<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Global Protect Always On VPN Pre-Logon in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-always-on-vpn-pre-logon/m-p/545311#M4103</link>
    <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Running into an issue with prelogon not working properly. I have pretty much mirrored the configuration from this KB -&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Scenario - when the laptop is connected to on-prem production Wi-Fi - internal host detection with enforce network access ON - when the laptop boots up, before logging in, I see GlobalProtect get connected. Once I input my Windows credentials and the laptop boots, I still have to click the connect button on the agent in order for internal host detection to kick in (sometimes it also asks for username/password). I thought the whole purpose of prelogon with SSO is that it starts all the tunnel process with less user interaction. This is a big nuisance if the user has to keep clicking connect even when on-prem to detect the internal host connection.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 08 Jun 2023 14:56:42 GMT</pubDate>
    <dc:creator>Chirah_Rana</dc:creator>
    <dc:date>2023-06-08T14:56:42Z</dc:date>
    <item>
      <title>Global Protect Always On VPN Pre-Logon</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-always-on-vpn-pre-logon/m-p/545311#M4103</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Running into an issue with prelogon not working properly. I have pretty much mirrored the configuration from this KB -&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Scenario - when the laptop is connected to on-prem production Wi-Fi - internal host detection with enforce network access ON - when the laptop boots up, before logging in, I see GlobalProtect get connected. Once I input my Windows credentials and the laptop boots, I still have to click the connect button on the agent in order for internal host detection to kick in (sometimes it also asks for username/password). I thought the whole purpose of prelogon with SSO is that it starts all the tunnel process with less user interaction. This is a big nuisance if the user has to keep clicking connect even when on-prem to detect the internal host connection.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2023 14:56:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-always-on-vpn-pre-logon/m-p/545311#M4103</guid>
      <dc:creator>Chirah_Rana</dc:creator>
      <dc:date>2023-06-08T14:56:42Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect Always On VPN Pre-Logon</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-always-on-vpn-pre-logon/m-p/545318#M4104</link>
      <description>&lt;P&gt;Not quite, the purpose of pre-logon is that the PC can connect to the VPN before a user ever logs on (e.g. for remote management/updates/etc.). When the user subsequently logs on to the PC the GlobalProtect client re-authenticates the VPN using the user's credentials.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;User authentication to the VPN consists of two parts: a connection to the Portal, which delivers the VPN configuration information, and a connection to the Gateway, which is where the encrypted tunnel traffic actually occurs. A separate user authentication to each step is required (though one or the other can be bypassed with various combinations of stored creds and cookies). In order to test internal host detection, the client must first download the configuration from the Portal, which requires an authentication (ignoring for the moment that in some cases the GlobalProtect client will temporarily cache and use a previous config).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Since it sounds like you have applied an SSO user authentication to the Portal, try changing the user Portal authentication to use a client certificate instead (and remove any cookie generation to the Gateway). This will allow the GlobalProtect client to automatically connect to the Portal with the user's certificate, without user interaction, when the VPN switches to the user authentication. The client can then automatically download the VPN config and recognize/check for local host detection without prompting the user. Then have the SSO authentication on the Gateway, so if the user needs to connect to the VPN (not internally connected) they are prompted for their SSO credentials (and any MFA you may have attached to that).&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2023 16:10:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-always-on-vpn-pre-logon/m-p/545318#M4104</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2023-06-08T16:10:53Z</dc:date>
    </item>
  </channel>
</rss>

