This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon

Kevin_McCall
L1 Bithead

‎04-20-2022 09:13 AM

Our organization has been struggling with getting MS AD security group changes to apply over VPN w/ prelogon enabled for a long period of time now. I have had support tickets in with Palo support and MS support. Palo support has determined via Globalprotect logs, prelogon appears to be functioning properly and no traffic for this function is being denied by prelogon/user firewall security policies. 

 

Sometimes we have noticed if the user reboots twice the security group changes are then reflected on the user's PC. It hasn't been a great experience. I am curious if others are having the same headaches with gpo/security group changes that apply during boot with prelogon. Is it solvable or just something we must live with? We are configured with SAML authentication prelogon always on. Prelogon authenticates via a cookie. 

 

 

 

0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎04-20-2022 10:11 AM

@Kevin_McCall,

This is working perfectly fine throughout the environments I manage, however whenever folks want an always-on connection we utilize certificates not SAML. Have you verified through the local client side logs and the firewall traffic logs that pre-logon is actually connected and passing traffic when your experiencing the issue? As long as pre-logon is actually working, and you're allowing the traffic, you shouldn't run into any issues with this at all.

0 Likes Likes

Kevin_McCall
L1 Bithead
In response to BPry

‎04-20-2022 10:34 AM

Thanks for sharing your experience. Yes I did verify that prelogon was passing traffic during the logon in firewall logs. Also we are using the same subnet on the gateway for prelogon and users so the tunnel only gets renamed to the user. It could be something to do with our workstation build I don't know. Palo support did see that there is a wait for network connectivity during the boot process. Maybe networking is taking a little longer to initialize? It's good to know that it's functioning for others. 

0 Likes Likes

Kevin_McCall
L1 Bithead
In response to BPry

‎05-06-2022 08:39 AM

@BPry Would you mind sharing with me your configuration so that I may mimic what is working in your environment without giving any sensitive information? That may help us determine if it is an issue with our workstation or Globalprotect configuration. 

0 Likes Likes
  • 1888 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks