Basic GlobalProtect Configuration with Pre-logon

 What is GlobalProtect with Pre-logon?

 

As 'pre-logon' in the name suggests, GlobalProtect is connected "before" a user-logs on to a machine. The idea behind pre-logon is to have the "device" get connected to the GlobalProtect gateway, even before a user logs into the machine, most commonly to have certain internal resources connected or scripts executed even before a user logs in. For example, in the case of Windows, GlobalProtect pre-logon get connect to the gateway while the system is still booting up or is at the Ctrl+Alt+Del screen, that is, before a user logs in to the machine. Pre-logon will also kick in once a user logs off that machine. Since there is no user associated at these times, the gateway will see this connection coming from a generic username called 'pre-logon'. Once the user logs on to the machine, the tunnel gets renamed (in Windows) from the 'pre-logon' user to the actual 'user' who logged in. In the case of MAC, the tunnel is re-established with the actual user who logged in. 

 

• Pre-logon is most commonly used in conjunction with 'user-logon' and SSO so that the GP connection is seamless to the user.
• Since this deals with two users called 'pre-logon' and the actual 'user', separate client configs need to be created under portal one for 'pre-logon' and other for 'any/specific user groups'. Separate security rules are also needed to provide access for these two users.
• Once the 'actual user' is connected to GP (ie user-logon), the user will see a 'disable' option (if allowed by admin) to disable the GP application when needed.  

This document explains basic GlobalProtect configuration for pre-logon with following considerations:

• Authentication - local database
• Same interface serving as portal and gateway.
• Root, intermediate and server certs are generated on PAN

 

1. Generate a root CA, intermediate CA (optional), and a server certificate as explained in the following document here.
 

 

2. Create a SSL/TLS profile under Device > Certificate Management > SSL/TLS Service Profile, referencing the above created 'server certificate'.

 

3. Create an authentication profile under Device > Authentication Profile and select Add.

• Name- Give a name to this authentication profile
• Type - Choose Local Database(You may choose ldap,radius etc depending on your requirement)
• Advanced Tab > Allow List > Add - Select all (If you have groups, you may restrict it to required groups)
• Click OK to save.

 

 

 

 

4. Create a tunnel interface under Network > Interfaces > Tunnel. Provide a tunnel number, virtual router and security zone.

Note: It is recommended to create a separate zone for VPN traffic as it gives better flexibility to create separate security rules for the VPN traffic.

Configure GlobalProtect Portal

5. Configure GlobalProtect Portal
 

• General 

  

 

• Authentication

 

b. Under "Client Authentication" select  Add. Give any name to it, leave the OS to 'Any' unless you want to restrict it. Under authentication profile, select the auth profile created in Step 3.

c. Click OK to save.

 

Note: One of the following 3 conditions must be met for pre-logon to work:

i.  Portal contains ‘certificate profile’ but ‘no’ auth cookies
   Note: When Portal/Gateway are on the same IP, the Gateway Cert Profile will take precedence over Portal Cert Profile. If Portal Cert Profile is required, Portal/Gateway must be on different IP.

ii. Portal does ‘not’ contain ‘certificate profile’ but has ‘auth cookies’.

(In this case, the very first GP connection must be made by a user, which will create two cookies one for the ‘user’ and other for ‘pre-logon’. From then on the pre-logon will work.)

(Attempting ‘pre-logon’ in the very first time without having a user connected to GP previously will not work in this case since the ‘pre-logon’ cookie will only get generated after a user is logged in the first time.)

iii. Portal contains both ‘certificate profile’ and ‘auth cookies’.

 

•  Agent 

Note: You'll need two client configs if you have a separate configuration needed after users actually log into the gateway: one for pre-logon and second for any user/specific user groups.

 

• Client config for Pre-logon

 

• Add a pre-logon user config 

 

a. Authentication

• Give any name to this client config
• Client certificate - leave it to none, this will only be needed if we want to push any client certificate to clients for authentication purpose.
• Save user credentials - Yes (default)
• (Optional)Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. This cookie can be encrypted/decrypted using any certificate that is selected from the drop down of 'Certificate to Encrypt/Decrypt Cookie'.

  

 b. User/User Group

•  Select 'pre-logon' from drop-down

 

IMPORTANT!

c. External 

• Under 'External Gateways', click Add. Give any name to it.
• Address- Enter the IP address or FQDN which was referenced in the certificate Common Name(CN) or Subject Alternate Name(SAN) of Step 1. In this example we enter 'gp.portal-gw01.local'

   

 d. App 

• Under 'Connect-method' drop down, select 'Pre-logon(Always On)'. 

   

e. Click OK to save.

 

• Client config for actual users

• Add a new client config 

a. Authentication

• Give any name to this client config
• Client certificate - leave it to none, this will only be needed if we want to push any client certificate to clients for authentication purpose.
• Save user credentials - Yes (default)
• (Optional) Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. This cookie can be encrypted/decrypted using any certificate that is selected from the drop down of 'Certificate to Encrypt/Decrypt Cookie'.

 

 

IMPORTANT!

 

c. External

• Under 'External gateways', click Add. Give any name to it.
• Address- Enter the IP address or FQDN which was referenced in the certificate Common Name(CN) or Subject Alternate Name(SAN) of step 1. In this example we enter 'gp.portal-gw01.local'

 

   d. App

• Under 'Connect-method' drop down, select 'Pre-logon(Always On)'.
• Also, make sure 'Single Sign-on' is set to 'Yes'.

    

e. Click OK to save.

 

 f. Under 'Trusted Root CA', select the root CA and intermediate CA. Also, select 'Install in Local root certificate store' to install these certificates in the client's local root certificate store after the client successfully connects to the portal for first time.

 

g. Click OK to save and close the GlobalProtect portal config.

 

Configure Client certificate profile

 

(Location: Device > Certificate Management > Certificate Profile)

Certificate profile specifies a list of CAs and Intermediate CAs. When this certificate profile is applied to the config, the portal/gateway will send a client certificate request to the client to request for a client/machine cert signed by the CA/intermediate CA specified in the cert profile. We recommend placing both the root and intermediate CAs in this profile, instead of just the root CA.

  

IMPORTANT!

Client certificate refers to user cert, it can be used for 'user-logon'/'on-demand' connect methods. Used to authenticate a user.

 

Machine certificate refers to device cert, it can be used for 'pre-logon' connect method. This is used to authenticate a device, not a user.

 

• Import the "Root CA" that signed the client/machine cert into Device> Certificate Management >Certificates (optional private key)
• Import the "intermediate CAs" if any that signed the client/machine cert into Device> Certificate Management >Certificates (optional private key)
• Go to Device>Certificate Management>Certificate Profile, Add.
• Give a name to the profile.
• Add the above root and intermediate CAs.

• Note: Username field by default is set to 'None', in typical setup where username is pulled from ldap/radius authentication you can leave this to none. On the otherhand, if certificates are the only method of authentication ie if you do not have radius/ldap for portal/gateway authentication then you must change username field from none to 'Subj' or 'Subj Alt' to extract username from the client certificate common name or email/principal name. Failing to do this will result in commit failure.
• (optional) Check CRL or OCSP if the portal/gateway needs to verify the client/machine cert's revocation status using CRL or OCSP. Please use this with caution as it can result in clients failing to connect if used in conjunction with 'Block session if certificate status is unknown'.
• Reference this certificate profile portal/gateway as needed.

  

Configure GlobalProtect Gateway

6.  Go to Network> GlobalProtect > Gateways and select Add.

• General - Give a name to the gateway and select the interface that serves as gateway from the drop down.

 

• Authentication Tab. This is similar to Step 6 but this is for the gateway.

a. Under SSL/TLS service profile, select the SSL/TLS profile created in step 2 from the drop-down.

b. Client Authentication > Add. Give any name to it, leave the OS to 'any' unless you want to restrict it. Under authentication profile, select the auth profile created in Step 3.

c. Select the above created certificate profile from drop down

d. Click OK to save.

 

 

• Agent Tab.

a. Tunnel Settings. Check 'Tunnel mode' to enable tunnel mode and select the tunnel interface created in step 4 from the drop-down. 

b. Enable IPSec. Check this box to enable IPSec, this is highly recommended. With this setting enabled, GP will always try to first connect over IPSec, if it fails then GP falls back to SSL.

 

c. Timeout settings - leave them to defaults. For any changes to this, refer to GP admin guide.

d. Client settings

Click Add> Give a name to Client Settings config

(Optional) Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'.

This cookie can be encrypted/decrypted using any certificate selected from the drop down of 'Certificate to Encrypt/Decrypt Cookie'.

Note: If a certificate was selected in step 7 under portal, the same certificate needs to be selected here under Gateway 'certificate to encrypt/decrypt cookie'.

 

e. Config Selection Criteria tab. Leave the OS and User group to 'any' (You may restrict it to required groups if wanted). 

 

IMPORTANT!

If a group is chosen from the drop-down, make sure that the GlobalProtect user is part of this group, if not the client will NOT receive IP address from gateway.

 

Common issues here are when the user is identified by GlobalProtect as 'domain\user' but firewall's userid may have it as 'fully qualified domain\user', in those cases make sure the group/user is shown identical at both places by overwriting domain field in user-identification>group mapping. 

f. Network Settings. 

Under the Ip Pool:  

 

IMPORTANT!

• GlobalProtect gateway will be assigning IPs from this pool to clients. Specify the one or more IP pool ranges which DO NOT OVERLAP with any of the existing networks in the organization. Overlapping subnets can cause routing issues and network outages.
• (Optional but recommended) You can add a second IP pool range for backup which will be useful in cases where the user connects a wifi that is providing same IP pool range as your primary IP pool.

g. Split Tunnel > Access Route. This defines which subnets can be reached by GP clients once they are connected to gateway.

• If 'Include' is left blank, it takes it as 0.0.0.0/0 i.e. all the traffic from GP client will be forced to go through GP tunnel.
• For Split tunneling: Specify required internal subnets like 10.0.0.0/8, 192.168.x.0/24 etc so that GP client will use the tunnel to reach only these subnets. Anything outside these subnets will be accessed directly from the client's local network, this is called split tunneling.

h. Click OK to save and close client settings. One more OK to save and close GP gateway settings.

7. Create a local username/password under Device > Local User Database > Users for testing.

8. Create security and NAT policies for the newly created VPN zone to give access appropriately.

9. Commit the changes.

 

Installing client/machine cert in end client

 

This is a pre-logon, hence we need to use 'machine' certificate.

 

When importing a machine certificate, import it in PKCS format which will contain its private key.

 

Windows - 

 

1. Click start > Run, type mmc to open Microsoft certificate management console.

2. Go to File > Add/Remove Snap-in

 

 

 

IMPORTANT!

 

3. Click Certificates > Add and select one or both of the below:

 

a. To add machine(device) certificate, select 'Computer Account'. This is used for 'pre-logon' as it authenticates a machine.

 

 

 

 

 

 

4. Import machine certificate into mmc.

For importing machine certificarte, import it to 'Personal' Folder under 'Computer Account'

 

 

 

5. Similarly import the Root CA in the 'Trusted Root Certificate Authorities and Intermediate CAs(if any) in the 'Intermediate Certification Authorities'

 

 

 

IMPORTANT!

 

6. Once imported, double click the imported machine certificate to make sure

 

a. it has private key

b. its certificate chain is full upto its root CA. If the chain is missing root CA or intermediate CA, import them to their respective folders as explained in Step 5.

 

 

 

 

 

7. At this point the certificates are imported on the client, you can close the mmc console without saving it.

 

To test on client machine

 

1. From the browser go to https://gp.portal-gw01.local/ ie https://<portal-ip/fqdn>

2. Enter the credentials

3. Download the GP client 

4. In the GP client, enter the Portal address and credentials, click connect.

5. On the gateway firewall, you will see that actual user connected.

6. Log-off from that computer to simulate pre-logon situation

7. On the gateway firewall, you will see the pre-logon user connected.

8. Log into the computer with actual username,

9. On the gateway firewall, you will see the pre-logon gets renamed to actual user.