GlobalProtect app ignores new gateway generated authentication override cookie and keeps using the old portal cookie when the portal is unreachable

GlobalProtect app ignores new gateway generated authentication override cookie and keeps using the old portal cookie when the portal is unreachable

1542
Created On 09/11/25 10:51 AM - Last Modified 10/17/25 20:48 PM


Symptom


  • When GP app uses cached portal configuration when the portal is unreachable, the successful gateway generated authentication override cookie will be replaced by the old expired portal cookie when a new gateway authentication event occurs.
  • This causes the gateway to consider the expired cookie and trigger the authentication prompt which will generate a new authentication override cookie.
  • However, it will be replaced again by the old expired portal cookie at the next gateway authentication event if the app still uses the cached portal configuration.

Environment


  • GlobalProtect (GP) Portal and Gateway
  • GlobalProtect App versions prior to 6.2.8-h4 (6.2.8-c317)
  • Authentication Override Cookie configured on GlobalProtect Portal and Gateway(s)

Cause


If the portal is unreachable, the GP app will load the old expired portal authentication override cookie from the cached portal configuration.

Resolution


  1. The issue has been fixed under GPC-23646.
  2. Upgrading to the fixed version of GP app 6.2.8-h4 (6.2.8-c317) will resolve the issue.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000kAFhKAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail