topic Re: GlobalProtect Prelogon tunnel and Portal authentication in General Topics

GlobalProtect Prelogon tunnel and Portal authentication

JamesH1318 — Fri, 17 May 2024 15:31:44 GMT

Looking for assistance on a GP setup. I want to have a pre-logon tunnel (certificate, always on) and a portal, which uses SAML authentication. I also need the user to have to re-authenticate any time they disable, sign-out, reboot, etc. The problem I'm running into is because the portal uses SAML auth, the portal communication during pre-logon fails and therefore the pre-logon tunnel doesn't start. I thought I should be able to set the Generate and Authenticate cookie options on the pre-logon portal agent configuration but it's not working. I thought it would flow like this:

User boot machine for first time, no pre-logon tunnel as expected.
User logs into machine, GP starts, user gets our internal SAML authentication window for the Portal
User logs in, portal generates cookie.
User logs into Post Logon gateway (no cookie options set here because I do not want cookie to auth post logon)
User reboots, portal auth is handled by cookie, pre-logon tunnel starts.

The portal auth by cookie after reboot is apparently not happening. PanGPS.log shows the messages "Unserialized empty cookie on portal..." and there are no attempts to connect to the portal in the FW Monitor log.

For my testing, I have my cookie lifetime set to 10 minutes. My reboots, logons, reboots are all occurring within 3 minutes.

PAN-OS 10.2.9-h1

GP 6.2.3

FYI, there are no certificate issues or anything like that. This is a modification of an existing setup where the pre-logon and portal use the machine certificate. I need to be able to have different portal agent configs for different groups of people, which means I need to know the user at the portal level so I can use AD groups. User certificates are not an option.

Re: GlobalProtect Prelogon tunnel and Portal authentication

TorstenForster — Sat, 18 May 2024 10:20:03 GMT

if you always want prelogon with certificate auth, deactivate the authenticaten overwrite. Then you dont run into the cookie problems.

What is your portal authentication setup?

You cannot activate User Credentials And Client Certificate. With pre-logon, you can only activate User Credentials Or Client Certificate. Because you don't have a user at pre-logon.

What says your GP log on the firewall?

Re: GlobalProtect Prelogon tunnel and Portal authentication

JamesH1318 — Mon, 20 May 2024 11:44:03 GMT

Thank you for the reply but I'm not sure you understood the question. I have a machine certificate portal and pre-logon setup today. However, now I need to know who the user is at the portal for the post logon agent config. The question basically comes down to, how do I do that without breaking the pre-logon tunnel?

Re: GlobalProtect Prelogon tunnel and Portal authentication

TorstenForster — Wed, 22 May 2024 11:31:05 GMT

I'm not sure I understood the question 😄 You wrote about SAML login failures at pre-logon (what is normal), but you also expect this behavior at 1.

For cookie auth you need a valid certificate oder user auth at first. This should be the reason for your unserilied cookie problem.

The user result from the SAML auth. If it was successful, you see the user in the logs and can setup different agent configs also