<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Connect Before Logon failing to connect to Portal after changing "Enforce VPN" settings in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/connect-before-logon-failing-to-connect-to-portal-after-changing/m-p/599226#M5882</link>
    <description>&lt;P&gt;Is there any way to easily reset the system-user (before logon) GP settings to restore the initial state? Having an issue testing Connect Before Logon (VPN connection icon on the Windows login screen) where I am hung in a state where the VPN will not work with Enforce VPN set in the Portal config with certificate authentication on the Portal and SAML authentication on the Gateway. It is not even attempting to connect to the Gateway and appears to be having a certificate problem on the Portal.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I initially set up Connect Before Logon on a Portal/gateway and a couple test clients. The client could connect to the Portal without issue and would initially connect to the Gateway, but would never SAML auth (Gateway pre-login on the PaloAlto, no logs in the Entra SAML or return to the Gateway with SAML creds). After trying several FQDN bypasses in the Portal app config, I disabled Enforce VPN and everything worked exactly like it should... So definitely something blocked by Enforce VPN.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;After re-enabling Enforce VPN, now the Connect Before Logon VPN will not connect to the Portal. Wireshark shows it connecting and then sending SSL alerts and closing the connection. It appears to either be rejecting the Portal certificate or failing to provide the client certificate for authentication. The login page shows:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;The network is unreachable or the portal is unresponsive. Check the network and reconnect.&lt;/LI-CODE&gt;
&lt;P&gt;The PANGPS.log shows repeated attempts to connect to the Portal with the following error:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;Failed to pre-login to the portal xxx.xxx.xxx with return value 0(0).&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If I log into the client with a local user, then the VPN connects to the Portal and Gateway without issue.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If I disable Enforce VPN on the Portal I still cannot Connect Before Logon (seems that it can't connect enough to get the new config), but I can log in as a local user and establish the VPN. After rebooting, Connect Before Logon will then start connecting correctly, but as soon as I re-enable Enforce VPN it fails to connect to the Portal again.&lt;/P&gt;</description>
    <pubDate>Tue, 01 Oct 2024 21:07:36 GMT</pubDate>
    <dc:creator>Adrian_Jensen</dc:creator>
    <dc:date>2024-10-01T21:07:36Z</dc:date>
    <item>
      <title>Connect Before Logon failing to connect to Portal after changing "Enforce VPN" settings</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/connect-before-logon-failing-to-connect-to-portal-after-changing/m-p/599226#M5882</link>
      <description>&lt;P&gt;Is there any way to easily reset the system-user (before logon) GP settings to restore the initial state? Having an issue testing Connect Before Logon (VPN connection icon on the Windows login screen) where I am hung in a state where the VPN will not work with Enforce VPN set in the Portal config with certificate authentication on the Portal and SAML authentication on the Gateway. It is not even attempting to connect to the Gateway and appears to be having a certificate problem on the Portal.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I initially set up Connect Before Logon on a Portal/gateway and a couple test clients. The client could connect to the Portal without issue and would initially connect to the Gateway, but would never SAML auth (Gateway pre-login on the PaloAlto, no logs in the Entra SAML or return to the Gateway with SAML creds). After trying several FQDN bypasses in the Portal app config, I disabled Enforce VPN and everything worked exactly like it should... So definitely something blocked by Enforce VPN.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;After re-enabling Enforce VPN, now the Connect Before Logon VPN will not connect to the Portal. Wireshark shows it connecting and then sending SSL alerts and closing the connection. It appears to either be rejecting the Portal certificate or failing to provide the client certificate for authentication. The login page shows:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;The network is unreachable or the portal is unresponsive. Check the network and reconnect.&lt;/LI-CODE&gt;
&lt;P&gt;The PANGPS.log shows repeated attempts to connect to the Portal with the following error:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;Failed to pre-login to the portal xxx.xxx.xxx with return value 0(0).&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If I log into the client with a local user, then the VPN connects to the Portal and Gateway without issue.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If I disable Enforce VPN on the Portal I still cannot Connect Before Logon (seems that it can't connect enough to get the new config), but I can log in as a local user and establish the VPN. After rebooting, Connect Before Logon will then start connecting correctly, but as soon as I re-enable Enforce VPN it fails to connect to the Portal again.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Oct 2024 21:07:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/connect-before-logon-failing-to-connect-to-portal-after-changing/m-p/599226#M5882</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2024-10-01T21:07:36Z</dc:date>
    </item>
  </channel>
</rss>

