When Admin users have 2FA enabled to access the appliance management console. If they access management console via RDP, they are asked to enter there users credential for first level of authentication and are then prompted to type the OTP. However when same user authenticates via GVC, and try to access the Management Console, they are prompted to type the password only to grant access to Management Console without being asked for OTP.
When the admin users connect via global VPN client, they get authenticated and after all negotiations they are assigned with the client ip. When they hit the firewall ip in browser, firewall validates the IP from which the request is coming and since the IP is already authenticated against their username thus the username option on firewall authentication page will appear Grey for them and they will be asked to type the password only. Admin users won't get prompt for 2fa as they have been authenticated already when they connected via GVC.
Conclusively it is designed to work like this as there is no need to re-validate the user authentication third time.