Adding MFA to Pre-login GlobalProtect


L0 Member

The GlobalProtect VPN solution is defined with pre-logon and always-on VPN features.

  1. Once the machine is booted and before user login, the machine is authenticated based on a certificate and identified in logs with the (pre-logon) user.
  2. Pre-logon access is restricted to the Mac management solution and AD.
  3. Once the user is logged in, a new tunnel is initiated and authenticated by the same certificate, with the ability to identify the username in the certificate to be added to the user-IP mapping table.
  4. User-group access rules are created to match only a specific user group for access to internal resources.

Required: MFA integration with pre-login

My main scope is to add a stronger authentication mechanism, as with pre-logon:

Step 1: machines are authenticated and authorized once they boot up, based on the first authentication factor (client certificate), to access AD servers.

Step 2: adding to that a second authentication factor, credential logins, to be able to open the laptop itself.


In case the client certificate is compromised, an attacker can import it to their machine and do step 1 then step 2 (as the device credentials are already known to the attacker, since it is already their machine).

Proposal A:

  1. If we apply it with pre-login, I think it won't be suitable, as the machine is already authenticated and any traffic is blocked except to specific destinations such as AD.
  2. Once users log in, maybe here we can apply an authentication security policy that declares that access to internal resources requires MFA.

So with my proposal A, the attacker can still connect through the VPN. Maybe they don't have access to internal resources without a valid OTP, but they can still do a DoS attack to bring down my service.


So I hope it is a good challenge for you to think about 🙂 ....
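The risk raised above (a copied client certificate reused from another machine to bring up a pre-logon tunnel) can at least be made visible from the pre-logon session records that item 1 says the logs contain. The following is an added example, not code from this thread or from Palo Alto Networks; the record field names (user, cert_cn, src_ip, host), the sample events and the managed-host inventory are constructed assumptions, not the PAN-OS log schema.

```python
"""Flag pre-logon VPN sessions whose machine certificate appears from an
unexpected host or from more source addresses than one laptop should have.

Added example with constructed data; field names are hypothetical, not the
real GlobalProtect log format.
"""
from collections import defaultdict

# Constructed sample of pre-logon and user-logon session records.
# Third record: the LAPTOP-A1 certificate is presented from a different
# host and a different address than the genuine laptop used.
SAMPLE_EVENTS = [
    {"user": "pre-logon", "cert_cn": "LAPTOP-A1", "src_ip": "203.0.113.10", "host": "LAPTOP-A1"},
    {"user": "pre-logon", "cert_cn": "LAPTOP-B2", "src_ip": "198.51.100.7", "host": "LAPTOP-B2"},
    {"user": "pre-logon", "cert_cn": "LAPTOP-A1", "src_ip": "192.0.2.55", "host": "attacker-box"},
    {"user": "alice", "cert_cn": "LAPTOP-B2", "src_ip": "198.51.100.7", "host": "LAPTOP-B2"},
]

# Constructed inventory: hosts enrolled in the management solution (item 2).
MANAGED_HOSTS = {"LAPTOP-A1", "LAPTOP-B2"}


def find_suspicious_prelogon(events, managed_hosts, max_source_ips=1):
    """Return sorted (cert_cn, reason) findings for pre-logon sessions.

    Two checks, both aimed at the stolen-certificate case:
      * host-mismatch: the reporting host name is not the certificate's CN
        or is not in the managed inventory;
      * multiple-source-ips: one machine certificate is seen from more than
        max_source_ips distinct source addresses in the batch.
    """
    ips_per_cert = defaultdict(set)
    findings = set()
    for ev in events:
        if ev["user"] != "pre-logon":
            continue  # user-logon tunnels are governed by the user-group rules, not this check
        cn, host = ev["cert_cn"], ev["host"]
        ips_per_cert[cn].add(ev["src_ip"])
        if host != cn or host not in managed_hosts:
            findings.add((cn, f"host-mismatch:{host}"))
    for cn, ips in ips_per_cert.items():
        if len(ips) > max_source_ips:
            findings.add((cn, f"multiple-source-ips:{len(ips)}"))
    return sorted(findings)


if __name__ == "__main__":
    for cn, reason in find_suspicious_prelogon(SAMPLE_EVENTS, MANAGED_HOSTS):
        print(f"{cn}: {reason}")
```

The host name in such a record is reported by the client, so an attacker who copied the certificate can also forge it; the source-address check is the one that does not depend on the client telling the truth. A threshold of one address only makes sense for a short batch, since laptops roam; over a longer window, compare against the addresses the same certificate used during its user-logon sessions instead.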


L0 Member

Any recommendations?

I think there is no real solution for you in this case, except that you disable pre-logon if there isn't enough security for you.

It's probably about the question: do you trust the login screens of Windows and Mac? If not, then change everything to user-logon and there will be no connection to your internal network until the user is successfully authenticated.

L4 Transporter

TL;DR version of this exact question at my organization: use 2FA on the Windows login instead of GP if 2FA is desired in this configuration.
