topic Re: Switching GP from User (Always On) to Pre Logon in General Topics

Switching GP from User (Always On) to Pre Logon

MikeC — Fri, 05 Oct 2018 04:30:12 GMT

I’m looking at switching GP from User (Always On) to Pre-Logon (always On).

Current setup is one firewall serving as both the portal and gateway. I’m doing both username/password with client user certificates for multiple authentication factors, as this is a requirement.

I deployed a computer cert to test Pre-Logon but it doesnt seem to work as expected it too. I thought it would be like a competitor’s “secure domain login” feature. I want to establish the VPN connection prior to login but I also want to make use of username/password. Also, the vpn connection must be always on. Pre-logon with OnDemand is not an option.

Is this possible?

Re: Switching GP from User (Always On) to Pre Logon

MikeC — Sat, 06 Oct 2018 16:07:45 GMT

Anyone? 🙂

Re: Switching GP from User (Always On) to Pre Logon

OtakarKlier — Mon, 08 Oct 2018 14:12:45 GMT

Hello,

Not sure if I am answering the correct question, but I would take a look at the following article:

https://www.paloaltonetworks.com/documentation/81/globalprotect/globalprotect-admin-guide/globalprotect-quick-configs/remote-access-vpn-with-pre-logon.html

Hope that helps,

Re: Switching GP from User (Always On) to Pre Logon

Brandon_Wertz — Mon, 08 Oct 2018 23:26:10 GMT

This one has me confused...

From @OtakarKlier's link "A pre-logon VPN tunnel has no username association because the user has not logged in. "

When you're doing "pre-login" that inherently means no known user. So I'm confused @MikeC when you say you want to establish a VPN tunnel, but you also want to user user ID and PW. "I want to establish the VPN connection prior to login but I also want to make use of username/password."

Do you mean once the user supplies credentials to the computer you want GP to also ask for creds from the user to make the connection to the gateway?

Re: Switching GP from User (Always On) to Pre Logon

MikeC — Tue, 09 Oct 2018 00:49:13 GMT

@Brandon_Wertz I was really comparing pre-logon to checkpoint's "secure domain logon" feature. With CP, the computer would boot up, user would enter their windows login info, which would then prompt the CP VPN to pop up, user would enter vpn credentials, vpn would connect and then log into windows.

I'm currently using "Always on" with both username/pw and client certificates for multiple factors requirement. Initially, looking at pre-logon, it seemed it only uses a computer certificate, so can't really have multiple factor auth (not counting windows login). Based on the link @OtakarKlier posted, it seems I can use computer cert to establish the VPN and also use username/pw + client cert.

I also use Internal Host Detection for when laptops are in the office, not sure if that will be an issue.

I need to test what happens if there is no internet connection when the computer boots up. I have a requirement to make sure VPN connects if there is an internet connection. Will it automatically connect, or will it require the user to hit connect

Re: Switching GP from User (Always On) to Pre Logon

Brandon_Wertz — Tue, 09 Oct 2018 00:55:12 GMT

The way "pre-logon" works is it uses the machines certificate to establish a VPN tunnel at boot up. The user doesn't need to click or connect to anything, click a button (et al).

The service starts at start up and you can see at the login screen that the VPN tunnel has been established by looking at other "login options."

Re: Switching GP from User (Always On) to Pre Logon

Brandon_Wertz — Tue, 09 Oct 2018 01:01:47 GMT

Here's an example:

https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-new-features/new-features-released-in-gp-agent-4_1/globalprotect-credential-provider-prelogon-connection-status

Re: Switching GP from User (Always On) to Pre Logon

Brandon_Wertz — Tue, 09 Oct 2018 01:06:50 GMT

Here's a pretty detailed example of the pre-logon config:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

Of note there's security policy that you need to also have, that allows a "pre-logon" connection.

Re: Switching GP from User (Always On) to Pre Logon

MikeC — Tue, 09 Oct 2018 01:15:26 GMT

@Brandon_Wertz thanks for the links, I'll check them out. I guess the way it works is part of my issue, I can't really have multiple factors before establishing the VPN.

What about when these machines are on the internal network? the VPN is still going to connect? That would be unnessary

Re: Switching GP from User (Always On) to Pre Logon

Brandon_Wertz — Tue, 09 Oct 2018 01:20:24 GMT

That's where internal host detection comes into play. The VPN tunnel won't come up because the PCs ip would tell GP that the host is internal

Re: Switching GP from User (Always On) to Pre Logon

MikeC — Tue, 09 Oct 2018 01:26:51 GMT

That's what I was hoping you'd say. I don't use internal gateways, but that never seemed to affect internal host detection for me.

I'm going to spin this up in my lab right now. Thanks for the help