Global Protect - Newly Imaged Laptop, first time login before Windows login

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect - Newly Imaged Laptop, first time login before Windows login

L2 Linker

Hello,

 

Been trying to look around about how to do this but not finding anything.  So we are moving from AnyConnect to Global Protect.  The transition has been fairly smooth but ran into a unique issue yesterday.

 

We have a small number of user's who are remote who can't come into the office and they are getting a new laptop shipped to them.  In the past they were able to use AnyConnect to log into the VPN before logging into the PC because they didn't have any cached credentials.  How do I set up the same thing in global protect?

 

Thank you,

 

-Dustin

1 accepted solution

Accepted Solutions

at the pre-logon stage the user has not logged into windows yet so is unknown

GP runs in the background and authenticates using an installed machine certificate as an 'unknown user' so it is connected to your infrastructure so your user can log on

 

cookie-enabled prelogon is also an option, but that does require the user to have logged on once before it will start working:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEeCAK

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

if you configure GlobalProtect for "prelogon", it creates a tunnel based on the machine certificate before the user has logged on

 

https://live.paloaltonetworks.com/t5/General-Topics/Configuring-Prelogon-for-GlobalProtect/m-p/7935#...

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Does that pre-logon tunnel connect on a newly imaged machine?

 

I thought the user had to log in first to get that to work.

at the pre-logon stage the user has not logged into windows yet so is unknown

GP runs in the background and authenticates using an installed machine certificate as an 'unknown user' so it is connected to your infrastructure so your user can log on

 

cookie-enabled prelogon is also an option, but that does require the user to have logged on once before it will start working:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEeCAK

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Awesome, thanks for the info!

  • 1 accepted solution
  • 4065 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!