How To Invalidate Previously Issued GlobalProtect Authentication Override Cookies
Objective
The steps in this document invalidate previously issued GlobalProtect Authentication Override cookies.
Environment
GlobalProtect Portal/Gateway
Prisma Access
Procedure
To invalidate previously issued GlobalProtect Authentication Override cookies, change the certificate used to encrypt/decrypt the Authentication Override cookie on GlobalProtect portals and gateways, using Panorama or the firewall admin console, as shown below:
Change Authentication Override Cookie Certificate On GlobalProtect Portal
If you are using Panorama to manage GlobalProtect, navigate to the template that you use for GlobalProtect. For Prisma Access, navigate to Mobile_User_Template. Then make the following changes:
1. Navigate to ‘Network >> Portals >> (Specific Portal Configuration) >> Agent >> (Specific Agent Configuration) >> Authentication’.
2. On the Authentication tab, under the ‘Authentication Override’ section, select the new certificate using the ‘Certificate to Encrypt/Decrypt Cookie’ dropdown.
3. Make sure the new certificate is selected, select ‘OK’, and commit the configuration.
4. If there are multiple agent configurations on the GlobalProtect portal, repeat steps 1 to 3 for each agent configuration.
Change Authentication Override Cookie Certificate On GlobalProtect Gateway
If you are using Panorama to manage GlobalProtect, navigate to the template that you use for GlobalProtect. For Prisma Access, navigate to Mobile_User_Template. Then make the following changes:
1. Navigate to ‘Network >> Gateways >> (Specific Gateway Configuration) >> Agent >> Client Settings >> (Specific Agent Configuration) >> Authentication Override’.
2. On the ‘Authentication Override’ tab, select the new certificate using the ‘Certificate to Encrypt/Decrypt Cookie’ dropdown.
3. Make sure the new certificate is selected, select ‘OK’, and commit the configuration.
4. If there are multiple agent configurations on the GlobalProtect gateway, repeat steps 1 to 3 for each agent configuration.
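Because every agent configuration on every portal and gateway has to be changed, a missed one keeps accepting cookies issued under the old certificate. The following check is an added example, not part of the original article or vendor tooling: it scans an exported configuration for every cookie certificate reference and lists the agent configurations that do not use the new certificate. The element name `cookie-encrypt-decrypt-cert`, the simplified sample layout, and the certificate and entry names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the export stores the cookie certificate name in an element
# called "cookie-encrypt-decrypt-cert"; confirm the tag in your own export.
COOKIE_CERT_TAG = "cookie-encrypt-decrypt-cert"

# Constructed, simplified sample (not a real export): one portal agent
# configuration was missed during the certificate change.
SAMPLE_CONFIG = """<config>
 <portal><entry name="gp-portal">
  <entry name="agent-corp"><authentication-override>
   <cookie-encrypt-decrypt-cert>cookie-cert-new</cookie-encrypt-decrypt-cert>
  </authentication-override></entry>
  <entry name="agent-contractors"><authentication-override>
   <cookie-encrypt-decrypt-cert>cookie-cert-old</cookie-encrypt-decrypt-cert>
  </authentication-override></entry>
 </entry></portal>
 <gateway><entry name="gp-gateway">
  <entry name="gw-agent-all"><authentication-override>
   <cookie-encrypt-decrypt-cert>cookie-cert-new</cookie-encrypt-decrypt-cert>
  </authentication-override></entry>
 </entry></gateway>
</config>"""


def find_cookie_certs(xml_text):
    """Return (entry-name path, certificate name) for each cookie cert element."""
    found = []

    def walk(node, trail):
        # Track enclosing <entry name="..."> elements so each hit is locatable.
        if node.tag == "entry" and node.get("name"):
            trail = trail + [node.get("name")]
        if node.tag == COOKIE_CERT_TAG:
            found.append(("/".join(trail), (node.text or "").strip()))
        for child in node:
            walk(child, trail)

    walk(ET.fromstring(xml_text), [])
    return found


def stale_configs(xml_text, new_cert):
    """Agent configurations whose cookie certificate is not the new one."""
    return [(p, c) for p, c in find_cookie_certs(xml_text) if c != new_cert]


if __name__ == "__main__":
    for path, cert in stale_configs(SAMPLE_CONFIG, "cookie-cert-new"):
        print(f"still using {cert!r}: {path}")
```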