What is X-Auth support in PAN firewalls and how to troubleshoot it?

What is X-Auth support in PAN firewalls and how to troubleshoot it?

Created On 09/17/20 15:03 PM - Last Modified 05/11/23 03:12 AM

  • What is X-Auth?
  • How to troubleshoot X-auth? 

  • Palo Alto Networks Firewalls running PAN-OS 8.1 and above
  • This assumes the customer has a Globalprotect portal and gateway set up already, and has enabled X-Auth support on the Gateway. This configuration is located at Network >> Gateways >> Agent >> Tunnel Settings >> Enable X-Auth Support
  • It also assumes the customer has configured the 3rd party VPN client application properly. 
User-added image

What is X-Auth and how does it work with the firewall? 
  1. Xauth (Extended Authentication within IKE) is what Palo Alto Networks use to support third party VPN software using the Globalprotect Gateway.
  2. It allows the third party VPN client to authenticate through the Globalprotect auth profile as part of the IKE negotiation.   
  3. IKE V.1 must be used on the 3rd party clients. 
  4. Supported IPSec clients: Third-Party VPN Client Support
  5. The Palo Alto Network firewall uses the OpenSSL crypto library - Reference: GlobalProtect App Cryptographic Functions
  6. The customer sets the crypto configuration in the third party application, and as long as the firewall supports those parameters (and the PSK is correct) IKE phase 1 and 2 should negotiate successfully.
  7. Globalprotect IPsec crypto profiles aren't used for the X-auth clients.
  8. The end device simply sets up a tunnel between the device itself and the Globalprotect Gateway interface.  
  9. Troubleshooting of the tunnel is done much the same way as any IPSec tunnel would be troubleshot. Refer to the document  IPSec and Tunneling Resource list on Configuring and Troubleshooting
  10. Refer to the information of  what X-Auth does from IETF:  Extended Authentication within IKE (XAUTH)


Additional Information

X-auth support has the following limitations:
  • It does not support multiple concurrent connection sessions from one GP user: for x-auth, the firewall differentiates the user connection based on the username and public IP address. We can't have 2 clients with the same username/source IP logged in via x-auth at the same time. While for Global protect clients, it uses a username and computer name; so it is easier to make a distinction between the clients (computer name is not communicated with x-auth)
  • Support for Framed IP address assignment/allocation: Framed IP address attribute is not supported currently for X-auth Clients
  • X-auth for firewall on FIPS mode:  For the firewall running FIPS mode, the X-auth option for the globalprotect gateway is not available
  • Support for region restriction in the gateway client setting: When region specification is defined under  Gateways > [gateway-name] > Agent > Client Settings, x-auth client connection fails. The right configuration for X-Auth should be having no region config inside the client config. X-Auth clients require a separate configuration to allow them to connect when a regional restriction is in place

  • Print
  • Copy Link


Choose Language