Our organization has been struggling with getting MS AD security group changes to apply over VPN w/ prelogon enabled for a long period of time now. I have had support tickets in with Palo support and MS support. Palo support has determined via Globalprotect logs, prelogon appears to be functioning properly and no traffic for this function is being denied by prelogon/user firewall security policies.
Sometimes we have noticed if the user reboots twice the security group changes are then reflected on the user's PC. It hasn't been a great experience. I am curious if others are having the same headaches with gpo/security group changes that apply during boot with prelogon. Is it solvable or just something we must live with? We are configured with SAML authentication prelogon always on. Prelogon authenticates via a cookie.
This is working perfectly fine throughout the environments I manage, however whenever folks want an always-on connection we utilize certificates not SAML. Have you verified through the local client side logs and the firewall traffic logs that pre-logon is actually connected and passing traffic when your experiencing the issue? As long as pre-logon is actually working, and you're allowing the traffic, you shouldn't run into any issues with this at all.
Thanks for sharing your experience. Yes I did verify that prelogon was passing traffic during the logon in firewall logs. Also we are using the same subnet on the gateway for prelogon and users so the tunnel only gets renamed to the user. It could be something to do with our workstation build I don't know. Palo support did see that there is a wait for network connectivity during the boot process. Maybe networking is taking a little longer to initialize? It's good to know that it's functioning for others.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!