topic Re: Help - Certificate pre-login globalprotect VPN, with SAML tunnel adoption in General Topics

Help - Certificate pre-login globalprotect VPN, with SAML tunnel adoption

darrencassano — Wed, 12 Dec 2018 11:58:20 GMT

Hi,

We are working to create a global protect vpn connetion between our windows 10 devices and the PA FW ver. 8.0.1.

The VPN tunnel needs to use a pre-login tunnel initially (authenticating via the machine cert) which when the user logs in re-authenticates the user using SAML (Azure via ADFS) and renames the existing VPN tunnel.

We have an existing ADFS / Azure SAML environment which is working for other 3rd party app connections.

Windows Client devices currently use globalprotect client version 4.1.1-14

Has anyone successfully completed pre-login passing over to SAML user login? Could you please share an anonymised config? The pre-login VPN is up but we are struggling to configure the 2nd part without having the VPN drop (rather than renamed).

The Palo Alto known issues log suggests that Palo have this working, but there is no configuration example as to how they got there that we can reference to assist us.

Thanks

Re: Help - Certificate pre-login globalprotect VPN, with SAML tunnel adoption

Remo — Wed, 12 Dec 2018 15:17:34 GMT

Hi @darrencassano

Bad news for you ... this is not supported yet ...

Re: Help - Certificate pre-login globalprotect VPN, with SAML tunnel adoption

darrencassano — Thu, 13 Dec 2018 10:19:44 GMT

Hi @Remo,

Thanks for the reply,

The way i read the Palo KB article GPC-3794 suggests that this is a current and supported config? Could you please tell me why you don't think this is supported?

I don't suppose you have any ideas on how to get to the same level of functionality with a currently supported solution?

thanks

Re: Help - Certificate pre-login globalprotect VPN, with SAML tunnel adoption

Remo — Thu, 13 Dec 2018 12:44:55 GMT

Hi @darrencassano

GPC-3794 is still in the known issues list (https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-release-notes/gp-app-release-information/known-issues-related-to-gp-app). This unfortunately means it is not fixed yet.

So far I cannot tell you more than that, but your SE maybe has some more information.

Regards,

Remo

Re: Help - Certificate pre-login globalprotect VPN, with SAML tunnel adoption

darrencassano — Thu, 13 Dec 2018 13:13:18 GMT

Thanks @Remo,

Yes we knew there was a known issue, however, as yet we have been unable to get our configuration to the point where we encounter the known issue.. My request for help was hoping that someone may post / provide an example (anonymised) config for cert pre-logon & saml user logon to help us get our configuration moved forward.

I don't believe the KB issue prevents a connection, it suggests you just need to logon twice. Our SE suggests that PA are hoping to resolve this in a new build of the GP client, potentially v5, but still a work in progress.

thanks again!

Re: Help - Certificate pre-login globalprotect VPN, with SAML tunnel adoption

Remo — Thu, 13 Dec 2018 17:41:28 GMT

Oh ... I missed the part that you are asking for a config example anyway ... even with the vpn drop between prelogon and user-logon.

I can try to help, but right now I don't have a SAML config up and running.

Do you already have something configured or are you searching help about how to begin?

PS: Ask you SE about GPv5 Beta access

Re: Help - Certificate pre-login globalprotect VPN, with SAML tunnel adopti

Sec101 — Fri, 19 Jun 2020 19:45:04 GMT

Very interested in something like this. Wondering if supported now.