https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44503#M32663 <HTML><HEAD></HEAD><BODY><P>Its a new feature in PANOS 5.0 which is described in the release notes:</P><P></P><P>"</P><P>Pre-logon Connection – The pre-logon option is part of the GlobalProtect agent configuration and is used to preserve pre-logon and post-logon services provided by a corporate infrastructure regardless of where the user machine is located. By doing this, a company can create a logical network that maintains the security and management features normally achieved by a physical network. Tunnel selection and establishment occurs pre-logon based on machine certificates. Examples of some of the services that can be maintained include: Active Directory group policy enforcement, drive mapping to server resources, and the ability to receive central software deployment downloads while working remotely. One specific example of how the pre-logon feature works is remote users forget their passwords, a helpdesk admin can reset their domain passwords and the users can log in with the new password because the VPN is already established and direct domain authentication will work. </P><P>"</P><P></P><P>So in short, Globalprotect can establish a VPN-tunnel before the user is authenticated in his/her machine (using machine cert).</P><P></P><P>This way you can for example set user=pre-logon to access AD, DNS, AV, WSUS. And the other rules can have user=ad-group(s) or user=userX,userY... for your other systems.</P></BODY></HTML> Mon, 26 Nov 2012 08:31:20 GMT mikand 2012-11-26T08:31:20Z https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44502#M32662 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can anyone explain what the option "pre-logon" means as a value for source-user in a security policy?</P><P>I can't find anything about it. Not in the build in help, the admin guide nor the CLI reference.</P></BODY></HTML> Mon, 26 Nov 2012 07:52:40 GMT https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44502#M32662 nwsol 2012-11-26T07:52:40Z https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44503#M32663 <HTML><HEAD></HEAD><BODY><P>Its a new feature in PANOS 5.0 which is described in the release notes:</P><P></P><P>"</P><P>Pre-logon Connection – The pre-logon option is part of the GlobalProtect agent configuration and is used to preserve pre-logon and post-logon services provided by a corporate infrastructure regardless of where the user machine is located. By doing this, a company can create a logical network that maintains the security and management features normally achieved by a physical network. Tunnel selection and establishment occurs pre-logon based on machine certificates. Examples of some of the services that can be maintained include: Active Directory group policy enforcement, drive mapping to server resources, and the ability to receive central software deployment downloads while working remotely. One specific example of how the pre-logon feature works is remote users forget their passwords, a helpdesk admin can reset their domain passwords and the users can log in with the new password because the VPN is already established and direct domain authentication will work. </P><P>"</P><P></P><P>So in short, Globalprotect can establish a VPN-tunnel before the user is authenticated in his/her machine (using machine cert).</P><P></P><P>This way you can for example set user=pre-logon to access AD, DNS, AV, WSUS. And the other rules can have user=ad-group(s) or user=userX,userY... for your other systems.</P></BODY></HTML> Mon, 26 Nov 2012 08:31:20 GMT https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44503#M32663 mikand 2012-11-26T08:31:20Z https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44504#M32664 <HTML><HEAD></HEAD><BODY><P>Also an exert from the 5.0 admin guide:</P><P></P><P>****************************************************************************************************************************************************************</P><P></P><P class="page" title="Page 336"></P><DIV class="column"><UL><LI> <SPAN style="font-size: 9.000000pt; font-family: 'Palatino';">–&nbsp; </SPAN><SPAN style="font-size: 9.000000pt; font-family: 'Palatino'; font-weight: bold;">pre-logon</SPAN><SPAN style="font-size: 9.000000pt; font-family: 'Palatino';">—Select this option to preserve pre-logon and post-logon services provided by a corporate infrastructure regardless of where the user machine is located. GlobalProtect will establish a connection prior to user login to the computer. By doing this, a company can create a “logical network” that maintains the security </SPAN> <P><SPAN style="font-size: 9.000000pt; font-family: 'Palatino';">and management features normally achieved by a physical network. Tunnel selection and establishment happens pre-logon based on machine certificates that need to be pre-deployed on client systems outside of GlobalProtect. </SPAN></P><P><SPAN style="font-size: 9.000000pt; font-family: 'Palatino';">Examples of some of the services that can be maintained include: Active Directory group policy enforcement, maintaining drive mapping to server resources, and the ability to receive central software deployment downloads while remote. One specific example of how the pre-logon feature works is if a remote user forgets his/her password, since GlobalProtect would connect and use the cached credentials and establish a VPN before the login prompt even appears, a domain administrator could reset the user’s password as if they were logged in directly to a domain controller on the physical network. </SPAN></P></LI></UL><P></P></DIV><P></P><P>****************************************************************************************************************************************************************</P><P></P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Mon, 26 Nov 2012 08:35:43 GMT https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44504#M32664 James 2012-11-26T08:35:43Z https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44505#M32665 <HTML><HEAD></HEAD><BODY><P>So, the pre-logon user value is linked to global protect?</P><P>I indeed found it in the admin guide under global protect. But there's no mention about the two things being linked.</P></BODY></HTML> Mon, 26 Nov 2012 08:42:14 GMT https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44505#M32665 nwsol 2012-11-26T08:42:14Z https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44506#M32666 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm hitting the same issue. Can you or anyone clear up pre-logon definition? for example do I need to create a user called pre-logon on the PA and create a security rule matching the GP VPN or do I create a pre-logon user in AD? or do I not need to create a pre-logon user ID?</P><P></P><P>I've got pre-logon partly working. The pre-logon feature fails with the error' user domain\pre-logon&nbsp; failed authentication' invalid username/password'</P><P></P><P>However when I log into the laptop with my AD credentials the GP client authenticates.</P><P></P><P>Rod</P></BODY></HTML> Mon, 10 Dec 2012 09:02:36 GMT https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44506#M32666 djrodb 2012-12-10T09:02:36Z https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44507#M32667 <HTML><HEAD></HEAD><BODY><P>I've resolved my problem. Please refer to <A _jive_internal="true" href="https://live.paloaltonetworks.com/message/21662#21662">https://live.paloaltonetworks.com/message/21662#21662</A></P></BODY></HTML> Mon, 10 Dec 2012 09:51:32 GMT https://live.paloaltonetworks.com/t5/general-topics/meaning-of-source-user-pre-logon/m-p/44507#M32667 djrodb 2012-12-10T09:51:32Z