GlobalProtect Pre-Logon NULL issue


L4 Transporter

Trying to set up a new config for pre-logon, and it seems to be not working. I am getting a machine certificate null error.

First I was using internal PKI, but then I found this KB and I was hitting the same issue.

I then tried to set it up with self-generated certs, while I have asked the system admin team to add subject info, but I am still having the same issue.


Below are portal config screenshots, I don't know what I am missing. PANOS 9.0.8, GP 5.1.4


External Gateways in both agent configs point to same public fqdn/ip


I have also tried selecting both options below



Server Authentication below uses a public cert, while the certificate profile uses a self-generated root CA on the firewall.



Below are the local root CA and profile screenshots






Certificate imported into the personal store of the local machine, generated on the firewall.

On reinstall of the agent it asks me to select a certificate; I select this one and get a not authorized message.

Also imported the root certificate from the firewall into trusted certs.



Cyber Elite



It seems you need the Root and Intermediate Cert in the Device and Certificate profile.

Also your Machine cert needs to be part of 






When you create the Machine cert, it needs to be signed by the Intermediate cert.
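The points raised in this thread so far (machine certificate in the personal store of the local machine, a populated subject, and a chain through an intermediate to a trusted root) can be checked on the Windows client with the PowerShell below. This is an added example, not part of the original posts; it only reads the certificate store, and the "at least three certificates in the chain" rule and the disabled revocation check are assumptions made for this sketch.

```powershell
# Added example: report on machine certificates in Cert:\LocalMachine\My.
# Read-only; nothing in the store is changed.
$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: revocation is not checked, so the check also works offline.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Subjects from leaf to root, as Windows resolved them from its own stores.
    $path   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    $status = ($chain.ChainStatus   | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        SubjectEmpty  = [string]::IsNullOrWhiteSpace($cert.Subject)
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        Expired       = ($cert.NotAfter -lt (Get-Date))
        ChainLength   = $chain.ChainElements.Count
        ChainTrusted  = $chainOk
        ChainStatus   = $status
        ChainPath     = $path
    }
    $chain.Reset()
}

# Full report for every certificate in the store.
$results | Format-List

# Flag certificates that fail one of the checks discussed in the thread.
# Assumption: root > intermediate > machine cert means a chain of 3 or more.
foreach ($r in $results) {
    $problems = @()
    if ($r.SubjectEmpty)        { $problems += 'subject is empty' }
    if (-not $r.HasPrivateKey)  { $problems += 'no private key in the store' }
    if ($r.Expired)             { $problems += 'certificate has expired' }
    if (-not $r.ChainTrusted)   { $problems += "chain not trusted ($($r.ChainStatus))" }
    if ($r.ChainLength -lt 3)   { $problems += 'no intermediate CA in the chain' }
    if ($problems.Count -gt 0) {
        Write-Warning "$($r.Thumbprint): $($problems -join '; ')"
    }
}
```

The `Issuer` and `ChainPath` values show which CA certificates the client resolved, which can be compared with the CA certificates listed in the certificate profile on the firewall.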





@MP18 As per your suggestion I have made the below changes. New root > inter > server cert created


Included them in the server profile used in the Gateway authentication config tab


Exported and imported from the firewall into the Windows local store.

Reinstalled GP and tried the connection, same result. Null with not authorized.



And this time I did not see any popup from GP for which cert to use from the local store.

Am I generating machine cert rajv-test right? Do I need to include the server-test cert somewhere?




@MP18 I have updated the config now with the actual certs that are to be used, no self-generated certs, but I am still hitting the same issue.


Test PC has both root and intermediate certs from our internal PKI. Machine cert pushed by Group Policy with subject field populated.


Portal authentication uses the public cert in the ssl-tls profile and none in the certificate profile.

Under the agent tab, root and intermediate certs from internal PKI are selected.


Gateway authentication uses the same public cert ssl-tls profile and a cert profile with root and intermediate in it from internal PKI



This is what I have observed now.

Including the group that works in On-demand mode, pre-logon config fails

If any users is set, user gets authenticated but I still don't see any pre-logon happening



| Portal Authentication | Connect Method | Working |
| --- | --- | --- |
| pre-logon | pre-logon (always-on) | No |
| cn=emp,ou=groups,ou=emp,dc=aaa,dc=bbbbb,dc=ca | pre-logon (always-on) | No |

| Portal Authentication | Connect Method | Working |
| --- | --- | --- |
| pre-logon | pre-logon (always-on) | No |
| Any | pre-logon (always-on) | Yes |