Switching GP from User (Always On) to Pre Logon

Reply
L3 Networker

Switching GP from User (Always On) to Pre Logon

I’m looking at switching GP from User (Always On) to Pre-Logon (always On).

Current setup is one firewall serving as both the portal and gateway. I’m doing both username/password with client user certificates for multiple authentication factors, as this is a requirement.

I deployed a computer cert to test Pre-Logon but it doesnt seem to work as expected it too. I thought it would be like a competitor’s “secure domain login” feature. I want to establish the VPN connection prior to login but I also want to make use of username/password. Also, the vpn connection must be always on. Pre-logon with OnDemand is not an option.

Is this possible?
L3 Networker

Re: Switching GP from User (Always On) to Pre Logon

Anyone? :)

L7 Applicator

Re: Switching GP from User (Always On) to Pre Logon

Hello,

Not sure if I am answering the correct question, but I would take a look at the following article:

 

https://www.paloaltonetworks.com/documentation/81/globalprotect/globalprotect-admin-guide/globalprot...

 

Hope that helps,

L6 Presenter

Re: Switching GP from User (Always On) to Pre Logon

This one has me confused...

 

From @Otakar.Klier's link  "A pre-logon VPN tunnel has no username association because the user has not logged in. "

 

When you're doing "pre-login" that inherently means no known user.  So I'm confused @MikeC when you say you want to establish a VPN tunnel, but you also want to user user ID and PW.  "I want to establish the VPN connection prior to login but I also want to make use of username/password."

 

Do you mean once the user supplies credentials to the computer you want GP to also ask for creds from the user to make the connection to the gateway?

L3 Networker

Re: Switching GP from User (Always On) to Pre Logon

@Brandon_Wertz I was really comparing pre-logon to checkpoint's "secure domain logon" feature. With CP, the computer would boot up, user would enter their windows login info, which would then prompt the CP VPN to pop up, user would enter vpn credentials, vpn would connect and then log into windows. 

 

I'm currently using "Always on" with both username/pw and client certificates for multiple factors requirement. Initially, looking at pre-logon, it seemed it only uses a computer certificate, so can't really have multiple factor auth (not counting windows login). Based on the link @Otakar.Klier posted, it seems I can use computer cert to establish the VPN and also use username/pw + client cert.

 

I also use Internal Host Detection for when laptops are in the office, not sure if that will be an issue.

 

I need to test what happens if there is no internet connection when the computer boots up. I have a requirement to make sure VPN connects if there is an internet connection. Will it automatically connect, or will it require the user to hit connect

L6 Presenter

Re: Switching GP from User (Always On) to Pre Logon

The way "pre-logon" works is it uses the machines certificate to establish a VPN tunnel at boot up. The user doesn't need to click or connect to anything, click a button (et al).

The service starts at start up and you can see at the login screen that the VPN tunnel has been established by looking at other "login options."
L6 Presenter

Re: Switching GP from User (Always On) to Pre Logon

L6 Presenter

Re: Switching GP from User (Always On) to Pre Logon

Here's a pretty detailed example of the pre-logon config:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

 

Of note there's security policy that you need to also have, that allows a "pre-logon" connection.

L3 Networker

Re: Switching GP from User (Always On) to Pre Logon

@Brandon_Wertz thanks for the links, I'll check them out.  I guess the way it works is part of my issue, I can't really have multiple factors before establishing the VPN.   

 

What about when these machines are on the internal network? the VPN is still going to connect? That would be unnessary

L6 Presenter

Re: Switching GP from User (Always On) to Pre Logon

That's where internal host detection comes into play. The VPN tunnel won't come up because the PCs ip would tell GP that the host is internal
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!