GlobalProtect gateway logins showing Source User with domain as (null)

Created On 05/03/22 02:21 AM - Last Modified 04/24/24 17:51 PM


Symptom


GlobalProtect gateway logins showing Source User with domain as (null)
 


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1 and above.
  • GlobalProtect Gateway authentication.
  • Authentication Override Cookie.


Cause


  • The authentication override cookie generated after successful portal authentication holds (null) as the domain value instead of the actual domain name.
  • During gateway authentication, the authentication override cookie returned by the GP app registers the username as (null)/username, which leads to a security policy match failure.
  • In appweb3-sslvpn.log (less mp-log appweb3-sslvpn.log), the domain name is displayed as null:

    panGlobalProtectGetConfigCSC: Begin... user=user1@plano.com, domain=(null),user_agent=PAN GlobalProtect/5.2.9-35 (Microsoft Windows 10 Enterprise , 64-bit)
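The following added example is not part of the original article or of Palo Alto Networks tooling. It scans exported appweb3-sslvpn.log lines for the entry shown above and lists the users and GlobalProtect app versions that were logged with domain=(null). The function name, the assumed shape of an unaffected entry (same fields with the real domain present), and every sample line other than the article's own are constructed.

```python
import re
from collections import defaultdict

# Field layout taken from the panGlobalProtectGetConfigCSC line in this article.
LINE_RE = re.compile(
    r"panGlobalProtectGetConfigCSC: Begin\.\.\.\s*"
    r"user=(?P<user>[^,]*),\s*domain=(?P<domain>[^,]*),\s*user_agent=(?P<agent>.*)$"
)
AGENT_RE = re.compile(r"PAN GlobalProtect/(?P<version>[\w.-]+)")


def find_null_domain_logins(lines):
    """Map each user logged with domain=(null) to the GP app versions seen."""
    affected = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line.rstrip("\r\n"))
        if m is None or m.group("domain").strip() != "(null)":
            continue  # unrelated line, or the domain was populated
        ver = AGENT_RE.search(m.group("agent"))
        affected[m.group("user").strip()].add(ver.group("version") if ver else "unknown")
    return dict(affected)


# First line is the article's own; the rest are constructed for illustration.
SAMPLE_LOG = [
    "panGlobalProtectGetConfigCSC: Begin... user=user1@plano.com, domain=(null),"
    "user_agent=PAN GlobalProtect/5.2.9-35 (Microsoft Windows 10 Enterprise , 64-bit)",
    # Assumed shape of an unaffected entry: same fields, real domain present.
    "panGlobalProtectGetConfigCSC: Begin... user=user2, domain=plano,"
    "user_agent=PAN GlobalProtect/5.2.9-35 (Microsoft Windows 10 Enterprise , 64-bit)",
    # Constructed: leading text before the function name, different app version.
    "(constructed prefix) panGlobalProtectGetConfigCSC: Begin... user=user3@plano.com, "
    "domain=(null),user_agent=PAN GlobalProtect/0.0.0-0 (constructed client)",
    "(constructed) unrelated log line without the expected fields",
]

if __name__ == "__main__":
    for user, versions in sorted(find_null_domain_logins(SAMPLE_LOG).items()):
        print(f"{user}: domain=(null), GlobalProtect app {', '.join(sorted(versions))}")
```

Users returned by this check are the ones whose sessions will register as (null)/username and miss user-based security policy rules until the fix or a workaround is applied.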
 


Resolution


Resolution:

  1. The issue is fixed under PAN-184291 in PAN-OS 10.1.6, 10.0.11, and 9.1.15.
  2. Upgrading should resolve the issue.


Workaround: Choose one of the workarounds listed below.

  1. Disable the authentication override cookie at the following GUI paths:
       • Network > GlobalProtect > Portals > (portal-config) > Agent > (agent-config) > Authentication > Authentication Override
       • Network > GlobalProtect > Gateways > (gateway-config) > Agent > Client Settings > (agent-config) > Authentication Override
  2. Disable cookie generation on the portal, and enable cookie generation and acceptance on the gateway.


Additional Information


Cookie Authentication on the Portal or Gateway


