Global Protect AutoVPN and Windows 10 Login Screen

cancel
Showing results for 
Search instead for 
Did you mean: 

Global Protect AutoVPN and Windows 10 Login Screen

L3 Networker

When I login to my laptop computer - underneath my user name for sign in  SOMETIMES is the status

message: GlobalProtect Status: Connected (and under it the name of the GP portal/gateway.)

 

But at other times I see no such message or "sign in options". If sign on options are there one 

includes the GP logo w check on it. 

A third issue now I've seen is where the status message "GlobalProtect Status:Connected" is

misleading. If I open the gateway/users on the PAN I can see that in fact that my laptop was

not connected. 

 

So two questions: 
1) What governs when the GlobalProtect Status appears on the Windows 10 login page?
2) What might cause the GlobalProtect status to say Connected when in fact it is not?

Bonus question: How to approach troubleshooting issue 2 since the false Connected message

is occurring prior to login?

 

7 REPLIES 7

Cyber Elite
Cyber Elite

Have you configured pre-logon tunnel?

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

 

 

Also if you enabled the windows reg keys for before logon then the Globalprotect will log with Windows boot logon credentials to the VPN and also if you are just using Windows SSO then maybe when the computers boots it logs into the VPN really fast: 

 

 

Connect Before Logon (paloaltonetworks.com)

 

 

 

 

Single Sign-On (paloaltonetworks.com)

 

Always On VPN Configuration (paloaltonetworks.com)

 

 

 

 

 

 

From your description it could the Before Logon option that is dictated by the reg keys change on your PC.

Thanks Nikolay. So the pre-logon piece is actually working most of the time. The problems are the inconsistencies 

of the login page display and the occasional inaccurate claim of "Connected" when in fact it's not connected. 

Any thought why sometimes GP Connected/Not Connected status would show but at other times neither

message would show?

Cyber Elite
Cyber Elite

@palomed,

The login provider for GlobalProtect can be inconsistent at times actually being listed. Most of my installations we actually hide the provider so it doesn't show up since the pre-logon tunnel will work properly in the background unless the installation actually requires/makes use of Connect Before Logon. Usually if the installation wants that they simply want pre-logon and a forced VPN tunnel, so the provider doesn't actually matter.

 

As for the Connected message appearing, keep in mind that the login provider is reading the status of PanGPS (the GlobalProtect Service) separately from the PanGPA (the agent). As the agent actually fires up upon login, you can see a delay in it showing connected as it reads information from PanGPS causing it to show disconnected while the tunnel is in fact online. 

Hi BPry. You may be going a little over my head here. Can you give an example of what you mean by a provider? I don't think I've seen that problem. But maybe you're rephrasing something I've asked about - or correcting some term. 

Now as for Connected message - when you say "login provider is reading the status of PanGPS" - are you referring to Microsoft? The login page is the same login page Windows 10 presents to anyone. Except that since we installed GP w pre-login, if you client Sign-in options you'll see [GP][FIDO Sec Key][PIN][Password].   ..so what I'm not getting is that sometimes if I go to that login page it says just "Sign-in options". But other times it's showing the status. If I go into Task Manager I see background process GlobalProtect client and Global Protect service both running. Are you saying perhaps one of these is not running at the time I hit the login screen and that could be making the difference as to whether connection status is displayed?

Cyber Elite
Cyber Elite

If you have enabled pre-logon then check if also the windows reg keys are not changed for before logon as prelogon and before logon can't work together:

 

 

''''

The Pre-logon and Pre-logon then On-demand connection methods are not supported simultaneously with Connect Before Logon.

'''

Connect Before Logon (paloaltonetworks.com)

 

 

The Before logon is a new option that Windows 10 has for vpn agents like globalprotect  called in windows "providers" where when you logon to your computer you also logon with the same credentials at the same time to the VPN agent and it is just a simple change of windows reg keys and to have globalprotect 5.2 or newer:

 

Deploy Connect Before Logon Settings in the Windows Registry (paloaltonetworks.com)

 

 

As I mentioned you either go with before logon or prelogon as to allow the computer for  example to connect to an active directory server for some scripts during boot up and for prelogon it is for the best to be with machine certificates that are always on the device. Also the prelogon option is seen on the windows credentials provider screen not only the "Before logon" shows up:

 

 

 

"""""""""'

The GlobalProtect Credential Provider logon screen for Windows 7 and Windows 10 endpoints also displays the pre-logon connection status prior to user login, which allows end users to determine whether they can access network resources upon login. If the GlobalProtect app detects an endpoint as internal, the logon screen displays the 

Internal

 pre-logon connection status. If the Globalprotect app detects an endpoint as external, the logon screen displays the 

Connected

 or 

Not Connected

 pre-logon connection status.

 

"""""""""""""""""""'

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

 

Remote Access VPN with Pre-Logon (paloaltonetworks.com)

 

 

 

I checked the registry CBL as shown in the first site and that does not exist. 

HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL

.

I do however see 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup

Prelogon REG_SEZ 1

Portal REG_SZ gp.acme.com
CurrentVersion REG_SZ 5.2.5-66

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup\PreLogonStatus
(Default) REG_SZ (value not set)
ConnectedGateway REG_SZ gp.acme.com   
LogonState REG_DWORD 0xffffffff(4294967295)

Do these look right? Again this morning when I logged in there was no pre-login status of the portal. 

Cyber Elite
Cyber Elite

I have prelogon on my PC and it is similar to yours only that my "LogonState" is  "0x00000001" but I can't say specifically about this variable. With me when the prelogon happens my Globalprotect shows the VPN tunnel as established and then after couple of seconds the globalprotect agent becomes gray as if it disconnected itself and I am asked for credentials as to establish a rea tunnel.

 

 

 

 

Better to check your PanGPS and PanGPA logs why the prelogon fails :

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRlCAK

 

 

LIVEcommunity - Knowledge sharing: Globalprotect troubleshooting/investgation. Split tunnel,Globalpr...

 

 

 

 

I suggest also to update your agent to the latest software and to check the connectivity between your computer and the gateway that is used for the prelogon. Also again check your configuration and if the machine certificate for the prelogon authentication is on your PC and check the Globalprotect logs in the GUI that may help discover why the prelogon does not happen (before the System logs were having this info but now there are separate log in the gui)

 

Basic GlobalProtect Configuration with Pre-logon - Knowledge Base - Palo Alto Networks

 

How to Configure GlobalProtect SSO with Pre-Logon Access using ... - Knowledge Base - Palo Alto Netw...

 

 

 

If nothing helps check for known bugs for palo alto and globalprotect versions and raise a TAC case if needed. For example:

 

 

GlobalProtect App 5.2 Known Issues (paloaltonetworks.com)

 

Known Issues (paloaltonetworks.com)

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!