cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GP external gateway - Connection method Pre logon Always on

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
MP18
Cyber Elite
Cyber Elite
‎01-07-2020 01:31 PM
‎01-07-2020 01:31 PM

GP external gateway - Connection method Pre logon Always on

We are using SAML in Azure for GP external gateway connection.

When connection method is on demand we get mobile push notification and user gets connected to the GP.

 

Testing with Connection method Pre logon Always on, i am not getting mobile push notification.

Need to confirm is this by design?

 

or is there any config i can do so that Connection method Pre logon Always on  gives me mobile push notification?

 

MP
0 Likes
Reply

Accepted Solutions
Highlighted
MP18
Cyber Elite
Cyber Elite
‎01-20-2020 12:48 PM
‎01-20-2020 12:48 PM

Re: GP external gateway - Connection method Pre logon Always on

TAC confirmed with Engineering team this is not possible.

MP

View solution in original post

0 Likes
Reply

All Replies
Highlighted
kiwi
Community Team Member
‎01-08-2020 02:15 AM
‎01-08-2020 02:15 AM

Re: GP external gateway - Connection method Pre logon Always on

Hi @MP18 ,

 

Not sure if this is by design. 

I'd recommend reaching out to TAC and have them confirm with engineering if it's by design or not.

 

Cheers !

-Kiwi.

 
0 Likes
Reply
Highlighted
MP18
Cyber Elite
Cyber Elite
‎01-08-2020 07:24 AM
‎01-08-2020 07:24 AM

Re: GP external gateway - Connection method Pre logon Always on

As per TAC this is by design but i asked him to confirm with Engineering also.

MP
0 Likes
Reply
Highlighted
MP18
Cyber Elite
Cyber Elite
‎01-20-2020 12:48 PM
‎01-20-2020 12:48 PM

Re: GP external gateway - Connection method Pre logon Always on

TAC confirmed with Engineering team this is not possible.

MP

View solution in original post

0 Likes
Reply
Highlighted
vsys_remo
Cyber Elite
Cyber Elite
‎01-20-2020 01:24 PM
‎01-20-2020 01:24 PM

Re: GP external gateway - Connection method Pre logon Always on

Hi @MP18 

I don't really get it. Why isn't this possible exactly? With SAML you get single sign on, but as you have another loginfactor the push notification should be sent - so why not in your configuration? Don't give up too easily with answers from TAC

 

If there really isn't a way without a feature request where you have to wait, what about using RADIUS MFA connectior for your always-on clients? Does it maybe work this way with SSO and push notifications?

0 Likes
Reply
Highlighted
MP18
Cyber Elite
Cyber Elite
‎01-20-2020 01:32 PM
‎01-20-2020 01:32 PM

Re: GP external gateway - Connection method Pre logon Always on

We have Global protect PRe log on  Always on for pilot testing.

We have SAML configured where we get the push notifications on mobile for authentication.

 

We are using Azure SAML.

When user put the domain password during log on then GP client connects automatically they do not get mobile push notifications.

Opened ticket with TAC almost 2 weeks ago and today he confirmed that this is expected behaviour.

We can not force push mobile notifications while using pre log on always on connection method.

 

Also as our current setup we only want to use SAML using Azure.

 

 

MP
0 Likes
Reply
Highlighted
vsys_remo
Cyber Elite
Cyber Elite
‎01-20-2020 01:41 PM
‎01-20-2020 01:41 PM

Re: GP external gateway - Connection method Pre logon Always on

You are using the newest GP version? Or at least something above 5.0.2?

(I am asking as I intended to do a similar setup ... but this now does not sound very good ...)

0 Likes
Reply
Highlighted
MP18
Cyber Elite
Cyber Elite
‎01-20-2020 01:44 PM
‎01-20-2020 01:44 PM

Re: GP external gateway - Connection method Pre logon Always on

I am using GP client 5.0.4.16

MP
0 Likes
Reply
Highlighted
vsys_remo
Cyber Elite
Cyber Elite
‎01-20-2020 02:24 PM
‎01-20-2020 02:24 PM

Re: GP external gateway - Connection method Pre logon Always on

But the push notification is sent by your SAML IdP or the attached MFA service right? And GP officially supports "Pre-logon followed by SAML". So when viewing from the other side: why is this an issue of GP as the IdP is sending or at least triggering the push notification?

 

0 Likes
Reply
Highlighted
MP18
Cyber Elite
Cyber Elite
‎01-20-2020 02:32 PM
‎01-20-2020 02:32 PM

Re: GP external gateway - Connection method Pre logon Always on

We do not have MFA configured.

As per PA while using Global protect External  and using SAML you can not have MFA.

 

I could not find answer for this checked with PA and also with our SE.

Only option is to use on demand connection method.

As per PA we can submit the feature request to them.

 

 

MP
0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks