11-21-2019 01:25 AM
Hi All,
I am testing a build for Global Protect PreLogon which I have working to a degree.
When I log in for the first time I successfully connect to GP using machine cert. When I log out, it switches to the prelogon state.
When I reboot or boot the laptop, Global Protect is disconnected. Is there a way I can make GP connect as soon as the wireless interface comes up so it is in the prelogon state? All else looks good apart from that.
Using PA software 8.1.11 and GP 5.0.5
Regards
Adrian
11-26-2019 10:40 PM
My issue was resolved with a weekend of checks.
We found that the registry setting for PreLogon was changing and we had to change it back to a DWORD of 1, reboot and then prelogon on boot would work. We don't know why it is doing this but we have generated a group policy that checks the registry setting to ensure that it is correctly set.
I found that the laptop was sending messages for prelogon connection to the Palo Alto but it would never connect. Logging in would see Globalprotect connect and log off would see it switch to Prelogon mode. This lead me to believe the solution was working and lead to the investigation of the laptop settings. Since we have rectified this issue the problem has not resurrected itself.
Regards
Adrian
11-21-2019 06:06 AM
Adrian,
I was able to find this .doc. Not sure if this is what you are looking for but hopefully it starts us off in the right direction.
Thanks,
William
11-21-2019 12:23 PM
I am still having a problem with pre-logon in the mornings, but it is connecting after a logout or reboot. One of the things that you may need to look at is the authentication for your pre-logon. If you have the client certificate as required, that may be part of the problem ( I am speculating). I have that set to none and pre-logon works for me after a logout and reboot, just not after a night with the computer off, booting in the morning.
Also, I am sure you have them right, but I messed that up the first time setting it up. Do you have the pre-logon agent config as the first config?
I am still chasing my demon related to the initial boot of the day, and hope that someone else responds to the thread and has the magic answer, but I wanted to try and help since we are chasing similar issues.
Bruce.
11-26-2019 01:08 PM
What OS are you running on your clients? Are you positive WiFi has connected after a reboot? Windows 7, for example, isn't going to connect to WiFi until a user logs in, while Windows 10 will.
Also, what are you settings Under PortalName > Agent > Pre-LogonConfigName > Authentication? In my experience, if you have any of the options to save user credentials, generate cookie, or accept cookie enabled for the pre-logon user, it actually creates a lot of pre-logon connection failures.
11-26-2019 10:40 PM
My issue was resolved with a weekend of checks.
We found that the registry setting for PreLogon was changing and we had to change it back to a DWORD of 1, reboot and then prelogon on boot would work. We don't know why it is doing this but we have generated a group policy that checks the registry setting to ensure that it is correctly set.
I found that the laptop was sending messages for prelogon connection to the Palo Alto but it would never connect. Logging in would see Globalprotect connect and log off would see it switch to Prelogon mode. This lead me to believe the solution was working and lead to the investigation of the laptop settings. Since we have rectified this issue the problem has not resurrected itself.
Regards
Adrian
09-18-2020 02:50 AM
While it is great to read that the OP created a workaround for the issue of 'changing Prelogon value in the registry'. The underlying cause of this, is still unknown and unsolved.
09-25-2020 12:43 AM
I found a reason why anyone might see this registry key change.
If I create an agent configuration for prelogon with the pre-logon account, and connection method: pre-logon (Always on). (Quite confusing).
And I create another agent configuration for users (any) with the connection method: user-logon (always on).
In this scenario, if you want to enable prelogon to always start, you need to add the registrykey prelogon=1.
However I have confirmed when a user logs in, the agent configuration for users will change the registrykey prelogon to 0.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
