topic Something about Global Protect agent seems off in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/something-about-global-protect-agent-seems-off/m-p/354682#M475 <P>It looks like Global Protect is a hot issue and specifically in combination with prelogon functionality.</P><P>We're also having a situation that appears to difficult to explain.</P><P>&nbsp;</P><P>The idea is:</P><P>When handing out devices with global protect preinstalled and preconfigured in the windows registry.</P><P>A receiving user who has never logged into that device should be able to do so with the help of global protect prelogon (creating a device tunnel before any user tries to log in to windows).</P><P>&nbsp;</P><P>From then on, the device should always try to setup a device tunnel when it is turned on. But it should use the device certificate to do so.</P><P>&nbsp;</P><P>For some unknown reason, with some of our users (yes not all !?!) at a certain moment something happens (yes very vague so far).</P><P>The device will start trying to create a tunnel with seemingly user authentication (because 2FA request is triggered), before any user actually logs in to Windows.</P><P>So, for some reason the agent is no longer trying to create a device tunnel with the device certificate. It is all of sudden trying to create a (prelogon) tunnel with user creds.</P><P>Since the 2FA request is triggered, I assume that the username and password have been succesfully provided by saved credentials. Because the cookie lifetimes are configured so, they are no longer valid the next morning.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Oct 2020 06:50:04 GMT Klaverblad 2020-10-07T06:50:04Z Something about Global Protect agent seems off https://live.paloaltonetworks.com/t5/globalprotect-discussions/something-about-global-protect-agent-seems-off/m-p/354682#M475 <P>It looks like Global Protect is a hot issue and specifically in combination with prelogon functionality.</P><P>We're also having a situation that appears to difficult to explain.</P><P>&nbsp;</P><P>The idea is:</P><P>When handing out devices with global protect preinstalled and preconfigured in the windows registry.</P><P>A receiving user who has never logged into that device should be able to do so with the help of global protect prelogon (creating a device tunnel before any user tries to log in to windows).</P><P>&nbsp;</P><P>From then on, the device should always try to setup a device tunnel when it is turned on. But it should use the device certificate to do so.</P><P>&nbsp;</P><P>For some unknown reason, with some of our users (yes not all !?!) at a certain moment something happens (yes very vague so far).</P><P>The device will start trying to create a tunnel with seemingly user authentication (because 2FA request is triggered), before any user actually logs in to Windows.</P><P>So, for some reason the agent is no longer trying to create a device tunnel with the device certificate. It is all of sudden trying to create a (prelogon) tunnel with user creds.</P><P>Since the 2FA request is triggered, I assume that the username and password have been succesfully provided by saved credentials. Because the cookie lifetimes are configured so, they are no longer valid the next morning.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Oct 2020 06:50:04 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/something-about-global-protect-agent-seems-off/m-p/354682#M475 Klaverblad 2020-10-07T06:50:04Z