Setting up GlobalProtect can be a daunting task, especially with all the possible modes available to you. We already discussed user-logon and on-demand mode. But all good things come in threes and the third variant to set up GlobalProtect is pre-logon mode.
All good things come in threes
As the name suggests, the GlobalProtect pre-logon connect method enables GP to authenticate the agent and establish the VPN tunnel to the GP gateway before the user logs on to a machine. This allows for internal resources to be connected or scripts executed even before a user logs in.
This means that prior to the user login there is NO username associated with the traffic. Therefore, to enable the client system to access resources you must create security policies that match the pre-logon user. These policies should only allow access to basic services required to start up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, and/or operating system update services.
Pre-logon user in Security Policies
Once the actual user logs on to the machine, the tunnel gets renamed for Windows-users from the 'pre-logon' user to the actual 'user' who logged in. In the case of Mac-users, the tunnel is re-established with the actual user who logged in.
Now, since this deals with 2 users (pre-logon and actual user), you'll need to configure separate client configs in your portal. One for the pre-logon user and another for any/specific user group. This makes this specific setup a bit more engaging than the other 2 connection modes.
Separate configs for 'pre-logon user' and 'actual users'.
This may sound overly complicated but it really isn't.
Check out the step-b- step instructions provided here and learn all about setting up your GlobalProtect configuration with Pre-logon :