GlobalProtect Configuration Opinions

L1 Bithead

Just to be upfront, I have my configuration working for the most part, but I'm interested to hear if there's a better/safer/quicker way of bending GlobalProtect to my needs. Please feel free to chime in with ideas, opinions or suggestions! Only as much detail as you feel is necessary, but I'm happy to hear what you're thinking.

GlobalProtect pre-logon scenario with 2 levels of post-logon access

  • All hosts will connect on the pre-logon level with limited access to internal resources (AD, etc.) using our internal PKI 
  • After logon all users will automatically stay connected via GlobalProtect (the pre-logon tunnel will switch to the username) and retain access to limited internal resources via security policies and LDAP
  • Select users, after they log on, will have the ability to "reconnect" to the GlobalProtect gateway and have full access to the internal network (again through security policies and LDAP)

Other requirements

TFA is not in play but may be in the future.

Most of the config is based on this article: here

Again, I'm not stuck (currently). Just wanted to hear your opinions. Appreciate any feedback.

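As an added illustration of the three access levels described in the scenario above (this is not configuration from the original post, the linked article, or Palo Alto Networks), the PAN-OS CLI set commands below express them as security policy rules. The zone names vpn and trust, the address group AD-Servers, and the LDAP group DN cn=vpn-full,ou=groups,dc=corp,dc=example are assumed placeholders; pre-logon and known-user are the built-in PAN-OS source-user values for the machine tunnel and for any user-mapped session.

```text
# Assumed zones: "vpn" is the GlobalProtect tunnel zone, "trust" is the internal network.
# Assumed address group "AD-Servers" holds the domain controllers / DNS servers.

# Tier 1: pre-logon (machine certificate only). Reach AD for logon, password change,
# group policy and DNS, and nothing else.
set rulebase security rules GP-Prelogon-AD from vpn to trust source any destination AD-Servers source-user pre-logon application [ dns kerberos ldap ms-ds-smb msrpc ] service application-default action allow

# Tier 2: any user who has logged on and been mapped by User-ID keeps the same limited reach.
set rulebase security rules GP-User-Limited from vpn to trust source any destination AD-Servers source-user known-user application [ dns kerberos ldap ms-ds-smb msrpc ] service application-default action allow

# Tier 3: members of the assumed LDAP group get full internal access. Requires a group-mapping
# profile pointing at the same LDAP server so the DN resolves to users.
set rulebase security rules GP-User-Full from vpn to trust source any destination any source-user "cn=vpn-full,ou=groups,dc=corp,dc=example" application any service application-default action allow

# Explicit, logged deny for anything else arriving over the tunnel.
set rulebase security rules GP-Deny from vpn to trust source any destination any source-user any application any service any action deny log-end yes
```

Rules are evaluated top-down in the order they are added, and the group rule matches as soon as User-ID has mapped the tunnel from pre-logon to the username, so the tier 3 user does not need to reconnect to pick up the wider policy; confirm the mapping with `show user ip-user-mapping all` and the group membership with `show user group name "<group DN>"` before relying on it.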
L7 Applicator

Sounds like an OK setup, but it really depends on your corporate security policies.

For us, PKI is a must, but not acceptable without some form of hard drive encryption protected by a PIN.

This has nothing to do with certificate exposure but is just an additional protection, as you are currently relying on a password-only policy if the device is stolen.

We do not use pre-logon, as users are unable to join Wi-Fi until they auth on the device.

Not sure about the 3rd option in your process section; why would they need to reconnect to obtain different policies?

If you move to 2FA then you may need to look at authentication override, especially if using OTP.

All of the above will not be everyone's cup of tea, but it works well for us and we need to adhere to strict corp policies.



L1 Bithead

Thanks Mickball,

Yeah, I definitely understand everyone's requirements, setup, etc. are different. We too are required to use HD encryption. We liked the promise of pre-logon so users can change passwords, log in for the first time, etc. With all the other requirements in the scenario, it has just gotten overly convoluted IMO. I like your question about whether the users need to reconnect to refresh their policies, because it makes things easier for the users as well. My experience says that the simpler the config, the easier it is to support and secure, so anything that can pare things down, I'm for.

Really appreciate your two cents on this one!
