GlobalProtect bypasses authentication to the portal/gateway
Created On 05/12/21 14:01 PM - Last Modified 04/23/24 03:20 AM
Symptom
- Case #1: GlobalProtect Portal is unreachable or the connection times out; authentication to the portal is bypassed and the user is directed to the gateway to authenticate.
- Case #2: GlobalProtect Portal is unreachable or the connection times out; authentication to both the portal and the gateway is bypassed.
Environment
- GlobalProtect Portal/Gateway
- All PAN-OS Versions
Resolution
Case #1: This is expected behavior. If the portal connection times out or the portal is unreachable, the GlobalProtect agent attempts to retrieve the cached portal configuration on the client machine, and so directs the user to the gateway without authenticating to the portal. For more details, see the article on Cached Portal Configuration.
Case #2: As stated in case #1, if the portal connection times out or the portal is unreachable, the GlobalProtect agent uses the cached portal configuration. If the gateway accepts cookies for authentication and the cookie has not yet expired, authentication to the gateway succeeds without user engagement. For more details, see the article on How to generate cookies on the GlobalProtect portal and use cookies for gateway authentication.
Additional Information
Additional reasons why users may appear to bypass authentication:
- Save User Credentials may be set to 'Yes', in which case the user's last-used credentials are cached and automatically populated in the GlobalProtect client. See Save User Credentials (Knowledge Base).
- SSO may be enabled, which can automatically populate the user credentials using their system login. See Single Sign-On (paloaltonetworks.com).
- If SAML is used, the IdP itself may provide the user with a session cookie. If this is presented to the IdP, the user will still be authenticated but will not be prompted for credentials and may not even see this transaction. If the user is authenticated in this way, SAML authentication success logs will still show under Monitor > GlobalProtect. Session timers are configured on the IdP side.