https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-prelogon-not-working/m-p/340463#M297 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1289">@fatboy1607</a>&nbsp;,</P><P>&nbsp;</P><P>One of the biggest issues involving Pre-Logon tends to be related to the certificate deployment process.</P><P>&nbsp;</P><P>We must ensure the client certificates being deployed are stored in the correct directories and signed by the same root CA which signed the server certificate(s) being used for the Portal and/or Gateway.</P><P>&nbsp;</P><P>I've included a document below discussing this in more detail for you to review as well:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPfM" target="_blank">https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPfM</A></P><P>&nbsp;</P><P>Also, if the configurations for the "pre-logon" and "any" users are the same, you won't need to specify a separate configuration for the pre-logon user as this will be matched by the "any" user!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 24 Jul 2020 05:06:48 GMT trivers01 2020-07-24T05:06:48Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-prelogon-not-working/m-p/340380#M294 <P>Scenario is we recieve new laptop with pre loded certs. I want that laptop to get connected to globalprotect gateway using pre-logon once it has IP it will get connectivity with DC and later it gets renamed to user name we login.</P><P>I am working on above scenario but unable to get it working.</P><P>That new laptop get pre-logon registry settings pushed like<BR />gateway - ip or fqdn<BR />pre-logon -yes<BR />showprelogonbuttton -yes</P><P><BR />Portal config.</P><P>Authentication :- Using certificate , certificate profile mapped under authentication.</P><P>Portal Config :-</P><P>Create 2 Profiles</P><P>1. Pre Logon Profile - Prelogon Always On. , User - Pre-logon</P><P>2. Pre Logon Profile - 2 - Pre Logon Always on - User - Any.</P><P>Gateway config</P><P>Authenication - LDAP<BR />CLient setting - Tunnel Interface , IP Pool , Split Tunnel</P><P>Is this config enough to get above scenario worked ?</P><P>we tried above config , Pre logon does not trigger.</P><P>&nbsp;</P><P>Any help Appreciated.</P> Thu, 23 Jul 2020 18:03:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-prelogon-not-working/m-p/340380#M294 fatboy1607 2020-07-23T18:03:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-prelogon-not-working/m-p/340463#M297 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1289">@fatboy1607</a>&nbsp;,</P><P>&nbsp;</P><P>One of the biggest issues involving Pre-Logon tends to be related to the certificate deployment process.</P><P>&nbsp;</P><P>We must ensure the client certificates being deployed are stored in the correct directories and signed by the same root CA which signed the server certificate(s) being used for the Portal and/or Gateway.</P><P>&nbsp;</P><P>I've included a document below discussing this in more detail for you to review as well:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPfM" target="_blank">https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPfM</A></P><P>&nbsp;</P><P>Also, if the configurations for the "pre-logon" and "any" users are the same, you won't need to specify a separate configuration for the pre-logon user as this will be matched by the "any" user!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 24 Jul 2020 05:06:48 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-prelogon-not-working/m-p/340463#M297 trivers01 2020-07-24T05:06:48Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-prelogon-not-working/m-p/340470#M298 <P>Thanks <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/135907">@trivers01</a>&nbsp; Appreciate your reply.</P><P>&nbsp;</P><P>1. Query is it is always recommended to use public cert for IP&nbsp; facing public so portal IP is public&nbsp; lets say we use cert from well known CA's like commdo , symantec,verizon etc.</P><P>&nbsp;</P><P>2. If that is same cert I need to use as server cert on gateway ( As I have gateway and Portal on Same firewall ) then issue is with client authentication as we cannot get client certificate from well root CA's I mean not a good practice.</P><P>&nbsp;</P><P>Then for Portal authentication If use LDAP or Local , for the machines that are newly build I dont have user name and password for those users&nbsp; going to use it , so we want to make authentication using certificate. I think only using cert profile on portaln to match subnet name will solve it , your suggestion ?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MandarKulkarni_0-1595570159333.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27003i7A14A1FB06912464/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MandarKulkarni_0-1595570159333.png" alt="MandarKulkarni_0-1595570159333.png" /></span></P><P>&nbsp;</P><P>Then I dont see document mentioning use of cookie authentication ?</P><P>&nbsp;</P><P>some documents refer using cookie authentication ?</P><P>&nbsp;</P><P>3. Any specific logs on firewall side we can see if pre-logon is getting triggered ?</P><P>&nbsp;</P><P>Thanks Again.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 24 Jul 2020 06:01:53 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-prelogon-not-working/m-p/340470#M298 fatboy1607 2020-07-24T06:01:53Z