GlobalProtect App "Using Cached Portal" portal connection status
60532
Created On 11/24/22 16:57 PM - Last Modified 06/20/24 18:04 PM
Symptom
- The most common GlobalProtect topology contains one GlobalProtect Portal and multiple GlobalProtect Gateways.
- "Cached portal config" is introduced to avoid a single point of failure for GP remote-user VPN.
- When a cached portal config is present, end users can still connect to the GP Gateway on the unaffected firewall even if the GP Portal is unreachable.
- GlobalProtect always prefers a regular connection to the Portal over the cached portal config.
- The "Using Cached Portal" status can be confirmed in the GlobalProtect App.
- It can also be confirmed in PanGPA.log (C:\Users\<username>\AppData\Local\Palo Alto Networks\GlobalProtect).
Environment
- Palo Alto Firewall
- PAN-OS 8.1 and above
- GlobalProtect (GP) Portal
- GlobalProtect App 6.2.2 and above
Cause
GlobalProtect uses cached portal config in 3 scenarios:
- Portal is not reachable
- Portal's server certificate cannot be verified
- The "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" setting in the GlobalProtect Portal's Agent > App configuration is set to 0
Resolution
- Refresh the connection to reconnect (GP App > hamburger button > Refresh Connection) and check whether the status changes to "Connected" instead of "Using Cached Portal". This can only be triggered when connectivity is fine (GP is connected to the GP Gateway).
- If "Refresh Connection" is not available, move the cached portal configuration files to a different location and restart the PC. If the connection is then unsuccessful, move the files back so that the cached portal config can be used again.
- Cached portal config for "pre-logon" user is located in C:\Program Files\Palo Alto Networks\GlobalProtect.
- Cached portal config for regular user is located in C:\Users\<username>\AppData\Local\Palo Alto Networks\GlobalProtect
- Cached portal config file names start with "PanPortalCfg_".
- If the GP status is still "Using Cached Portal" after "Refresh Connection":
- perform regular connectivity troubleshooting; a PCAP can be useful.
- test connectivity with the PC proxy settings enabled and with them disabled.
- if connectivity is OK, check whether the GP Portal's certificate can be verified (open the GP Portal URL in a web browser and look for certificate errors).
- If the GP status is "Connected" after "Refresh Connection", the connect method configured is either "Pre-logon (Always On)" or "Pre-logon then On-demand". In these configurations PanGPS starts establishing the connection before the network is reachable, so it uses the cached portal configuration to establish the connection.
- To resolve this, change the value of "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" from "-1" to a value higher than 0.
GUI: Network > GlobalProtect > Portal > Agent > App.
- A value of -1 means the pre-logon tunnel does not time out after a user logs on to the endpoint; GlobalProtect (GP) renames the tunnel to reassign it to the user. However, the tunnel persists even if the renaming fails or if the user does not log in to the GP gateway.
- A value of 0 means when the user logs on to the endpoint, GP immediately terminates the pre-logon tunnel instead of renaming it. In this case, GP initiates a new tunnel for the user instead of allowing the user to connect over the pre-logon tunnel.
- A value of 1 to 7200 indicates the number of seconds in which the pre-logon tunnel can remain active after a user logs on to the endpoint. During this time, GP enforces policies on the pre-logon tunnel. If the user authenticates with the GP gateway within the timeout period, GP reassigns the tunnel to the user. If the user does not authenticate with the GP gateway before the timeout, GP terminates the pre-logon tunnel.
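The file-move step, the PanGPA.log check and the portal certificate check from the resolution above, as an added PowerShell example that is not part of this article or of the GlobalProtect product. It assumes a Windows endpoint with the GlobalProtect App in its default install paths; the function names, the backup folder under %TEMP%, the "cached portal" log search string and the portal host name in the usage comments are this example's own assumptions.

```powershell
# Added example (not code from the Palo Alto Networks article or product): helpers for
# the resolution steps. An elevated session is needed to touch the pre-logon
# (Program Files) folder. Function names are this example's own.

# Cached portal config locations as given in the article.
$PreLogonDir = 'C:\Program Files\Palo Alto Networks\GlobalProtect'
$UserDir     = Join-Path $env:LOCALAPPDATA 'Palo Alto Networks\GlobalProtect'

function Get-GpCachedPortalConfig {
    # Lists cached portal config files (names start with "PanPortalCfg_") in
    # both the pre-logon and the current user's location.
    foreach ($dir in @($PreLogonDir, $UserDir)) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -File -Filter 'PanPortalCfg_*'
        }
    }
}

function Move-GpCachedPortalConfig {
    # Moves the cached files aside and records where each came from, so they can
    # be put back with Restore-GpCachedPortalConfig if the regular connection
    # does not succeed after the restart.
    param([string]$BackupDir = (Join-Path $env:TEMP 'GpCachedPortalBackup'))  # assumed location
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $moved = foreach ($f in Get-GpCachedPortalConfig) {
        $dest = Join-Path $BackupDir ("{0}_{1}" -f [guid]::NewGuid(), $f.Name)
        Move-Item -LiteralPath $f.FullName -Destination $dest
        [pscustomobject]@{ Original = $f.FullName; Backup = $dest }
    }
    if ($moved) {
        $moved | Export-Csv -LiteralPath (Join-Path $BackupDir 'manifest.csv') -NoTypeInformation
    }
    $moved
}

function Restore-GpCachedPortalConfig {
    # Reverses Move-GpCachedPortalConfig using the manifest it wrote.
    param([string]$BackupDir = (Join-Path $env:TEMP 'GpCachedPortalBackup'))
    $manifest = Join-Path $BackupDir 'manifest.csv'
    if (-not (Test-Path -LiteralPath $manifest)) { throw "No manifest at $manifest" }
    foreach ($entry in Import-Csv -LiteralPath $manifest) {
        Move-Item -LiteralPath $entry.Backup -Destination $entry.Original -Force
    }
}

function Find-GpCachedPortalLogLines {
    # Confirms the status from PanGPA.log instead of the GUI. The search string is
    # an assumption; adjust it to the exact wording seen in your log.
    param([string]$LogPath = (Join-Path $UserDir 'PanGPA.log'))
    if (Test-Path -LiteralPath $LogPath) {
        Select-String -LiteralPath $LogPath -Pattern 'cached portal' -SimpleMatch
    }
}

function Test-GpPortalCertificate {
    # Instead of opening the portal URL in a browser, performs only the TLS
    # handshake and reports whether Windows accepts the server certificate (chain,
    # hostname, expiry). Validation failures are captured rather than thrown, so
    # the certificate details are returned even when the chain cannot be verified.
    param([Parameter(Mandatory)][string]$PortalHost, [int]$Port = 443)
    $script:GpPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $policyErrors)
        $script:GpPolicyErrors = $policyErrors   # remember why validation failed, if it did
        return $true                             # keep the handshake going so the cert can be read
    }
    $client = New-Object System.Net.Sockets.TcpClient($PortalHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($PortalHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Portal   = $PortalHost
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Valid    = ($script:GpPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            Errors   = $script:GpPolicyErrors
        }
    } finally {
        $client.Dispose()
    }
}

# Usage (the portal host name is a placeholder):
# Get-GpCachedPortalConfig
# Move-GpCachedPortalConfig; Restart-Computer
# Restore-GpCachedPortalConfig      # only if the regular connection still fails
# Find-GpCachedPortalLogLines
# Test-GpPortalCertificate -PortalHost 'gp-portal.example.com'
```

Test-GpPortalCertificate reports the same chain and hostname verdict Windows applies to the portal, so a non-empty Errors value (for example an untrusted root or a name mismatch) points at the "Portal's server certificate cannot be verified" cause listed above even when the portal is otherwise reachable.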
Additional Information
Details Within the GlobalProtect App Troubleshooting and Diagnostic Logs