GlobalProtect Pre-Logon Windows 10 Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect Pre-Logon Windows 10 Issue

L0 Member

Hello!

I am facing a problem with pre-logon on windows 10. I have some windows 10 laptops that works fine but few of them have the problem below.

I have import the  local machine certificate and change registry entries. If I sign out from windows, I can see the pre logon option and connect to my vpn. But when i restart or shutdown the laptop, when it comes to the windows login screen, I dont have any option for pre logon. That means that i have first to login with a cached user , log off and here they are the start global protect option. 

Any advice?

Thanks a lot

 

5 REPLIES 5

L4 Transporter

Do a check on following :-

 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup

Prelogon Value should be 1.

 

Check your machine certificate status.

 

your machine certificates it should contain private key.

 

Check certificate chain for machine certificate.

 

Troubleshooting logs what error do you see ?

 

 

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

L2 Linker

Just wondering if there was a resolution with this?

 

From research apparently changing the Pre-Logon Tunnel Rename Timeout to 0 might help.

 

SirchRettop_0-1604060962144.png

This setting controls how GlobalProtect handles the pre-logon tunnel that connects an endpoint to the gateway.
A value of -1 means the pre-logon tunnel does not time out after a user logs on to the endpoint; GlobalProtect renames the tunnel to reassign it to the user. However, the tunnel persists even if the renaming fails or if the user does not log in to the GlobalProtect gateway.
A value of 0 means when the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it. In this case, GlobalProtect initiates a new tunnel for the user instead of allowing the user to connect over the pre-logon tunnel. Typically, this setting is most useful when you set the 
Connect Method
 to 
Pre-logon then On-demand
, which forces the user to manually initiate the connection after the initial logon.
A value of 1 to 600 indicates the number of seconds in which the pre-logon tunnel can remain active after a user logs on to the endpoint. During this time, GlobalProtect enforces policies on the pre-logon tunnel. If the user authenticates with the GlobalProtect gateway within the timeout period, GlobalProtect reassigns the tunnel to the user. If the user does not authenticate with the GlobalProtect gateway before the timeout, GlobalProtect terminates the pre-logon tunnel.

L1 Bithead

Having this issue now - did you ever get it resolved?
Cheers

L0 Member

Hello all,

In case someone else is facing this issue

1. Make sure the registry's Prelogon Value is 1, as Fatboy1607 already mentioned.

2. Make sure you imported the correct certificates on the machine/user store on the endpoints

3. As per the PA doc, if you have different configs for prelogon and other users, make sure the connect method is prelogon.

 

And here is what fixed the same issue I had:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UgXCAU&lang=en_US%E2%80%A...

 

Checking PanGPS, I found out that PanGPS found a user session, so it skipped the pre-logon tunnel establishment, and continued with the normal user connection establishment

Once I disabled that Windows 10 feature mentioned on the link above, pre-logon tunnel was working as expected

 

Kind regards,

Apostolos

I owe you big time. Was struggling with this for a long time until I finally came across your post. Thanks a lot!

  • 15105 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!