meaning of source-user pre-logon

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

meaning of source-user pre-logon

L2 Linker

Hi,

Can anyone explain what the option "pre-logon" means as a value for source-user in a security policy?

I can't find anything about it. Not in the build in help, the admin guide nor the CLI reference.

1 accepted solution

Accepted Solutions

L6 Presenter

Its a new feature in PANOS 5.0 which is described in the release notes:

"

Pre-logon Connection – The pre-logon option is part of the GlobalProtect agent configuration and is used to preserve pre-logon and post-logon services provided by a corporate infrastructure regardless of where the user machine is located. By doing this, a company can create a logical network that maintains the security and management features normally achieved by a physical network. Tunnel selection and establishment occurs pre-logon based on machine certificates. Examples of some of the services that can be maintained include: Active Directory group policy enforcement, drive mapping to server resources, and the ability to receive central software deployment downloads while working remotely. One specific example of how the pre-logon feature works is remote users forget their passwords, a helpdesk admin can reset their domain passwords and the users can log in with the new password because the VPN is already established and direct domain authentication will work.

"

So in short, Globalprotect can establish a VPN-tunnel before the user is authenticated in his/her machine (using machine cert).

This way you can for example set user=pre-logon to access AD, DNS, AV, WSUS. And the other rules can have user=ad-group(s) or user=userX,userY... for your other systems.

View solution in original post

5 REPLIES 5

L6 Presenter

Its a new feature in PANOS 5.0 which is described in the release notes:

"

Pre-logon Connection – The pre-logon option is part of the GlobalProtect agent configuration and is used to preserve pre-logon and post-logon services provided by a corporate infrastructure regardless of where the user machine is located. By doing this, a company can create a logical network that maintains the security and management features normally achieved by a physical network. Tunnel selection and establishment occurs pre-logon based on machine certificates. Examples of some of the services that can be maintained include: Active Directory group policy enforcement, drive mapping to server resources, and the ability to receive central software deployment downloads while working remotely. One specific example of how the pre-logon feature works is remote users forget their passwords, a helpdesk admin can reset their domain passwords and the users can log in with the new password because the VPN is already established and direct domain authentication will work.

"

So in short, Globalprotect can establish a VPN-tunnel before the user is authenticated in his/her machine (using machine cert).

This way you can for example set user=pre-logon to access AD, DNS, AV, WSUS. And the other rules can have user=ad-group(s) or user=userX,userY... for your other systems.

L4 Transporter

Also an exert from the 5.0 admin guide:

****************************************************************************************************************************************************************

  • –  pre-logon—Select this option to preserve pre-logon and post-logon services provided by a corporate infrastructure regardless of where the user machine is located. GlobalProtect will establish a connection prior to user login to the computer. By doing this, a company can create a “logical network” that maintains the security

    and management features normally achieved by a physical network. Tunnel selection and establishment happens pre-logon based on machine certificates that need to be pre-deployed on client systems outside of GlobalProtect.

    Examples of some of the services that can be maintained include: Active Directory group policy enforcement, maintaining drive mapping to server resources, and the ability to receive central software deployment downloads while remote. One specific example of how the pre-logon feature works is if a remote user forgets his/her password, since GlobalProtect would connect and use the cached credentials and establish a VPN before the login prompt even appears, a domain administrator could reset the user’s password as if they were logged in directly to a domain controller on the physical network.

****************************************************************************************************************************************************************

Thanks

James

L2 Linker

So, the pre-logon user value is linked to global protect?

I indeed found it in the admin guide under global protect. But there's no mention about the two things being linked.

L3 Networker

Hi,

I'm hitting the same issue. Can you or anyone clear up pre-logon definition? for example do I need to create a user called pre-logon on the PA and create a security rule matching the GP VPN or do I create a pre-logon user in AD? or do I not need to create a pre-logon user ID?

I've got pre-logon partly working. The pre-logon feature fails with the error' user domain\pre-logon  failed authentication' invalid username/password'

However when I log into the laptop with my AD credentials the GP client authenticates.

Rod

I've resolved my problem. Please refer to https://live.paloaltonetworks.com/message/21662#21662

  • 1 accepted solution
  • 5081 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!