11-25-2012 11:52 PM
Hi,
Can anyone explain what the option "pre-logon" means as a value for source-user in a security policy?
I can't find anything about it, not in the built-in help, the admin guide, nor the CLI reference.
11-26-2012 12:31 AM
It's a new feature in PAN-OS 5.0, which is described in the release notes:
"Pre-logon Connection – The pre-logon option is part of the GlobalProtect agent configuration and is used to preserve pre-logon and post-logon services provided by a corporate infrastructure regardless of where the user machine is located. By doing this, a company can create a logical network that maintains the security and management features normally achieved by a physical network. Tunnel selection and establishment occurs pre-logon based on machine certificates. Examples of some of the services that can be maintained include: Active Directory group policy enforcement, drive mapping to server resources, and the ability to receive central software deployment downloads while working remotely. One specific example of how the pre-logon feature works is remote users forget their passwords, a helpdesk admin can reset their domain passwords and the users can log in with the new password because the VPN is already established and direct domain authentication will work."
So in short, GlobalProtect can establish a VPN tunnel before the user is authenticated on his/her machine (using a machine cert).
This way you can, for example, set user=pre-logon to access AD, DNS, AV, WSUS, and the other rules can have user=ad-group(s) or user=userX,userY... for your other systems.
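A PAN-OS CLI sketch of the rule split described above, added here as an illustration; it is not from the thread or from Palo Alto Networks documentation. The zone names (vpn, trust), address objects and the group DN are assumptions, the application names are standard App-IDs, and the lines starting with # are annotations rather than CLI input. pre-logon is a built-in source-user value, not an account created on the firewall or in AD.

```text
# Address objects for the infrastructure a not-yet-logged-on machine may reach (assumed values)
set address DC-Servers ip-netmask 10.10.1.0/24
set address WSUS-Server ip-netmask 10.10.2.10
set address AV-Server ip-netmask 10.10.2.11

# Rule 1: machine-only traffic before any user has authenticated.
# Scope it tightly: domain, patch and AV services only, nothing else.
set rulebase security rules GP-Prelogon-Infra from vpn to trust source any
set rulebase security rules GP-Prelogon-Infra destination [ DC-Servers WSUS-Server AV-Server ]
set rulebase security rules GP-Prelogon-Infra source-user pre-logon
set rulebase security rules GP-Prelogon-Infra application [ dns kerberos ldap ms-ds-smb msrpc ms-update ]
set rulebase security rules GP-Prelogon-Infra service application-default
set rulebase security rules GP-Prelogon-Infra action allow
set rulebase security rules GP-Prelogon-Infra log-end yes

# Rule 2: once the user has logged on and User-ID knows who they are,
# a group-based rule opens the rest (group DN is an assumption).
set rulebase security rules GP-Users-Internal from vpn to trust source any destination any
set rulebase security rules GP-Users-Internal source-user "cn=vpn-users,ou=groups,dc=example,dc=com"
set rulebase security rules GP-Users-Internal application any service application-default action allow
set rulebase security rules GP-Users-Internal log-end yes

# Rule 3: everything else from the tunnel is denied and logged, so an
# identified-only-as-machine session cannot reach more than rule 1 permits.
set rulebase security rules GP-Deny-Rest from vpn to trust source any destination any
set rulebase security rules GP-Deny-Rest source-user any application any service any action deny
set rulebase security rules GP-Deny-Rest log-end yes
```

Rules are evaluated top-down, so the pre-logon rule must sit above the user/group rules and the final deny; the traffic log then shows pre-logon sessions separately from those of named users.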
11-26-2012 12:35 AM
Also an excerpt from the 5.0 admin guide:
**********
and management features normally achieved by a physical network. Tunnel selection and establishment happens pre-logon based on machine certificates that need to be pre-deployed on client systems outside of GlobalProtect.
Examples of some of the services that can be maintained include: Active Directory group policy enforcement, maintaining drive mapping to server resources, and the ability to receive central software deployment downloads while remote. One specific example of how the pre-logon feature works is if a remote user forgets his/her password, since GlobalProtect would connect and use the cached credentials and establish a VPN before the login prompt even appears, a domain administrator could reset the user’s password as if they were logged in directly to a domain controller on the physical network.
**********
Thanks
James
11-26-2012 12:42 AM
So, the pre-logon user value is linked to GlobalProtect?
I indeed found it in the admin guide under GlobalProtect, but there's no mention of the two things being linked.
12-10-2012 01:02 AM
Hi,
I'm hitting the same issue. Can you or anyone clear up the pre-logon definition? For example, do I need to create a user called pre-logon on the PA and create a security rule matching the GP VPN, or do I create a pre-logon user in AD? Or do I not need to create a pre-logon user ID?
I've got pre-logon partly working. The pre-logon feature fails with the error 'user domain\pre-logon failed authentication: invalid username/password'.
However, when I log into the laptop with my AD credentials, the GP client authenticates.
Rod
12-10-2012 01:51 AM
I've resolved my problem. Please refer to https://live.paloaltonetworks.com/message/21662#21662