GlobalProtect users are unable to see Captive Portal MFA prompt for non-browser applications when connected to internal gateway

Created On 10/07/25 04:42 AM - Last Modified 10/20/25 19:37 PM


Symptom


  • Captive Portal MFA prompt is not being presented when the GP internal user is trying to access non-browser applications like RDP or SSH.
  • Captive Portal redirection happens successfully when accessing browser-based applications.
  • Firewall session details show auth-policy-deny during initial session but the prompt is never seen.


    Environment




    Cause


    • Check if the Captive Portal session is being established for the GP user who initiated the access to RDP or SSH.
    • Packet captures on the client machine and the firewall help identify the UDP traffic for Captive Portal redirection.
    • If the firewall is sending the redirect but no Captive Portal MFA prompt appears, the cause may be 3rd party software or Windows Firewall on the Windows client machine blocking the traffic on port 4501.


    Resolution


    On the client machine, make sure Windows Firewall is configured to allow traffic on port 4501.
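
    One way to check and correct this from PowerShell, as an added example that is not part of the original article. It assumes the notification reaches the client as inbound UDP on port 4501 (per the packet-capture step above); the rule display name is hypothetical.

```powershell
# Added example, not from the KB article. Run from an elevated PowerShell prompt.
# Assumption: the MFA notification arrives at the client as inbound UDP on port 4501.
$port     = '4501'
$ruleName = 'GlobalProtect MFA notification (UDP 4501)'   # hypothetical display name

# Enabled inbound rules whose port filter explicitly names UDP 4501.
# This queries the local persistent store (the cmdlet default); rules that cover
# the port only through a range or "Any" are not matched here.
$rules = Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { $_.LocalPort -contains $port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

$block = @($rules | Where-Object { $_.Action -eq 'Block' })
$allow = @($rules | Where-Object { $_.Action -eq 'Allow' })

# A block rule overrides any allow rule, so report it instead of adding another allow.
if ($block.Count -gt 0) {
    Write-Warning "Inbound UDP $port is explicitly blocked by:"
    $block | Format-Table DisplayName, Profile -AutoSize
}
elseif ($allow.Count -gt 0) {
    Write-Output "Inbound UDP $port is already allowed by:"
    $allow | Format-Table DisplayName, Profile -AutoSize
}
else {
    # No explicit rule found: add an inbound allow rule for all profiles.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $port -Action Allow -Profile Any | Out-Null
    Write-Output "Created inbound allow rule '$ruleName'."
}

# Show the active network category, to compare with the Profile column above.
Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory -AutoSize
```

    This covers Windows Firewall only; 3rd party security software on the client has to be checked in its own console.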



    Additional Information


    • Note that the Captive Portal MFA prompts are initiated only when the GP app status shows "Connected" or "Connected - Internal" on the client that initiates the access.
    • It should work for both External and Internal gateways (no tunnel) as long as the users are in a connected state.

