc match, result is [ ]"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057627626-05:00","message":"cc lookup: selected cc with idx 2147483647"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057636027-05:00","message":"GetPortalConfig: no client config found for domain "}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057658069-05:00","message":"GetPortalConfig: no client config found for &{ServerAddr:172.16.0.2 User:user1@plano.local Domain:(empty_domain) ClientOs:Windows
SerialNo:VMware-42 0c a7 dd 09 a1 f3 4f-ef 67 cd a2 ea 9e e1 8d PeerSerialNo: SkipCc:false DomainInAuthProf: DomainInCertProf: CscSupport:true CscData: NeedSatConfig:false NeedClientlessConfig:false}, portal Portal-Sec"}
{"level":"error","task":"4-5","time":"2023-10-09T17:37:12.057692452-05:00","message":"gpGetconfig: Failed to get portal config"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057705736-05:00","message":"SendGpLog: eventId 4"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057755467-05:00","message":"AddTelemetryCounter api is called for key portal-Portal-Sec, field error-getconfig-fail"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.058287124-05:00","message":"saveHeader: session info: &{ID:5358d6c1-67ab-44a4-8a62-6450f84cd0e2 Values:map[] Options:0xc00dda74c0 IsNew:true store:0xc0009b8e40 name:SESSID}"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.058347675-05:00","message":"RunHttp: task for gp-getconfig is completed"}
- Since the match failed in this case, check the username format of the user in the user group, and then verify whether the normalized username seen in appweb3-sslvpn.log is part of the user-attributes output:
> show user group name "IT Test GP Portal Agent User" | match us\user1
[12] us\user1
> show user user-attributes user us\user1
Primary: us\user1 Email: user1.palo@plano.local
Alt User Names:
1) plano.local\user1.paloalto
2) user1.paloalto@plano.local
- The normalized username format (plano.local\user1) is not part of the user-attributes output, so the match failed
- Configure the SAML IdP to send a different username attribute, one that provides a username matching the formats present in the user-attributes command output.
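The check in the steps above can be reproduced offline. The following Python script is an added example, not part of this article or of PAN-OS; it applies the normalization rule described above (user@domain becomes domain\user, bare usernames and domain\user pass unchanged) to a constructed gpsvc.log excerpt modelled on the one shown, then compares the resulting candidate names against a constructed copy of the show user user-attributes output. The regular expressions and the sample lines are assumptions made for the example; the real log format is whatever your firewall writes.

```python
import json
import re

# Constructed gpsvc.log excerpt modelled on the article's sample (not from a live device).
# Inside the JSON the backslash is escaped, so the raw string keeps the two characters.
SAMPLE_GPSVC_LOG = r"""
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.056795472-05:00","message":"PAN_AUTH_SUCCESS"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.056843384-05:00","message":"GetUsernamesAndUsergroups: vsys (vsys1); user (user1@plano.local); domain ()"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057289012-05:00","message":"GetUsernamesAndUsergroups: response &{Email: UserAttrs:[plano.local\\user1] Groups:[] GroupReady:true}"}
{"level":"debug","task":"4-5","time":"2023-10-09T17:37:12.057311237-05:00","message":"cc lookup, user/group match result is [ ]"}
{"level":"error","task":"4-5","time":"2023-10-09T17:37:12.057692452-05:00","message":"gpGetconfig: Failed to get portal config"}
"""

# Constructed "show user user-attributes" output modelled on the article's sample.
SAMPLE_USER_ATTRIBUTES = r"""Primary: us\user1 Email: user1.palo@plano.local
Alt User Names:
1) plano.local\user1.paloalto
2) user1.paloalto@plano.local
"""


def normalize_username(user: str) -> str:
    """Apply the normalization the article describes.

    domain\\user and bare usernames are accepted as-is; user@domain is
    rewritten to domain\\user before the group match is attempted.
    """
    if "\\" in user:
        return user
    if "@" in user:
        local, _, domain = user.partition("@")
        return f"{domain}\\{local}"
    return user


def extract_getconfig_facts(log_text: str) -> dict:
    """Pull the fields relevant to a config-selection failure out of gpsvc.log lines."""
    facts = {"auth_success": False, "user": None, "user_attrs": [],
             "groups": [], "match_result": None, "getconfig_failed": False}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        msg = json.loads(line)["message"]
        if msg == "PAN_AUTH_SUCCESS":
            facts["auth_success"] = True
        m = re.search(r"GetUsernamesAndUsergroups: vsys \([^)]+\); user \(([^)]*)\)", msg)
        if m:
            facts["user"] = m.group(1)
        m = re.search(r"UserAttrs:\[([^\]]*)\] Groups:\[([^\]]*)\]", msg)
        if m:
            facts["user_attrs"] = m.group(1).split()
            facts["groups"] = m.group(2).split()
        m = re.search(r"user/group match result is \[(.*)\]", msg)
        if m:
            facts["match_result"] = m.group(1).strip()
        if "Failed to get portal config" in msg:
            facts["getconfig_failed"] = True
    return facts


def parse_user_attributes(text: str) -> set:
    """Collect the primary and alternate usernames from user-attributes output."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Primary:\s+(\S+)", line)
        if m:
            names.add(m.group(1))
            continue
        m = re.match(r"\d+\)\s+(\S+)", line)
        if m:
            names.add(m.group(1))
    return names


def diagnose(log_text: str, user_attr_text: str) -> dict:
    """Report whether any name the firewall tried is one User-ID knows for the user."""
    facts = extract_getconfig_facts(log_text)
    known = parse_user_attributes(user_attr_text)
    candidates = set(facts["user_attrs"])
    normalized = normalize_username(facts["user"]) if facts["user"] else None
    if normalized:
        candidates.add(normalized)
    matched = sorted(candidates & known)
    return {
        "normalized": normalized,
        "candidates": sorted(candidates),
        "known": sorted(known),
        "matched": matched,
        # Authentication succeeded but config selection failed and no name lined up.
        "match_failed": facts["auth_success"] and facts["getconfig_failed"] and not matched,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_GPSVC_LOG, SAMPLE_USER_ATTRIBUTES)
    print(f"normalized username tried: {result['normalized']}")
    print(f"names User-ID knows:       {result['known']}")
    print(f"overlap:                   {result['matched'] or 'none'}")
    if result["match_failed"]:
        print("-> the IdP username attribute does not match any User-ID username format")
```

Run against the constructed input, the script shows that the only name the firewall tried, plano.local\user1, is neither the primary username (us\user1) nor one of the alternate names, which is exactly the mismatch the article resolves by changing the SAML username attribute. Feed it a copy of your own gpsvc.log lines and user-attributes output to see which side of the comparison needs to change.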
Additional Information
The same steps can be followed when the GlobalProtect app fails to get the configuration after the user authenticates to the gateway successfully.