How to Configure GlobalProtect SSO with Pre-Logon Access using Self-Signed Certificates

Printer Friendly Page

This article can still be used as a reference but I strongly recommend to check out the newer versions out there specifically created to cover newer PAN-OS versions :





This document describes how to configure GlobalProtect SSO with the Pre-Logon access method using self-signed certificates.



The example configuration below is for one portal and one gateway residing on the same Palo Alto Networks device but can be expanded to reflect multiple gateways. Local Database authentication is used for this example but other authentication methods (LDAP, Kerberos, Radius, etc.) can be applied.

  1. Generate the root Certificate Authority (CA) certificate on the Palo Alto Networks device. This will be used to sign the server certificates for for both GlobalProtect Portal and Gateway, as well as the machine certificate that will be deployed to the client machines.
    6-13-2013 10-08-02 AM.png
  2. Generate the server and machine certificates. Each certificate should be signed by the CA certificate created in Step 1.
    6-13-2013 10-10-33 AM.png
    6-13-2013 10-13-25 AM.png
  3. Device certificates associated with GlobalProtect should appear as follows:
    6-13-2013 10-13-46 AM.png
  4. Create a Certificate Profile. This will be used to confirm machine certificate validity when cross-checking with the CA Certificate. Make sure to select the CA Certificate when adding 'CA Certificates'.
    6-13-2013 10-17-13 AM.png
  5. Create your GP Portal as follows:
    1. Under Portal Configuration, configure the network and authentication settings. Select the server certificate generated in Step 3 above. For Certificate Profile, select the profile created in Step 4.
      6-13-2013 10-19-21 AM.png
    2. Under Client Configuration, create a config file. This will be pushed to GlobalProtect clients during initial connection and rediscover network attempts.
      Configure the pre-logon client config with pre-logon access method. Configure another config with 'any' user so that all users including pre-logon will get the same config. In the Trusted Root CA section, add the root CA created in Step 1. This certificate will be pushed out to the connecting agents.
      6-25-2013 9-51-27 AM.png
  6. A sample GlobalProtect Gateway configuration is shown below. Make sure to use the same server certificate and certificate profile used in the GlobalProtect Portal configuration.
    6-13-2013 10-53-00 AM.png
  7. The image below shows a GlobalProtect Gateway configuration that terminates users to tunnel.1 (L3-Trust Zone) and uses the scope with access route only to the Internal Trust Network (
    6-13-2013 10-56-07 AM.png
  8. Next step is to export the machine certificate which will then be added to the trusted certificate store on the local computer. Use the PKCS12 file format and provide a passphrase.
    6-13-2013 11-06-18 AM.png
  9. On the client machine, import the previously exported machine certificate. The image below demonstrates the use of the MMC certificate snap in for the local computer.
    6-13-2013 1-50-06 PM.png
    6-13-2013 1-51-19 PM.png
  10. This will execute the Certificate Import Wizard. Follow the steps to complete the import. The certificate for this example was exported in pkcs12 file format. Make sure to confirm the correct cert is detected.
    6-13-2013 1-53-37 PM.png
  11. Install the certificate into the local computer personal certificate store and then confirm the installation.
    6-13-2013 1-55-37 PM.png
    6-13-2013 1-56-25 PM.png
  12. Here, syslog indicates the initial connection with the agent using the user credentials to successfully connect. Subsequently, log off the machine and verify that the machine is still able to make a successful connection to both GlobalProtect Portal and Gateway as a 'pre-logon' user with the machine certificate validated by the CA certificate.
    6-13-2013 1-59-50 PM.png


owner: rkalugdan


Very clear and nice article which explains the pre-logon. If this could be updated for 7.1.x it would be even better.

Yep, I agree with shganesh. The artical is good but definitely in need of an update for 7.1.x. So much has changed that this artical is almost no longer relevant. 

I was given this link by support just the other day.  If a lot has changed why would they still give this out?  I created my CA, then after creating the Server-Cert and clicking gererate I get the following error:


Failed to insert certificate into configuration. Only self signed CA certificates can have identical subject and issuer fields. 


That must be something that has changed as the images above shows them having the same.

I recommend using the newer GP articles out there that were made for PAN-OS 8.0 :