Configure Palo Alto Networks GlobalProtect to Address the Double-authentication Problem

Please follow these steps to remove the double authentication problem of the Palo Alto Networks VPN client. These steps require a change in the Portal and in the Gateway configuration.

Step 1 - Configure the Portal

From Palo Alto Web Management Site, go to Network → GlobalProtect → Portals and select the GlobalProtect Portal Configuration item associated with the endpoint that needs to be modified (e.g.,. pa-vpn-02).

Click on the name of the GlobalProtect item that you want to configure. The following screen will appear:

Go to the “Agent” section on the menu on the left. From the “Agents” table, click on the item you would like to configure (e.g., pa-vpn-client-02).

The following screen will appear:

From the “Authentication” tab, configure the “Authentication Override” section as follows:

Check the checkboxes next to the following items:

• Generate cookie for authentication override

• Accept cookie for authentication override

Set the attributes to following values as described:

• Cookie Lifetime: “Hours” and “24”

• Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02).

Click “OK” to save the settings.

Certificate example: The following screen shows a sample certificate for the Pa-vpn-server-02 location:

Sample Pa-vpn-server-02 certificate details:

Step 2 - Configure the Gateway

Go to Network → GlobalProtect → Gateways. Select the GlobalProtect Gateway Configuration item associated to the endpoint that you would like to configure (e.g., pa-vpn-gateway-02), and click on it:

The following screen will appear:

Go to the “Agent” section on the menu on the left. From the “Client Settings” tab, click on the item you would like to configure (e.g., pa-vpn-client-02). Then, select the “Authentication Override” tab:

From the “Authentication Override” tab, configure the following options:

Check the boxes next to the following items:

• Generate cookie for authentication override

• Accept cookie for authentication override

Set the attributes to the following values as described:

• Cookie Lifetime: “Hours” and “24”

• Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02)

Click “OK” to save the settings.

Back on the GlobalProtect Gateway Configuration screen, click on the “OK” button.

Step 3

Commit all changes using the Palo Alto Networks management portal.