topic Re: GlobalProtect Pre-Logon NULL issue in General Topics

GlobalProtect Pre-Logon NULL issue

raji_toor — Mon, 06 Jul 2020 22:20:28 GMT

Trying to setup new config for pre-logon, seems to be not working. I am getting machine certificate null error.

First i was using internal PKI but then i found this KB and i was hitting the same issue.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR8CAK

I then tried to setup with self generated certs, while i have asked the system admin team to add subject info, but still having same issue.

Below are portal config screenshots, i don't know what i am missing. PANOS 9.0.8, GP 5.1.4

External Gateways in both agent configs point to same public fqdn/ip

I have also tried selecting both options below

Server Authentication below uses public cert, while certificate profile use self generated root CA on firewall.

Below are the local root CA and profile screenshots

Certificate imported in to personal store of local machine, generated on firewall.

On reinstall of Agent it asks to select certificate which is this that i select and get not authorized message.

Also imported root certificate from firewall in trusted certs.

Re: GlobalProtect Pre-Logon NULL issue

MP18 — Tue, 07 Jul 2020 01:21:14 GMT

@raji_toor

Seems you need Root and Intermediate Cert in Device and Certificate profile.

Also your Machine cert need to be part of

Root

Intermediate

Machine

When you create Machine cert then it need to be signed by Intermediate cert.

Re: GlobalProtect Pre-Logon NULL issue

raji_toor — Tue, 07 Jul 2020 05:24:44 GMT

@MP18 As per your suggestion i have made below changes. new root > inter > sever cert created

Included them in server profile used in Gateway authentication config tab

exported and imported rajv-test.xxx.yyy.ca from firewall into Windows local store.

reinstalled GP and tried connection, same result. Null with not authorized.

And this time i did not see any popup from GP for which cert to use from the local store.

Am i generating machine cert rajv-test right, do i need to include server-test cert somewhere.

Re: GlobalProtect Pre-Logon NULL issue

raji_toor — Tue, 07 Jul 2020 17:53:42 GMT

@MP18 I have updated the config now with actual certs that are to be used, no self generated certs, but still hitting the same issue.

Test PC has both root and intermediate certs from our internal PKI. Machine cert pushed by GroupPolicy with subject field populated.

Portal authentication uses public cert in ssl-tls profile and none in certificate profile.

under agent tab root and intermediate certs from internal PKI are selected.

Gateway authentication uses same public cert ssl-tls profile and cert profile with root and intermediate in it from internal PKI

Re: GlobalProtect Pre-Logon NULL issue

raji_toor — Tue, 07 Jul 2020 18:50:17 GMT

This is what i have observed now.

Including the group that works in On-demad mode, pre-logon config fails

If any users is set, user gets authenticated but i still don't see any pre-logon happening

Portal Authentication	Connect Method	Working
cn=emp,ou=groups,ou=emp,dc=aaa,dc=bbbbb,dc=ca	On-Demand	Yes


Portal Authentication	Connect Method	Working
pre-logon	pre-logon (always-on)	No
cn=emp,ou=groups,ou=emp,dc=aaa,dc=bbbbb,dc=ca	pre-logon (always-on)	No


Portal Authentication	Connect Method	Working
pre-logon	pre-logon (always-on)	No
Any	pre-logon (always-on)	Yes

Re: GlobalProtect Pre-Logon NULL issue

MP18 — Tue, 07 Jul 2020 19:59:34 GMT

@raji_toor

Machine Cert need to be imported in both Local user and Local machine in Certificate Store - Personal on each machine.

Under Portal and Gateway Authentication for SSL/TLS profile has to be same

And also the Certificate profile under authentication in Portal and gateway has to be same

Regards

Re: GlobalProtect Pre-Logon NULL issue

raji_toor — Tue, 07 Jul 2020 20:34:06 GMT

Thanks @MP18 I did not need to import to Local user store, but fixing the cert config did fix the issue.

Portal/Gateway authentication - SSL/TLS profile - This is using Public cert

Portal/Gateway authentication - Certificate Profile - This is using internal PKI root and intermediate certs

Re: GlobalProtect Pre-Logon NULL issue

MP18 — Wed, 08 Jul 2020 02:10:47 GMT

@raji_toor

Make sure Cert in SSL/TLS profile has CN the FQDN of the VPN url and is trusted by the PA and end user.

Portal/Gateway authentication - Certificate Profile - This is using internal PKI root and intermediate certs

My assumption is that if you are using Cert PRofile with internal root and intermediate certs need to be same as Cert in SSL/TLS profile -

Can you please test by using either external Root or Internal Root certs and intermediate certs for both SSL/TLS and Certificate Profile?

Regards

Re: GlobalProtect Pre-Logon NULL issue

raji_toor — Wed, 08 Jul 2020 05:55:26 GMT

@MP18 I am pasting all the relevant screenshots of my config, and since all the documentations show config with self generated certs. This is with actual public cert and internal certs.

SSL/TLS Profile used in both portal and gateway configs

SSL/TLS Profile config

above ssl-tls profile refers this Public Certificate

Portal > agent > config >External refers public fqdn

portal > agent > root and inter certs added here issued from internal certificate authority

Certificate profile used in both portal and gateway configs

Certificate profile config referring same internal certificates

Internal certs added to firewall. In case someone my wonder about 3rd IM-ROOT below, we had setup that previously for decryption.

ROOT and ROOT-INTER and Machine cert are automatically pushed to PC by Group Policy under Local Computer. I don't know why 2 are pushed. And as per earlier mentioned KB Subject field should not be empty and refers to the PC name.

Status at login screen on reboot

Tunnel status on firewall before usre logs in to PC, that is the previous screenshot state. User is pre-logon

Tunnel status after user logs in, connection is automatically established if credentials have been entered before.

Re: GlobalProtect Pre-Logon NULL issue

MP18 — Thu, 09 Jul 2020 03:00:46 GMT

@raji_toor

So As per these logs it seems pre logon is working.

Does the user name pre logon to the specfic user as configured in LDAP profile?

Regards

Re: GlobalProtect Pre-Logon NULL issue

raji_toor — Thu, 09 Jul 2020 14:54:12 GMT

@MP18Yes it logs as the user according to the ldap profile.

Re: GlobalProtect Pre-Logon NULL issue

MP18 — Thu, 09 Jul 2020 15:43:35 GMT

@raji_toor

So seems then it is working as expected now ?

Re: GlobalProtect Pre-Logon NULL issue

raji_toor — Fri, 10 Jul 2020 04:28:39 GMT

yes