This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global Protect switching from Pre Logon to User

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect switching from Pre Logon to User

ksauer507
L3 Networker

‎06-29-2024 10:08 AM - edited ‎06-29-2024 10:19 AM

Hello,

 

We have an issue where many times Global Protect clients are not switching from the Pre Logon user to their logged in user name.  Certs are deployed and Pre-logon access works.  IT can remote on to troubleshoot a PC that is just at the windows lock screen.  We can ensure the PC has access to WSUS for updates, etc...  Obviously they have domain authentication access to login and run login scripts etc.  Then after 60 seconds its supposed to switch to their user, which has more access and based on their LDAP groups.  The user login is SAML to Azure AD and every 14 days does require a Duo mfa prompt.


Whats happening is many times the user connects, all their apps start opening and then everything disconnects.  Teams is a real bear keeps asking to sign in.  Then if you go to the tray the GP icon has red X on it.  Click it and it says the network connection is unreachable or the portal is unresponsive.  Check the network connection and reconnect.  If you click the blue connect button, it says connecting, and then in about 10 to 15 seconds its connected and you can restart a lot of the apps that are in a stuck state due to network issues.

A few things about the setup.  In prelogon we give a different IP address.  When you login users get one set of IPs, vendors another, and IT yet a third.  This helps with other access lists, like for example theres ACLs on switches and stuff only IT can get to.  Vendors stay on their own subnet and zone, etc...  I'm wondering if this IP switch is part of the problem?

For example, I booted up, logged in, and I seemed ok and my IP address was 192.168.54.31.  Then I lost everything.  Had to click connect on the GP tray icon and it authenticated me fine and my IP is 192.168.59.201.  Do you think we have to keep prelogon and users in the same subnet / network?
This is Global Protect App version 6.1.2-83 on Windows 11.
Connected to PA 1420's running 11.1.2-h4
We do full tunnel.

We deny local network access. For example I cant ping my home printer from my work laptop, etc...


I seem to remember on our older 3220's this was consistent, but we used a different IP scheme.  Everything was 192.168.55.x prelogon and all.  But the 3220s were on 10.1.10-h4

 

Any ideas how to make the switch from prelogn to logged in user seemless?

0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎07-01-2024 10:07 AM

@ksauer507,

You should be able to look at the user-id logs on your firewall to identify if you have any events to map the IP to the user or not. I would guess that your hypothesis is correct and what you're running into is that the IP switch that you're having them do is losing the user-id mapping. The authentication event gets the pre-logon IP mapped as the user, and when your user gets the new IP address there's no user-id mapping to grant them access through your security rulebase.

You could always add different gateways if you require different subnets to be used for these three groups. Your Portal address could stay the same and then you would just point each user group to the required gateway to isolate them. Generally this is what I would recommend as it also allows you to land them in their own zone to completely separate the traffic.

 

0 Likes Likes

RH747
L1 Bithead

‎07-01-2024 10:10 AM - edited ‎07-01-2024 10:17 AM

Without seeing the GP Monitor logs it's hard to say what could be the root issue. Do you have access to these logs? Check them and note where the failure point is for more clarity on the issue. Seeing what happens at the interim step of portal-prelogin and portal-auth would be of particular interest since that's where you'll pull your user-specific IP.

 

From what it sounds like based on your description it could be the gateway agent client settings as that defines where users are going to be pulling their IP's. When you say you logon, do you mean log into GP or the device? Is your GP configured to pull Windows credentials or have the user login manually? Correct me where I may be wrong, but the string of events read as:

  • User logs into device
  • Device is already registered into pre-logon via machine cert, etc
  • GP disconnects pre-logon connection due to 60 second disconnect rule
  • GP does not pull the user's windows credentials properly and fails
    • Failure point - does GP actually fail here or is this a limitation of your configuration? Logs would give more insight
  • User must sign in manually to regain access to gateway and pull proper IP
-RH747
0 Likes Likes
  • 179 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks