What is X-Auth support in PAN firewalls and how to troubleshoot it?
- What is X-Auth?
- How to troubleshoot X-Auth?
- Palo Alto Networks Firewalls running PAN-OS 8.1 and above
- This assumes the customer already has a GlobalProtect portal and gateway set up and has enabled X-Auth support on the Gateway. This setting is located at Network >> Gateways >> Agent >> Tunnel Settings >> Enable X-Auth Support
- It also assumes the customer has configured the third-party VPN client application properly.
What is X-Auth and how does it work with the firewall?
- X-Auth (Extended Authentication within IKE) is what Palo Alto Networks uses to support third-party VPN software connecting to the GlobalProtect Gateway.
- It allows the third-party VPN client to authenticate against the GlobalProtect authentication profile as part of the IKE negotiation.
- IKEv1 must be used on the third-party clients.
- Supported IPSec clients: Third-Party VPN Client Support
- The Palo Alto Networks firewall uses the OpenSSL crypto library. Reference: GlobalProtect App Cryptographic Functions
- The customer sets the crypto parameters in the third-party application; as long as the firewall supports those parameters (and the pre-shared key matches), IKE phase 1 and phase 2 should negotiate successfully.
- GlobalProtect IPSec crypto profiles are not used for X-Auth clients.
- The end device simply sets up a tunnel between itself and the GlobalProtect Gateway interface.
- Troubleshooting the tunnel is done much the same way as for any other IPSec tunnel. Please refer to the document below for a list of available resources.
- Below is the description of what X-Auth does from IETF website:
[IKE] allows a device to set up a secure session by using a
bidirectional authentication method using either pre-shared keys or
digital certificates. However [IKE] does not provide a method to
leverage legacy authentication methods which are widely deployed
This document describes a method for using existing unidirectional
authentication mechanisms such as RADIUS, SecurID, and OTP within
IPsec's ISAKMP protocol. The purpose of this draft is not to
replace or enhance the existing authentication mechanisms described
in [IKE], but rather to allow them to be extended using legacy
This protocol is designed in such a way that extended authentication
may be accomplished using any mode of operation for phase 1 (i.e.
Main Mode or Aggressive Mode) as well as any authentication method
supported by [IKE]. This protocol may also be easily extended to
support new modes or authentication methods. This protocol does
however require that the phase 1 authentication method be fully
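The following is an added illustration, not code from the KB article or from Palo Alto Networks, of the extended-authentication step the draft describes: after IKEv1 phase 1 is complete, the gateway and client exchange ISAKMP Configuration Mode messages (REQUEST, REPLY, SET, ACK) carrying XAUTH attributes in the RFC 2408 data-attribute format. The `valid_users` dictionary is a constructed stand-in for the authentication profile backend; attribute and message numbers are the values assigned by the Mode Config and XAUTH drafts.

```python
import hmac
import struct

# ISAKMP Configuration Mode message types (draft-ietf-ipsec-isakmp-mode-cfg)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
# XAUTH attribute types (draft-ietf-ipsec-isakmp-xauth)
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD = 16520, 16521, 16522
XAUTH_STATUS = 16527
STATUS_FAIL, STATUS_OK = 0, 1
AF_BIT = 0x8000  # attribute format bit: set = TV (2-byte value), clear = TLV

def encode_attrs(attrs):
    """Encode (type, value) pairs as RFC 2408 data attributes.
    int values use the TV form, bytes values use the TLV form."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            out += struct.pack("!HH", atype | AF_BIT, value)
        else:
            out += struct.pack("!HH", atype, len(value)) + value
    return out

def decode_attrs(data):
    """Parse a data-attribute blob back into a list of (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        atype, second = struct.unpack_from("!HH", data, pos)
        pos += 4
        if atype & AF_BIT:
            attrs.append((atype & ~AF_BIT, second))
        else:
            attrs.append((atype, data[pos:pos + second]))
            pos += second
    return attrs

def xauth_exchange(client_user, client_pass, valid_users):
    """Simulate the four Config Mode messages that follow phase 1.
    valid_users is a constructed stand-in for the gateway's auth profile."""
    transcript = []
    # 1. Gateway -> client: REQUEST names the attributes it wants filled in
    transcript.append((CFG_REQUEST, encode_attrs(
        [(XAUTH_TYPE, 0), (XAUTH_USER_NAME, b""), (XAUTH_USER_PASSWORD, b"")])))
    # 2. Client -> gateway: REPLY carries the credentials (protected by the phase 1 SA)
    reply = encode_attrs([(XAUTH_TYPE, 0), (XAUTH_USER_NAME, client_user.encode()),
                          (XAUTH_USER_PASSWORD, client_pass.encode())])
    transcript.append((CFG_REPLY, reply))
    got = dict(decode_attrs(reply))
    expected = valid_users.get(got[XAUTH_USER_NAME].decode())
    ok = expected is not None and hmac.compare_digest(expected.encode(), got[XAUTH_USER_PASSWORD])
    # 3. Gateway -> client: SET carries XAUTH_STATUS (0 = FAIL, 1 = OK)
    transcript.append((CFG_SET, encode_attrs([(XAUTH_STATUS, STATUS_OK if ok else STATUS_FAIL)])))
    # 4. Client -> gateway: ACK; only after an OK status does phase 2 (Quick Mode) follow
    transcript.append((CFG_ACK, b""))
    return ok, transcript
```

When phase 1 succeeds but the tunnel never reaches phase 2, a STATUS of 0 in the SET message is the place to look: the PSK and crypto parameters were accepted, and it is the user credentials checked against the authentication profile that failed.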