Captive portal detected by GlobalProtect but connection fails with error "ERR_NETWORK_ACCESS_DENIED"
Created On 10/15/21 08:21 AM - Last Modified 01/14/23 04:36 AM
Symptom
- The GlobalProtect client detects the captive portal but fails to connect with the error "ERR_NETWORK_ACCESS_DENIED".
- The browser pop-up for captive portal authentication is not displayed for the user.
- Enforce GlobalProtect for Network Access is enabled.
- The connect method is Pre-logon and the pre-logon tunnel rename timeout is configured.
- This applies to scenarios where the user is on a public wireless network (for example, at an airport) and needs to authenticate with the local captive portal to get internet access.
Environment
- GlobalProtect client with Prisma Access on a Windows client.
- GlobalProtect client with Palo Alto Strata NGFW on a Windows client.
- Enforce GlobalProtect for Network Access is enabled.
Cause
- This issue is caused by the Pre-Logon Tunnel Rename Timeout being set to a non-zero positive value.
- If the Pre-Logon Tunnel Rename Timeout value is customised, it influences the Captive Portal Exception Timeout value as well.
- If the Captive Portal Exception Timeout (sec) value is set to 0, the client does not have enough time to complete the authentication process during the tunnel rename.
- The captive portal and its authentication prompt depend on the value of the Captive Portal Exception Timeout.
Resolution
- The Captive Portal Exception Timeout (sec) needs to be a non-zero value in this scenario.
- The recommended value is equal to the pre-logon tunnel rename timeout.
Additional Information
- The GlobalProtect logs in debug mode do not indicate anything specific about the captive portal being blocked by the enforcer.
- The logs below indicate a network problem where the GlobalProtect client is unable to resolve the captive portal server name:
Debug(5328): 09/29/21 06:05:41:548 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
Info ( 482): 09/29/21 06:05:41:548 pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
Error( 87): 09/29/21 06:05:41:548 pan_captive_portal_detection() failed to resolve captive portal server:service (www.msftconnecttest.com:80)
Debug(5328): 09/29/21 06:05:41:548 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
Debug(5513): 09/29/21 06:05:41:548 CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
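
A triage helper for the log pattern above, as an added example (not Palo Alto Networks code): it groups GlobalProtect debug-log lines by timestamp and flags instants where a captive portal probe host failed to resolve while detection reported no portal. The sample input is the excerpt quoted in this article; the function name, regexes and Winsock code table are this example's own.

```python
import re
from collections import defaultdict

# Log excerpt quoted in this article (GlobalProtect debug log, Windows client).
SAMPLE_LOG = """\
Debug(5328): 09/29/21 06:05:41:548 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
Info ( 482): 09/29/21 06:05:41:548 pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
Error( 87): 09/29/21 06:05:41:548 pan_captive_portal_detection() failed to resolve captive portal server:service (www.msftconnecttest.com:80)
Debug(5328): 09/29/21 06:05:41:548 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
Debug(5513): 09/29/21 06:05:41:548 CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
"""

# Line layout: Level(src): MM/DD/YY HH:MM:SS:mmm message (level and src may be space-padded).
LINE_RE = re.compile(r"^(?P<level>\w+)\s*\(\s*(?P<src>\d+)\):\s+"
                     r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+(?P<msg>.*)$")
DNS_ERR_RE = re.compile(r"getaddrinfo failed with error code \((\d+)\)")
RESOLVE_RE = re.compile(r"failed to resolve captive portal server:service \(([^:()]+):(\d+)\)")
NOT_DETECTED_RE = re.compile(r"captive portal is not detected|Didn't detect captive portal")
# Winsock name-resolution error codes that getaddrinfo can return on Windows.
WINSOCK = {11001: "WSAHOST_NOT_FOUND", 11002: "WSATRY_AGAIN",
           11003: "WSANO_RECOVERY", 11004: "WSANO_DATA"}


def triage(log_text):
    """Return one finding per timestamp where a captive portal probe host failed
    to resolve and detection reported no portal in the same instant."""
    by_ts = defaultdict(lambda: {"codes": [], "probes": [], "not_detected": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected layout
        rec, msg = by_ts[m["ts"]], m["msg"]
        if (d := DNS_ERR_RE.search(msg)):
            rec["codes"].append(int(d.group(1)))
        if (r := RESOLVE_RE.search(msg)):
            rec["probes"].append((r.group(1), int(r.group(2))))
        if NOT_DETECTED_RE.search(msg):
            rec["not_detected"] += 1
    return [{"timestamp": ts,
             "probe": rec["probes"][0],
             "dns_errors": [WINSOCK.get(c, str(c)) for c in rec["codes"]],
             "not_detected_lines": rec["not_detected"]}
            for ts, rec in by_ts.items()
            if rec["probes"] and rec["not_detected"]]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding matches the signature this article associates with the issue; because the log does not name the enforcer, follow it up by comparing the Captive Portal Exception Timeout with the pre-logon tunnel rename timeout in the configuration.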