Global Protect: Endpoint receives a "You are not authorized to connect" when switching geographic locations or moving to/from a hotspot

Created On 03/04/25 16:02 PM - Last Modified 10/20/25 20:40 PM


Symptom


  • Users see the error message "You are not authorized to connect..." from the GP client
  • Users experience the issue when traveling
  • Users experience the issue when moving to or from a hotspot
  • Users experience the issue after any action that causes a new IP address to be assigned to the endpoint
  • PANGPS.log on the GP client contains error messages showing "Cookie authentication failure". See the following document for how to retrieve the logs: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-the-globalprotect-app-software/view-and-collect-globalprotect-logs
  • The following three conditions are present:
    1. Authentication override cookies on the Portal are NOT enabled:
      1. Under Network > Portal > <Portal Name> > Agent > Client Settings > Authentication > Authentication Override, the checkboxes for "Generate cookie for authentication override" and "Accept cookie for authentication override" are NOT enabled.
    2. Authentication override cookies on the Gateway are NOT enabled:
      1. Under Network > Gateway > <Gateway Name> > Agent > Client Settings > Configs > Authentication Override, the checkboxes for "Generate cookie for authentication override" and "Accept cookie for authentication override" are NOT enabled.
    3. Strict IP usage for cookies IS enabled:
      1. Under Network > Gateway > <Gateway Name> > Agent > Connection Settings > Authentication Cookie usage Restrictions, the checkbox IS enabled for "Restrict Authentication Cookie Usage(for Automatic Restoration of VPN tunnel or Authentication Override) to: "


Environment


  • Global Protect
  • Prisma Access


Cause


The issue is caused by a conflict with the strict IP setting configured on the Global Protect gateway. When enabled, the strict IP setting applies to ALL cookies in the Global Protect client, even those that are non-configurable. As a result, if a user's source IP address changes (for example, when switching from an ISP to a hotspot), the Global Protect client may fail to authenticate.
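
The following is a simplified model of the check described above, added here as an illustration; it is not Palo Alto Networks code and does not reflect the real GlobalProtect cookie format. The cookie layout, the demo key, and the names `issue_cookie`, `validate_cookie` and `strict_ip` are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key (assumption); a real gateway protects cookies with its own key material.
GATEWAY_KEY = b"demo-key-not-a-real-secret"


def _mac(payload: str) -> str:
    return hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, source_ip: str, expires: int) -> str:
    """Return 'user|ip|expires|mac', binding the cookie to the issuing source IP."""
    if "|" in user:
        raise ValueError("user must not contain the field separator")
    ip = str(ipaddress.ip_address(source_ip))  # normalise and reject malformed input
    payload = f"{user}|{ip}|{expires}"
    return f"{payload}|{_mac(payload)}"


def validate_cookie(cookie: str, presenting_ip: str, now: int, strict_ip: bool) -> str:
    """Return 'accepted' or the reason the cookie is rejected."""
    try:
        user, bound_ip, expires, mac = cookie.split("|")
        expiry = int(expires)
        bound = ipaddress.ip_address(bound_ip)
        current = ipaddress.ip_address(presenting_ip)
    except ValueError:
        return "rejected: malformed cookie"
    if not hmac.compare_digest(mac, _mac(f"{user}|{bound_ip}|{expires}")):
        return "rejected: bad signature"
    if now >= expiry:
        return "rejected: expired"
    # The strict IP check: a valid, unexpired cookie still fails from a new address.
    if strict_ip and current != bound:
        return "rejected: source IP changed"
    return "accepted"


if __name__ == "__main__":
    # Constructed scenario: cookie issued on one network, client then moves to a hotspot.
    cookie = issue_cookie("alice", "198.51.100.10", expires=2000)
    for ip, strict in [("198.51.100.10", True), ("203.0.113.77", True), ("203.0.113.77", False)]:
        print(f"from {ip} strict_ip={strict}: {validate_cookie(cookie, ip, now=1000, strict_ip=strict)}")
```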



Resolution


1. Disable the strict IP setting on the Global Protect gateway to resolve the issue.

  • Under Network > Gateway > <Gateway Name> > Agent > Connection Settings > Authentication Cookie usage Restrictions, disable the checkbox for "Restrict Authentication Cookie Usage(for Automatic Restoration of VPN tunnel or Authentication Override) to: "

 

NOTE: More information on Strict IP usage for cookies can be found here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/timeout-settings-tab

 


