GlobalProtect Pre-logon fails with "auth-failed-password-empty" when Device Checks or Custom Checks Are Configured with Cookie Authentication

• GlobalProtect Pre-Logon fails with error "auth-failed-password-empty" using Authentication Override Cookie.
• There is no certificate profile configured.
• The following error is seen in PanGPS.log:

(P3084-T4508)Debug(14033): 06/07/22 07:46:26:872 Auth failed. Private header is auth-failed-password-empty

• Palo Alto Firewalls
• Supported PAN-OS
• GlobalProtect (GP) App
• GlobalProtect Portal with Config Selection Criteria with Device Checks/Custom Checks
• Authentication Override Cookie enabled
• Pre-Logon and User-Logon Connect Methods

This is a "chicken and the egg" style limitation is caused by the logical order of Portal Login stage and Config Selection Criteria checks:

• The Login stage (getconfig.esp) is where GP will check if Device/Custom Check information is needed from the app.
• The client does not send this information in the Login stage, so no config is matched yet.
• The "Accept Cookie" setting on the Portal is configured within the Config Selection Criteria tab of portal agent configuration
• Because GP app has not yet sent the Device/Custom Check information, firewall cannot match the portal agent configuration
• When firewall cannot match an agent configuration, it can't use the "Accept Cookie" setting contained in the agent configuration, so Cookie Authentication fails with the error "empty password"
• GP app is notified to send an additional request (getconfig_csc.esp) which contains the necessary data for the Device/Custom Checks
• But this is past the stage where the Cookie is Authenticated

This causes the following warning message to be presented when performing a commit.

If Portal Config Selection Criteria with Device Checks or Custom Checks are in use, a Certificate Profile on the Portal is a must.

• When both Device Checks and Custom Checks are configured, Authentication Override Cookie will be disabled and Cookie Authentication will not be accepted.
• If Cookie Authentication is required, Device Checks/Custom Checks shouldn't be configured.