GlobalProtect Client fails to connect to GlobalProtect Gateway during Pre-Logon when Multiple Portals feature is enabled in Prisma Access
2885
Created On 01/23/24 01:16 AM - Last Modified 04/05/24 07:34 AM
Symptom
When the following conditions are met, GlobalProtect Client fails to connect to GlobalProtect Gateway during pre-logon.
- Multiple Portals feature is enabled in Prisma Access
- GlobalProtect Client 6.1 or later
- GlobalProtect Client is freshly installed with pre-logon enabled
- User's PC is restarted after installing the GlobalProtect Client and before the user logs into GlobalProtect.
Environment
Prisma Access
GlobalProtect Client 6.1 or later
Cause
The Multiple Portals feature highly relies on the authentication override cookie.
Authentication override cookie is required in Multiple Portals setup. Without a valid cookie, GlobalProtect Gateway login fails, and thus GlobalProtect client tries to re-authenticate with GlobalProtect Portal again to get the cookie.
Thus, the GlobalProtect Client needs to have a valid cookie during the authentication in advance in order for the pre-logon to work.
The cookie will be generated when the authentication succeeds with the user login based on the authentication profile.
It other words, the user authentication based on the authentication profile should succeed in advance before the first pre-logon.
In case of the below sequence, a valid cookie for user pre-logon will not be created. So the GlobalProtect Gateway authentication during pre-logon fails.
1. Install GlobalProtect Client with pre-logon enabled
2. Reboot the PC without user logging into GlobalProtect (thus, no cookie generated)
3. As a result, GlobalProtect Client fails to connect to GlobalProtect Gateway during pre-logon
When this happens, the following logs appear in PanGPS.log.
(P6100-T8108)Debug(2576): 12/06/23 17:24:34:367 Unserialized empty cookie for portal xxxxxxxx.gpcloudservice.com:8443 and pre-logon user. (P6100-T8108)Debug(4111): 12/06/23 17:24:34:367 Auth cookie does not exist. Fall back to portal
Resolution
The user needs to login to GlobalProtect after installing GlobalProtect Client.
A valid cookie will be generated upon the successful user login and the cookie authentication for the GlobalProtect Gateway will succeed during pre-logon.