The GlobalProtect prelogon connect method lets the GlobalProtect agent authenticate to the portal and gateway and establish the VPN tunnel using a pre-installed device (machine) certificate before any user has logged in. Because the tunnel is already up, domain logon scripts run when the user logs in, instead of relying on cached credentials. Before the user logs in there is no username associated with the traffic, so for the client system to reach resources in the trust zone a security policy must be created that matches the special pre-logon user. Such policies should only allow the basic services needed to bring the system up, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, and operating system update services. After the user logs in and authenticates, the tunnel is renamed to include the username so that user- and group-based policy can be enforced.
The Palo Alto Networks firewall is configured with the Root CA certificate that signs both the server (portal/gateway) certificate and the device certificate. Export the device (machine) certificate and the Root CA certificate and install them on each device that will connect with GlobalProtect. Customers can also use their own PKI to issue device certificates; in that case the firewall administrator must import the Root CA that signs those device certificates into the Palo Alto Networks firewall.
Configure the certificates required for prelogon
Go to Device > Certificate Management > Certificates > Device Certificate and select the device certificate ("GP Machine Cert" is used in this example):
Select the Root CA certificate and click Export:
Download the certificates and install them in the client certificate stores:
For Mac OS X clients
Open Keychain Access and go to the System keychain:
Ensure that all applications are allowed to access the private key of the device certificate, and that the Root CA certificate is present and trusted:
For Windows clients
Certificates are imported either through Group Policy (GPO) or manually with the Certificates MMC snap-in. Below is a manual example for a Windows 7 device:
In the MMC, delete any previously imported (incorrect) machine certificate and Root CA certificate.
Right click LOCAL-COMPUTER > Personal > Certificates, All Tasks > Import, and import the machine certificate (with its private key).
Right click CURRENT-USER > Trusted Root Certification Authorities > Certificates, All Tasks > Import, and import the Root CA certificate.
Right click LOCAL-COMPUTER > Trusted Root Certification Authorities > Certificates, All Tasks > Import, and import the Root CA certificate. Below are examples of installing the device certificate:
Note: For more information about the MMC, see the TechNet library on the Microsoft website.
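The same import can be scripted, which is also the easiest way to check that the result is actually usable for prelogon: the machine certificate must sit in the computer (not user) store with its private key, and it must chain to the Root CA the firewall's certificate profile trusts. The following PowerShell is an added example and is not part of the original article or a Palo Alto Networks tool; the file paths, the PFX password prompt and the store locations are assumptions. It uses the Import-PfxCertificate and Import-Certificate cmdlets from the Windows PKI module (Windows 8 / Server 2012 and later) and must be run from an elevated prompt.

```powershell
# Added example (not from the original article): import the GlobalProtect machine
# certificate and the Root CA on a Windows client, then verify the result before
# the first prelogon attempt. Paths and the password prompt are assumptions.
$ErrorActionPreference = 'Stop'

$MachinePfx  = 'C:\Certs\GP-Machine-Cert.pfx'   # assumed: exported device cert + private key
$RootCaCer   = 'C:\Certs\Root-CA.cer'           # assumed: exported Root CA certificate
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# 1. Device certificate with its private key -> LOCAL-COMPUTER \ Personal.
#    The key has to be in the machine store because the agent uses it before
#    any user profile is loaded.
$machine = Import-PfxCertificate -FilePath $MachinePfx `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 2. Root CA -> LOCAL-COMPUTER and CURRENT-USER \ Trusted Root Certification Authorities
$rootLm = Import-Certificate -FilePath $RootCaCer -CertStoreLocation 'Cert:\LocalMachine\Root'
$rootCu = Import-Certificate -FilePath $RootCaCer -CertStoreLocation 'Cert:\CurrentUser\Root'

# 3. Checks

# Without the private key the certificate cannot be used for client authentication.
if (-not $machine.HasPrivateKey) {
    throw "Machine certificate $($machine.Thumbprint) was imported without its private key."
}

# The certificate must build a chain to a trusted root, and that root must be the
# Root CA just imported (the one in the firewall's certificate profile).
# Revocation checking is skipped because the client may be offline at this point.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($machine)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Machine certificate does not chain to a trusted root: $status"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $rootLm.Thumbprint) {
    throw "Machine certificate chains to '$($chainRoot.Subject)', not to the imported Root CA."
}

# The certificate profile on the firewall rejects expired or not-yet-valid certificates.
$now = Get-Date
if ($now -lt $machine.NotBefore -or $now -gt $machine.NotAfter) {
    throw "Machine certificate is outside its validity period ($($machine.NotBefore) to $($machine.NotAfter))."
}

"Machine cert : $($machine.Subject) [$($machine.Thumbprint)] private key present"
"Root CA      : $($rootLm.Subject) [$($rootLm.Thumbprint)] in LocalMachine\Root and CurrentUser\Root"
```

On Windows 7, where the PKI module is not available, the same three imports can be done with certutil: `certutil -f -p "<password>" -importpfx "C:\Certs\GP-Machine-Cert.pfx"` places the machine certificate and key in LOCAL-COMPUTER \ Personal, `certutil -addstore Root "C:\Certs\Root-CA.cer"` adds the Root CA to LOCAL-COMPUTER \ Trusted Root, and `certutil -user -addstore Root "C:\Certs\Root-CA.cer"` adds it to CURRENT-USER \ Trusted Root.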
Create a client Certificate Profile that includes the root certificate:
Configure the portal as shown below:
Enter values for Portal Configuration. As of PAN-OS 6.0 the Portal Configuration no longer requires a client certificate for prelogon to work (it was mandatory in earlier releases).
On the Client Configuration tab, configure the prelogon client configurations to use Cookie Authentication for Config Refresh (CACR):
For both client configurations, "Cookie authentication for config refresh" is chosen as the Authentication Modifier. The Connect Method should be "pre-logon" and the "Use single sign-on" checkbox should be selected in both cases:
Configure the GlobalProtect Gateway as shown below:
Once the changes are committed, the interface configuration should reflect the GlobalProtect settings:
Prelogon client authentication
The user has to connect to the portal once to download the GlobalProtect client. The portal pushes the client configuration to the agent, along with a cookie that the agent later presents to the portal to authenticate a configuration refresh:
Prelogon logs on the Palo Alto Networks firewall
The firewall generates logs for the cookie-based authentication when the sslvpn log level is set to debug. The example below shows the cookie-based authentication logs for the prelogon user:

When the end user logs in to the device and single sign-on (SSO) is enabled in the client configuration, the username is reported to the gateway immediately so that the tunnel can be renamed and user- and group-based policy enforced. If SSO is not enabled in the client configuration, or is not supported on the client system (for example, Mac OS), the user's credentials must be saved in the agent (the "Remember Me" check box must be selected in the agent). The logs for the user authentication cookie are also generated, as shown below:
System logs for the prelogon functionality. The authentication type is cookie:
System logs for the regular user authentication. The authentication type is cookie: