The Further Adventures of a Networking Neophyte
Software Version: 6.0.1
GlobalProtect Agent 2.0.4
Now what I need, and desire, is to have client PCs, in an office remote from the data center, log in to the domain controller -in- the data center. They would like this to be as transparent as possible, i.e. to present that domain at login via the standard login menu, and not have it available only after boot.
I believe the way forward is to - somehow - enable the GlobalProtect client to authenticate during boot. I see ways to do this using Windows VPN client, and Cisco has the process documented, but I can't tell how to make it work for GlobalProtect.
I'm searching, and will continue to look, but .. is it even possible?
The solution you are looking for is pre-logon. It will take domain credentials and establish a tunnel before the user gets to the Windows desktop. Please refer to the following documents for an explanation:
Hope this helps. Thank you.
Just wanted to add this document to the thread. It gives step-by-step configuration assistance for setting up pre-logon with a self-signed certificate on the PAN firewall.
Hope this is helpful to you.
I would suggest first checking the GlobalProtect PanGP Agent logs and then moving to the firewall.
There are multiple logs to check on the firewall depending on what you see in agent logs:
less mp-log authd.log
show log system direction equal backward subtype equal globalprotect
less webserver-log sslvpn-access.log
less webserver-log sslvpn-error.log
less mp-log sslvpn.log
less mp-log rasmgr.log
Hope it helps!
You can focus on the following logs; sslvpn.log and rasmgr.log are the most important.
sslvpn.log, rasmgr.log, authd.log, sslvpn-access.log, sslvpn-error.log
We're partially up: Following the guide linked to by tshiv, I'm generating self-signed certs from the PA-200, sending them to the machines, importing to the test client machine, and we're set. After lunch I'll see about getting the clients logged in at boot.
The problem I had was that the PA-200's self-signed cert did not match its DNS name or IP - my mistake when I created it.
I've got a card on my board to circle back to this after we go-live and do it 'right' using certs from our PKI, but that's another battle.
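The name mismatch described in the post above is the usual reason a pre-logon tunnel fails before the user ever sees a prompt: the agent compares the portal address it was given against the certificate's subjectAltName (or, for a SAN-less cert, the CN). The following added example, not code from this thread or from Palo Alto Networks, implements that comparison so a cert can be checked against the portal's DNS name and IP before it is pushed to clients; the portal name, IP and both certificates are constructed for illustration.

```python
import ipaddress

# Constructed example values. BAD_CERT reproduces the mistake from the post:
# its names match neither the portal's DNS name nor its IP, so clients reject it.
PORTAL_DNS = "gp.example.com"
PORTAL_IP = "192.0.2.10"
BAD_CERT = {"cn": "pa-200", "san": []}
GOOD_CERT = {"cn": "gp.example.com",
             "san": ["DNS:gp.example.com", "IP:192.0.2.10"]}


def _dns_match(pattern, host):
    """Match one DNS name (optionally with a single left-most '*') against host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Only a lone '*' as the left-most label is honoured, and it covers exactly
    # one label: *.example.com does not match a.gp.example.com.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert, target):
    """Return True if the certificate's names cover target (a DNS name or IP).

    Follows the common client rule: when a subjectAltName is present it is
    authoritative and the CN is ignored; only a SAN-less cert falls back to CN.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    if cert["san"]:
        for entry in cert["san"]:
            kind, _, value = entry.partition(":")
            if kind == "IP" and target_ip is not None:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            elif kind == "DNS" and target_ip is None:
                if _dns_match(value, target):
                    return True
        return False
    # No SAN: legacy CN fallback, which only ever names a DNS host, not an IP.
    return target_ip is None and _dns_match(cert["cn"], target)


def check_portal_cert(cert, dns_name, ip):
    """Report whether clients using the DNS name or the IP would accept the cert."""
    return {"dns": cert_matches(cert, dns_name), "ip": cert_matches(cert, ip)}


if __name__ == "__main__":
    for label, cert in (("bad", BAD_CERT), ("good", GOOD_CERT)):
        print(label, check_portal_cert(cert, PORTAL_DNS, PORTAL_IP))
```

Running it reports the bad cert as failing both checks and the good one as passing both; a cert that passes only one check will work for clients configured with that portal address and fail for the others.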