GlobalProtect Prelogon tunnel and Portal authentication


L1 Bithead

Looking for assistance on a GP setup. I want to have a pre-logon tunnel (certificate, always on) and a portal which uses SAML authentication. I also need the user to have to re-authenticate any time they disable, sign out, reboot, etc. The problem I'm running into is that because the portal uses SAML auth, the portal communication during pre-logon fails and therefore the pre-logon tunnel doesn't start. I thought I should be able to set the Generate and Authenticate cookie options on the pre-logon portal agent configuration, but it's not working. I thought it would flow like this:

  1. User boots machine for the first time, no pre-logon tunnel as expected.
  2. User logs into machine, GP starts, user gets our internal SAML authentication window for the Portal.
  3. User logs in, portal generates cookie.
  4. User logs into Post Logon gateway (no cookie options set here because I do not want cookie to auth post logon).
  5. User reboots, portal auth is handled by cookie, pre-logon tunnel starts.

The portal auth by cookie after reboot is apparently not happening. PanGPS.log shows the messages "Unserialized empty cookie on portal..." and there are no attempts to connect to the portal in the FW Monitor log.

For my testing, I have my cookie lifetime set to 10 minutes. My reboots, logons, reboots are all occurring within 3 minutes.

PAN-OS 10.2.9-h1

GP 6.2.3

FYI, there are no certificate issues or anything like that. This is a modification of an existing setup where the pre-logon and portal use the machine certificate. I need to be able to have different portal agent configs for different groups of people, which means I need to know the user at the portal level so I can use AD groups. User certificates are not an option.
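The symptom in the post is that PanGPS.log reports "Unserialized empty cookie on portal..." at pre-logon even though a portal cookie was issued a few minutes earlier, well inside the 10-minute lifetime. The following script is an added troubleshooting aid, not code from the original post or from Palo Alto Networks: it scans constructed PanGPS-style log lines (the exact layout of the real file is an assumption, as are the "Connecting to portal" and "Portal cookie generated" messages) and separates the expected empty-cookie read on a first boot from the unexpected one that follows a successful SAML login, using the configured cookie lifetime to tell an expired cookie from one that was simply never read.

```python
import re
from datetime import datetime

# Constructed sample in a PanGPS.log-like shape (timestamp, level, message).
# The real file's exact format and these message texts other than
# "Unserialized empty cookie on portal" are assumptions for illustration.
SAMPLE_LOG = """\
(T1234) 05/17/24 09:01:02:123 Info (  100): Pre-logon tunnel requested, no user logged in
(T1234) 05/17/24 09:01:02:130 Info (  200): Unserialized empty cookie on portal portal.example.com
(T5678) 05/17/24 09:04:15:001 Info (  300): Connecting to portal portal.example.com
(T5678) 05/17/24 09:04:16:400 Info (  310): Portal authentication succeeded via SAML
(T5678) 05/17/24 09:04:16:450 Info (  320): Portal cookie generated, lifetime 600 seconds
(T9012) 05/17/24 09:06:30:010 Info (  100): Pre-logon tunnel requested, no user logged in
(T9012) 05/17/24 09:06:30:020 Info (  200): Unserialized empty cookie on portal portal.example.com
"""

COOKIE_LIFETIME_S = 600  # the 10-minute lifetime from the post

LINE_RE = re.compile(
    r"^\(T\d+\)\s+(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):\d+\s+\w+\s+\(\s*\d+\):\s*(.*)$"
)


def parse(log_text):
    """Return (timestamp, message) tuples for every line matching the assumed layout."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        events.append((ts, m.group(2)))
    return events


def triage(log_text, cookie_lifetime_s):
    """Count portal connection attempts and classify each empty-cookie read.

    An empty cookie before any cookie was ever generated is normal (first boot).
    An empty cookie within the lifetime of a previously generated cookie is the
    failure described in the post: the cookie exists but is not read at pre-logon.
    """
    cookie_issued_at = None
    portal_attempts = 0
    findings = []
    for ts, msg in parse(log_text):
        if msg.startswith("Connecting to portal"):
            portal_attempts += 1
        elif msg.startswith("Portal cookie generated"):
            cookie_issued_at = ts
        elif msg.startswith("Unserialized empty cookie"):
            if cookie_issued_at is None:
                findings.append((ts, "expected: no cookie before first interactive login"))
            else:
                age = (ts - cookie_issued_at).total_seconds()
                if age <= cookie_lifetime_s:
                    findings.append(
                        (ts, f"unexpected: cookie issued {age:.0f}s ago was not read at pre-logon")
                    )
                else:
                    findings.append(
                        (ts, f"expected: cookie expired ({age:.0f}s > {cookie_lifetime_s}s)")
                    )
    return {"portal_attempts": portal_attempts, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, COOKIE_LIFETIME_S)
    print(f"portal connection attempts: {result['portal_attempts']}")
    for ts, verdict in result["findings"]:
        print(f"{ts:%H:%M:%S} {verdict}")
```

Run against a real PanGPS.log after adjusting `LINE_RE` to the actual line layout; the useful signal is an "unexpected" verdict paired with zero portal connection attempts after the reboot, which matches the post's observation that the firewall's Monitor log shows no portal connection at all.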

3 REPLIES

L1 Bithead

Hi

If you always want pre-logon with certificate auth, deactivate the authentication override. Then you don't run into the cookie problems.

What is your portal authentication setup?

You cannot activate User Credentials And Client Certificate. With pre-logon, you can only activate User Credentials Or Client Certificate. Because you don't have a user at pre-logon.

What does your GP log on the firewall say?
Thank you for the reply, but I'm not sure you understood the question. I have a machine certificate portal and pre-logon setup today. However, now I need to know who the user is at the portal for the post-logon agent config. The question basically comes down to: how do I do that without breaking the pre-logon tunnel?

L1 Bithead

I'm not sure I understood the question 😄 You wrote about SAML login failures at pre-logon (which is normal), but you also expect this behavior at step 1.

For cookie auth you need a valid certificate or user auth at first. This should be the reason for your unserialized cookie problem.

The user results from the SAML auth. If it was successful, you see the user in the logs and can set up different agent configs as well.