Pre-logon for specific user only

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Pre-logon for specific user only

L2 Linker

My requirement is that some user should use Pre-logon and other should use User-logon. Currently all users are using only user-logon mode.  

Is it possible to use both mode in global protect, because we have to call client certificate profile on globally for pre-logon user?

If yes can you please guide me how can i archive this and Is there any down time need to take for doing this for gp user. 

 

gp1.png

 

   

RK
9 REPLIES 9

L3 Networker

Hi @Rajendranahak 

 

Prelogin cannot be restricted based upon the usernames because there is no username involved during the process. Prelogon is based upon the agent configuration which was received from the portal during the previous successful connection with the portal. Prelogon only for specific users can be achieved by creating two portals ( portal with prelogon and portal without prelogon) . make sure users who require prelogon should connect to the prelogon portal and users who doesnt require prelogon should connect to the other. Please try and let me know. You can check these config with test users to avoid a production interruption for GP users.

 

The other way is using a client certificate , and the laptops which has the certificate can be forced for prelogon. 

 

Thanks,

Ram

L4 Transporter

@Rajendranahak I think the solution @RamprakashRT is probably the easiest.  My organization currently runs multiple portals (one has pre-logon, and the other doesn't) on different IP addresses to meet this need.  I will also throw out that starting in GlobalProtect 5.2, it is possible to do user logon to GlobalProtect before doing Windows logon.  Palo Alto was calling this Connect Before Logon (CBL) in the beta testing.  I'm not sure what your use case is for needing pre-logon.  If you're needing the ability for a machine to be connected in order to run GPOs or login scripts, then this might be a viable option that lets you get away from the pre-logon user.  From my own testing, the feature works well, but as 5.2 just went General Availability, I'm not sure whether the steps to configure it have made it into the documentation yet.

Thanks for response but in my company we are using single GP portal because one ISP has terminated at NGFW, Is there any alternate way to achieve the same.

 

User should login windows domain using GP client and as a covid time that fresh machine unable to come local network for first login.

RK

Do you only have a single IP address from your ISP? If you have multiple addresses (or can request another block of IPs from the ISP), you can add one of them to the public interface I’d the firewall with a /32 mask, and use it for the second portal. For example, if your main address in the block is 10.0.0.1/28, you could add 10.0.0.2/32 on the same interface, and assign it to the second portal. 

 

If additional IPs are not an option, then you probably need to look at certificate authentication that or Connect Before Login using GP version 5.2 as previously mentioned. I was able to find the documentation:  

User Guide - https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-user-guide/globalprotect-app-f...

Configuration - https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-apps/deploy-a...

(Edited to include the link to the configuration page)

Hi @Rajendranahak 

 

I can suggest one more option as well. if you have only one public ip still you can customize the portal for the 2nd portal using the same public IP.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGKCA0

Hope it helps.

Thanks.

Ram

That's a great idea @RamprakashRT.  I didn't even think about using a loopback.  I'm going to have to try that next time we're building out a test portal or migrating users to a new config.

Thanks,

Is there any impact on existing user which has currently logged in using same portal.

RK

 Hi ,

 

You are welcome , there is no impact in the existing portal , you can test this parallely.

Thanks,

Ram

Hi @OwenFuller ,

 

Yeah , please try and let me know how it went .

thanks,

Ram

  • 5869 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!