My requirement is that some users should use Pre-logon and others should use User-logon. Currently all users are using only user-logon mode.
Is it possible to use both modes in GlobalProtect, because we have to call the client certificate profile globally for the pre-logon users?
If yes, can you please guide me on how I can achieve this, and is there any downtime needed for doing this for GP users?
Prelogon cannot be restricted based upon usernames because there is no username involved during the process. Prelogon is based upon the agent configuration which was received from the portal during the previous successful connection with the portal. Prelogon only for specific users can be achieved by creating two portals (a portal with prelogon and a portal without prelogon). Make sure users who require prelogon connect to the prelogon portal and users who don't require prelogon connect to the other. Please try and let me know. You can check this config with test users to avoid a production interruption for GP users.
The other way is using a client certificate, and the laptops which have the certificate can be forced to prelogon.
@Rajendranahak I think the solution from @RamprakashRT is probably the easiest. My organization currently runs multiple portals (one has pre-logon, and the other doesn't) on different IP addresses to meet this need. I will also throw out that starting in GlobalProtect 5.2, it is possible to do user logon to GlobalProtect before doing Windows logon. Palo Alto was calling this Connect Before Logon (CBL) in the beta testing. I'm not sure what your use case is for needing pre-logon. If you're needing the ability for a machine to be connected in order to run GPOs or login scripts, then this might be a viable option that lets you get away from the pre-logon user. From my own testing, the feature works well, but as 5.2 just went General Availability, I'm not sure whether the steps to configure it have made it into the documentation yet.
Thanks for the response, but in my company we are using a single GP portal because one ISP is terminated at the NGFW. Is there any alternate way to achieve the same?
Users should log in to the Windows domain using the GP client, and in COVID times a fresh machine is unable to come onto the local network for the first login.
Do you only have a single IP address from your ISP? If you have multiple addresses (or can request another block of IPs from the ISP), you can add one of them to the public interface of the firewall with a /32 mask, and use it for the second portal. For example, if your main address in the block is 10.0.0.1/28, you could add 10.0.0.2/32 on the same interface, and assign it to the second portal.
If additional IPs are not an option, then you probably need to look at certificate authentication or Connect Before Logon using GP version 5.2 as previously mentioned. I was able to find the documentation:
User Guide - https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-user-guide/globalprotect-app-f...
Configuration - https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-apps/deploy-a...
(Edited to include the link to the configuration page)
I can suggest one more option as well. If you have only one public IP, you can still customize the portal for the 2nd portal using the same public IP.
Hope it helps.
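An added PAN-OS CLI example (not from any post in this thread) showing the two ways described above for giving a second portal its own local address on a single firewall: a /32 secondary IP on the existing public interface, or a loopback interface. Interface, zone, virtual-router, address and portal names are assumed placeholders, and the portal binding lines are written from memory of the CLI syntax and should be checked against your PAN-OS version.

```text
configure

# Option A: add a spare public address as a /32 on the same external interface.
# Assumed: ethernet1/1 already carries the existing portal address 10.0.0.1/28.
set network interface ethernet ethernet1/1 layer3 ip 10.0.0.2/32

# Option B: carry the second portal address on a loopback interface instead.
# The loopback must be placed in the external zone and the virtual router,
# otherwise the portal is unreachable from the Internet.
set network interface loopback units loopback.1 ip 10.0.0.2/32
set zone untrust network layer3 loopback.1
set network virtual-router default interface loopback.1

# Bind each portal to its own address (syntax assumed; verify on your version).
# The user-logon portal stays on the primary address; the prelogon portal gets
# the new one, so clients only receive the prelogon agent config when they
# have been pointed at that portal.
set global-protect global-protect-portal GP-Portal-UserLogon portal-config local-address interface ethernet1/1 ip ipv4 10.0.0.1/28
set global-protect global-protect-portal GP-Portal-Prelogon portal-config local-address interface loopback.1 ip ipv4 10.0.0.2/32

commit
```

The new address also needs a security policy permitting HTTPS to it and the same certificate profile as the existing portal, and since endpoints cache the agent config from their last successful portal connection, move a pilot group of clients first.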
That's a great idea @RamprakashRT. I didn't even think about using a loopback. I'm going to have to try that next time we're building out a test portal or migrating users to a new config.