What is GlobalProtect Pre-Logon Mode

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Palo Alto Networks dives into the details of pre-logon mode in GlobalProtect. See GlobalProtect harnesses the combination of user-logon, on-demand, and pre-logon to help secure your endusers from security threats. Find answers on LIVEcommunity.




What exactly is this pre-logon mode in GlobalProtect?


Setting up GlobalProtect can be a daunting task, especially, with all the possible modes available to you. We already discussed user-logon  and on-demand mode. However, all good things come in threes, and the third variant to set up GlobalProtect is pre-logon mode.


The GlobalProtect pre-logon connect method enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway before a user logs on to a machine. This allows for internal resources to be connected or scripts executed even before a user logs in.


This means that prior to the user login there is no username associated with the traffic. In order to enable the client system to access resources, you must create security policies that match the pre-logon user. These policies should only allow access to basic services required to start up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, and/or operating system update services. 


GlobalProtect Security Policy Rule - User Tab for Pre-logonGlobalProtect Security Policy Rule - User Tab for Pre-logon


Once the user logs on to the machine, the tunnel gets renamed for Windows users from the pre-logon user to the actual user who logged in. In the case of Mac users, the tunnel is re-established with the actual user who logged in.


Now, since this deals with two users (pre-logon and actual user), you'll need to configure separate client configs in your portal. One for the pre-logon user and another for any specific user group, which makes this specific setup a bit more engaging than the other two connection modes. 


Two views of GlobalProtect Config windows Authentication tab for pre logon and actual userTwo views of GlobalProtect Config windows Authentication tab for pre logon and actual user


For step-by-step instructions and to learn all about setting up your GlobalProtect configuration with pre-logon, please review the following Knowledge Base article:

Basic GlobalProtect Configuration with Pre-Logon



Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.



Stay Secure,
Kiwi out!

L2 Linker

The basic pre logon KB article is very dated at this point and isn't clear on certificates. Support usually doesn't want to mess with pre logon cases and just refers us to the same dated KB article. 

L0 Member

This mode is self explanatory, used in security policies and Globalprotect profiles to identify pre-logon users (certificate-based tunnels built without user credentials BEFORE user logs into system)

L1 Bithead

With this, is there a way to install the Global Protect configuration during the installation?  Our PC imaging process installs GP and also and adds the portal address but the configuration is not there until a user logs into the PC and then signs into Global Protect.  

L2 Linker
L2 Linker

Are there any issues getting this to work on MAC devices? These are the only devices that never connect a tunnel after the certificate auth. 

L2 Linker

@eumbach I have pre-logon working with our Mac endpoints.  It wasn't easy, and I wish I took better notes.  Unfortunately, all I have in my notes is about the OS X machine certificate, and a link to this KB:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkECAS


Once I got the machine cert working with OS X and scripted its import via our on-boarding scripts, Mac's now work with pre-logon without any issues.  I also posted a similar reference to this issue 2 years ago on reddit.  https://www.reddit.com/r/paloaltonetworks/comments/ph1e83/macos_prelogon_vpn/


We also have rules in place that are very specific to pre-logon, and only allowing very specific access and denying all other access in case the machine got stolen, since there would be a connection to your infrastructure once you get pre-logon working.

Register or Sign-in
Top Liked Authors