How To Invalidate Previously Issued GlobalProtect Authentication Override Cookies

To invalidate previously issued GlobalProtect Authentication Override Cookies, please change the Certificate used to encrypt/decrypt the Authentication Override cookie on GlobalProtect Portals and Gateways using Panorama or Firewall Admin Console as shown below:

Change Authentication Override Cookie Certificate On GlobalProtect Portal

If you are using Panorama to manage GlobalProtect, navigate to the template that you use for GlobalProtect, for Prisma Access, navigate to Mobile_User_Template and make the following changes:

1. Navigate to ‘Network >> Portals  >> (Specific Portal Configuration) >> Agent >> (Specific Agent Configuration) >> Authentication’

2. On Authentication tab, under ‘Authentication Override’ section select the new certificate using ‘Certificate to Encrypt/Decrypt Cookie’ dropdown:

3. Make sure new certificate is selected and select ‘OK’ and commit the configuration 

4. If there are multiple agent configurations on the GlobalProtect portal then repeat the steps 1 to 3 for each agent configuration.

Change Authentication Override Cookie Certificate On GlobalProtect Gateway

If you are using Panorama to manage GlobalProtect, navigate to the template that you use for GlobalProtect, for Prisma Access, navigate to Mobile_User_Template and make the following changes:

1. Navigate to ‘Network >> Gateways >> (Specific Gateway Configuration) >> Agent >> Client Settings >> (Specific Agent Configuration) >> Authentication Override’.

2. On ‘Authentication Override’ tab select the new certificate using ‘Certificate to Encrypt/Decrypt Cookie’ dropdown:

3. Make sure new certificate is selected and select ‘OK’ and commit the configuration

 

4. If there are multiple agent configurations on the GlobalProtect gateway then repeat the steps 1 to 3 for each agent configuration.