PAN OS 10.1 中的 GlobalProtect Cookie 身份验证

PAN OS 10.1 中的 GlobalProtect Cookie 身份验证

4822
Created On 04/27/22 04:15 AM - Last Modified 03/11/25 20:22 PM


Environment


  • Palo Alto 防火墙
  • PAN-OS 10.1 及更高版本
  • GlobalProtect (GP) 应用程序
  • 门户/网关上的 Cookie 身份验证

Resolution


To better improve the user experience while using the GlobalProtect App, you can enable cookie authentication on either the Portal and/or Gateway to reduce the amount of times a user must authenticate. You can complete this by performing the following steps:
  1. 在 GP 门户上启用 cookie 身份验证
    1. 导航到网络 > GlobalProtect > 门户 > [选择门户] > 代理 > [选择适当的配置] > 身份验证 > 身份验证覆盖
    2. 选中生成和接受选项的复选框
    3. 指定 cookie 的有效期(以分钟、小时或天为单位)以及用于加密/解密的相应证书,然后选择两次“OK”
Snapshot displaying the authentication override dialog box within the Palo Alto Networks Portal GUI
  1. 在 GP 网关上启用 cookie 身份验证
    1. 导航到网络 > GlobalProtect > 网关 > [选择网关] > 代理 > 客户端设置 > [选择适当的配置] > 身份验证覆盖
    2. 选中接受选项旁边的复选框(它已在门户上生成,因此这里不需要)
    3. 指定 cookie 的有效期(以分钟、小时或天为单位)以及步骤 1c 中的相同证书,然后选择“OK”两次
Snapshot displaying the authentication override dialog box within the Palo Alto Networks Gateway GUI
  1. 提交更改
Note: In this example, we set the lifetime to 5 minutes to present the snippet of sslvpn or gpsvc process logs.

Afterwards, we can verify the cookie is successfully generated and used for authentication on the firewall by using the following methods:
  1. 检查防火墙GUI 中的监视器日志
    1. 导航到监控 > 日志 > GlobalProtect
    2. 您可以使用类似于下映像所示的过滤参数轻松隔离日志(例如门户/网关名称和用户名)
Snapshot displaying the GlobalProtect logs within the Palo Alto Networks firewall GUI.
  1. 在 GP 门户/网关上生成技术支持文件
注意:为了查看完整的 cookie 创建过程,必须在身份验证之前启用其他调试(rasmgr、sslvpn [10.1]、gpsvc [10.2 及更高版本])
  1. 从设备 > 支持 > 技术支持文件下载技术支持文件后,展开文件夹并导航到var/log/pan目录
  2. 您应该会看到在成功通过门户身份验证后生成的 cookie,然后用于网关身份验证,类似于下面显示的 cookie:
  • appweb3-sslvpn.log较少 mp-log appweb3-sslvpn.log
门户登录 -
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1668): found client config!
debug: panGlobalProtectLogin(panPhpGlobalProtect.c:4318): panGlobalProtectLogin: pan_generate_portal_user_auth_cookie
debug: pan_gp_rsa_gen_app_auth_cookie(pan_gp_cfg.c:2560): un-encrypted auth cookie localuser2;;Windows;20090e21-2afb-408b-98ce-a3d39b2ac20c;1651024558;192.168.150.100, user=localuser2, remote_addr=192.168.150.100
debug: pan_generate_portal_user_auth_cookie(panPhpGlobalProtect.c:2369): generate portal user auth cookie successful
debug: panGlobalProtectLogin(panPhpGlobalProtect.c:4407): loginStatus=1; no pwd_expiry_msg
debug: panGlobalProtectLogin(panPhpGlobalProtect.c:4443): panGlobalProtectLogin: set domain=(empty_domain) from EMPTYDOMAIN
debug: panGlobalProtectLogin(panPhpGlobalProtect.c:4487): user(localuser2) gen_prelogon_cookie(yes) prelogon_exist(no) gen_cookie(yes) has_prelogon_cookie(no)
debug: panGlobalProtectLogin(panPhpGlobalProtect.c:4552): panGlobalProtectLogin: cleanup
debug: panGlobalProtectLogin(panPhpGlobalProtect.c:4554): return portal user auth cookie(p6Wu9gz8Vt******lB7ofFNw==)
debug: panGlobalProtectLogin(panPhpGlobalProtect.c:4592): login ret string sent to the client is : Success
debug: panGlobalProtectLogin(panPhpGlobalProtect.c:4610): login response sent to the client is : Success
网关登录 -
debug: panSslVpnLogin(panPhpSslVpn.c:2319): panSslVpnLogin: Begin... user=localuser2, empty passwd=no, empty new passwd=yes, input=, hostid=.....
<><><><><><><><><><>
debug: pan_gp_rsa_dec_app_auth_cookie(pan_gp_cfg.c:2699): decrypt auth cookie localuser2;;Windows;20090e21-2afb-408b-98ce-a3d39b2ac20c;1651024558;192.168.150.100
debug: pan_gp_rsa_dec_app_auth_cookie(pan_gp_cfg.c:2761): curtime(1651024558) cookietime(1651024558) end=0
debug: pan_gp_rsa_dec_app_auth_cookie(pan_gp_cfg.c:2771): remote_addr(192.168.150.100) ret_remote_addr(0-6496a8c0ffff0000)
debug: panSslVpnLogin(panPhpSslVpn.c:2807): gateway user auth cookie decrypt successful
debug: panSslVpnLogin(panPhpSslVpn.c:2972): clientaddr=192.168.150.100, cookie ip=192.168.150.100; source ip check enable 0, netmask v4 32 v6 128
<><><><><><><><><><>
debug: panSslVpnLogin(panPhpSslVpn.c:3693): Cookie valid : Getting the framed ip
debug: panSslVpnLogin(panPhpSslVpn.c:3878): User localuser2 authResult = 1 cookie_valid(yes)
debug: panSslVpnLogin(panPhpSslVpn.c:4082): Valid cookie, skipping user authentication
  • gpsvc.log (少 mp-log gpsvc.log )
门户登录 -
{"level":"debug","task":"1770-5","time":"2024-07-19T12:34:25.758824212-05:00","message":"NewHttpTask: task for gp-getconfig(POST) request begin..."}
<><><><><><><><><><>
{"level":"debug","task":"1770-5","time":"2024-07-19T12:34:26.807403111-05:00","message":"HandlePortalAuthOverrideCookie: gen-cookie(yes)"}
{"level":"debug","task":"1770-5","time":"2024-07-19T12:34:26.821376872-05:00","message":"GenerateAuthCookie: cleartext localuser2;[domain-name];Windows;d64830af-791e-4f75-b28b-11a0819f46cd;1721410466;192.168.150.100, authCookieStr fCWJT1dBuLZvcsBAgOqwrho60vxT0U+Zv..."}
<><><><><><><><><><>
{"level":"debug","task":"1770-5","time":"2024-07-19T12:34:26.826875761-05:00","message":"RunHttp: task for gp-getconfig is completed"}
网关登录 -
{"level":"debug","task":"1772-19","time":"2024-07-19T12:34:30.788277584-05:00","message":"NewHttpTask: task for gw-login(POST) request begin..."}
<><><><><><><><><><>
{"level":"debug","task":"1772-19","time":"2024-07-19T12:34:30.803233694-05:00","message":"DecryptAuthCookie: auth cookie after decryption: localuser2;[domain-name];Windows;d64830af-791e-4f75-b28b-11a0819f46cd;1721410466;192.168.150.100"}
{"level":"debug","task":"1772-19","time":"2024-07-19T12:34:30.803383847-05:00","message":"AuthWithCookie: set domain=[domain-name] from auth override cookie"}
{"level":"debug","task":"1772-19","time":"2024-07-19T12:34:30.803416778-05:00","message":"AuthWithCookie: set user=localuser2 from auth override cookie"}
<><><><><><><><><><>
{"level":"debug","task":"1772-19","time":"2024-07-19T12:34:30.80681415-05:00","message":"HandleGWAuthOverrideCookie: gen-cookie(no)"}
{"level":"debug","task":"1772-19","time":"2024-07-19T12:34:30.807099047-05:00","message":"gwLogin: PAN_AUTH_SUCCESS"}
<><><><><><><><><><>
{"level":"debug","task":"1772-19","time":"2024-07-19T12:34:30.809681398-05:00","message":"RunHttp: task for gw-login is completed"}
  1. 导航到rasmgr.log应该会显示用于身份验证的 cookie,类似于下面显示的日志:
rasmgr.log较少 mp-log rasmgr.log
debug: sslvpn_set_pub_ip(src/rasmgr_sslvpn.c:1499): GP Client conn type is ipv4 (0), pub_ip 192.168.150.100, pub_ip6 0:0:0:0:0:0:0:0, rep_pub_ip 192.168.150.100, rep_pub_ip6 0:0:0:0:0:0:0:0
debug: _print_client_requests(src/rasmgr_sslvpn.c:157): (login) gw login (1651024558722, 2022-04-26 18:55:58.722, 192.168.150.100); getconfig (0, , ::); sslvpnconnrect (0, , ::)
new cookie:  ******
rasmgr_sslvpn_client_register space globalprotect-gw-N domain  user localuser2 computer 6347E0B5-3379-4 result 0

Additional Information


门户或网关上的 Cookie 身份验证
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OLHCA2&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language