I'm having a heck of a time getting prelogon working for global protect. I have spoke with both Palo Alto support, as well as a vendor that is a Palo Alto partner. Neither were really able to answer my questions.
Here is what I have today. Two Palo Alto 3020's. One is on the west coast, and one on the east coast. I have the portal license on my west coast one, and gateway licenses on both. I have paid for a GoDaddy SSL cert for both devices. I did this so there would be no errors when you browse to the url to either manager it (inside), or download the globalprotect client (outside). Originally when I got it working without the prelogon, I just used the godaddy cert for everything. Both gateways and the portal. This worked fine. If you connect to the portal you would then establish your VPN to the closest gateway.
Now I'm wanting to do the prelogon, and I cannot for the life of me make it work. I have created a Root CA cert for the PA on the west coast. I then created a server and a machine cert off that CA. I created a cert profile that uses the Root CA. No matter how I configure the portal and gateway (various certs, cert profiles, etc) I get one of two situations. With the cert profile on the portal and or gateway I get cert not found. And yes I have exported and imported the certs in to my windows machine multiple times. If I turn off the cert profile, but leave the root CA set for the gateway, I get an error on globalprotect that the cert is invalid. The only spot that I have the Root CA still on where I dont get errors is on the portal. And I really dont understand that because I would expect the portal to need a real cert, and the gateways to not matter since the portal hands you to them.
While reading Palo Alto's guide, I did notice one thing. In their config they are associating the portal and gateway to an internal interface. Mine is associated to an external interface. Can anyone explain what the right configuration should be and why? Why different certs in the portal and gateway. Why associating to external versus internal interface. How do I make it work without having an ssl error on my web url?
There are a few things that you may need to check:
1. Make sure you created the client certificate using the Root CA in your cert profile, and that client cert must be installed (with the private key) into the computer's Machine store. The default is to install it in the user store, which will not work with pre-logon.
2. Ensure you have two separate Client Configurations set up on the portal (Network > GlobalProtect > Portals > portal_name > Client Configuration tab). Both need to use the pre-logon connect method. The first should have Pre-Logon selected on the User/User Group tab, the second should be whatever user groups you want (or "any" if you don't care). You can use SSO here as well if you like, it's after the pre-logon is done so you'll be fine with that.
You'll need to choose the same certificate profile on the GP Gateway for each site, and it should be the same root CA. You may be able to get it to work individually, but I haven't attempted that and am not totally sure how that would be configured off the top of my head.
Check out the following doc if you haven't seen it yet, it's great at the config:
The most common issue I see with the cert not found errors is if the client cert was either imported into the client store (which isn't available until the client logs in) or if only the public key of the client cert was imported into the machine store. You need the private key as well.
Everything you stated above I have done and was still unsuccessful. The errors are either that I dont have the cert, or it refuses to connect because its an unsigned certificate. The guide you linked is the one I used top to bottom.
Thank you for your reply, this looks like its heading in the right direction.
Where should the certificate be stored? All of the PA guides I read, stated you put it in the personal store. For me though, that seems wrong anyways since that would only be visible once you log in to a computer. As far as making it work on one first, that is what I have been working on. in fact, since the start before logon is only to allow policies to run during logon, I was just going to only have it work on one device. Essentially, once they log in, the regular user config should push, which would then have globalprotect pick the closest gateway.
"Personal store" may be confusing.
When you add the Certificates module in mmc, make sure you select the Computer account (default is your user account). You'll have a folder "Personal" there as well...
When importing a certificate, do it the same way (using mmc) and explicitly choose the folder where you want to import the certificate to. Never trust the "Automatically select the certificate store...".
Remember, that "machine" certificate was signed by a CA (may be self signed). So make sure your computer trusts that CA or your nicely imported certificate will still be invalid.
Importing a CA to the Trusted Root CA folder is done the same way.
In our environment, we use the same certificate that is used for SSL decryption to sign our "machine" certificate. This way, for all firewall related stuff, we only need to import this one CA.
I think this is probably what I was missing. I was doing the personal store under my user account. Each time I checked, the personal store under computer was innaccessible. But I just reimaged my laptop over the weekend, so I'll try this again.
To be clear, does each and every cert go under the computer account?
I was able to add my certificates to the location specified, but it didnt resolve the situation. Again got certificate not installed. So it doesnt matter where I put the cert. It doesnt pick it up. Something else is missing, and so far I've been unable to identify what that is.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!