Setting up GlobalProtect can be a daunting task, especially with all the possible modes available to you.  We already discussed user-logon and on-demand mode.  But all good things come in threes and the third variant to set up GlobalProtect is pre-logon mode.


As the name suggests, the GlobalProtect pre-logon connect method enables GP to authenticate the agent and establish the VPN tunnel to the GP gateway before the user logs on to a machine.  This allows internal resources to be reached, or scripts to be run, even before a user logs in.


This means that prior to the user login there is NO username associated with the traffic. Therefore, to enable the client system to access resources you must create security policies that match the pre-logon user.  These policies should only allow access to basic services required to start up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, and/or operating system update services.
Figure: Pre-logon user in Security Policies
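As an added example (written here for illustration, not taken from the original article or from Palo Alto Networks), this is what such a restricted pre-logon rule set looks like in PAN-OS set-command form. The zone names GP-VPN and Trust, the rule names, and the address group Infra-Servers (the domain controllers, DNS, antivirus and update servers) are assumptions; the App-IDs listed should be confirmed against the firewall's own application database. The important point is ordering: pre-logon traffic carries no username, so if these rules sit below a broader GlobalProtect rule whose source user is "any", the pre-logon machine matches that rule instead and the restriction never applies.

```panos
# Added example: PAN-OS security policy for the GlobalProtect pre-logon user.
# Assumptions: zone "GP-VPN" is the GlobalProtect tunnel zone, zone "Trust" holds
# the internal servers, and address group "Infra-Servers" contains the DCs, DNS,
# antivirus and update servers. Verify the App-ID names on your firewall.
# Rules entered with "set" are appended in order, so enter them top to bottom.

# 1. Allow only what a machine needs before anyone signs in: DHCP, DNS,
#    Active Directory (LDAP/Kerberos/MS-RPC) and Microsoft Update.
set rulebase security rules Pre-Logon-Basic-Services from GP-VPN to Trust source any destination Infra-Servers source-user pre-logon application [ dns dhcp ldap kerberos msrpc ms-update ] service application-default action allow log-end yes

# 2. Explicitly deny everything else from the pre-logon user, so the traffic
#    cannot fall through to a later rule that matches source-user "any".
#    Logging this rule is also what gives you visibility of pre-logon traffic.
set rulebase security rules Pre-Logon-Deny-Rest from GP-VPN to any source any destination any source-user pre-logon application any service any action deny log-end yes

# 3. Ordinary user access follows below. Once the user logs on, the tunnel is
#    re-identified with that username and matches "known-user", not "pre-logon".
set rulebase security rules GP-Users-Internal from GP-VPN to Trust source any destination any source-user known-user application any service application-default action allow log-end yes
```

After committing, filter the traffic log on the rule names (Pre-Logon-Basic-Services and Pre-Logon-Deny-Rest) rather than on the user: the pre-logon user itself is not shown in the logs, so the rule hit is the only reliable way to see what a machine does before logon.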
Once the actual user logs on to the machine, the tunnel gets renamed for Windows users from the 'pre-logon' user to the actual 'user' who logged in. In the case of Mac users, the tunnel is re-established with the actual user who logged in.
Now, since this deals with two users (pre-logon and the actual user), you'll need to configure separate client configs in your portal: one for the pre-logon user and another for any/specific user group.  This makes this particular setup a bit more involved than the other two connection modes.
Figure: Separate configs for "pre-logon user" and "actual users."


This may sound overly complicated but it really isn't.


Check out the step-by-step instructions provided here and learn all about setting up your GlobalProtect configuration with pre-logon:
L0 Member

Hi There,

I really struggle with this pre-logon.

I have a requirement to have pre-logon and user auth.
Can do one or the other but not both. 

What I mean by this is simple:


1. Certificate Profile (certificate based pre-logon) 

2. User Logon 


When configuring the Portal, I need to add LDAP Authentication Profile.

When that's in, I can then connect to GlobalProtect as a user, but the pre-logon doesn't work - authentication failed.

When I remove the LDAP profile and I leave only the Certificate Profile, then the pre-logon comes up, authentication success.
Then the user logs on, and it connects again but as a HOST, and I can see the hostname of the PC rather than the user.

Is there any good article that combines both?

I followed 2 already - didn't work.

Version 8.0.2 and GP 4.0.2-19 


L0 Member

I have the same issue as described by MP_IRL above using the same version of PANOS and GP.

L1 Bithead

About security rules needed...

The traffic log can't filter on user pre-logon, as this user is not displayed in the logs. But if we create specific rules where user pre-logon is added, in that case we see which traffic the rule is hitting. Otherwise the pre-logon will just use any other rule configured for GP clients (supposing that user 'any' is allowed).

So the advantage of having specific pre-logon user rules is visibility.



L1 Bithead

Does this have the same functionality as the Cisco VPN client, being available prior to logging into Windows?


I would rather all authentication for tunnels go thru user based transactions? 


It also allows me to build systems and connect them to the domain via the GlobalProtect client and then log in. I could do that with this described feature but do not like that you don't have to log in. I am not OK with that.

L7 Applicator

Hi Chris, prelogon is not something that's enabled by default; it requires a certificate etc. to allow this feature to work. Once prelogon is connected, it is identified on the firewall as a unique user group that you then allow access to specific resources, like an update server and GPO policy server etc. (and deny access to everything else till the user logs on). Once the user logs on to Windows, the prelogon unique identification is replaced by the actual user and more access can be granted.
