10-04-2018 09:30 PM
10-08-2018 07:12 AM
Hello,
Not sure if I am answering the correct question, but I would take a look at the following article:
Hope that helps,
10-08-2018 04:26 PM
This one has me confused...
From @OtakarKlier's link: "A pre-logon VPN tunnel has no username association because the user has not logged in."
When you're doing "pre-login" that inherently means no known user. So I'm confused, @MikeC, when you say you want to establish a VPN tunnel, but you also want to use user ID and PW. "I want to establish the VPN connection prior to login but I also want to make use of username/password."
Do you mean once the user supplies credentials to the computer you want GP to also ask for creds from the user to make the connection to the gateway?
10-08-2018 05:49 PM
@Brandon_Wertz I was really comparing pre-logon to Check Point's "secure domain logon" feature. With CP, the computer would boot up, the user would enter their Windows login info, which would then prompt the CP VPN to pop up, the user would enter VPN credentials, the VPN would connect and then log into Windows.
I'm currently using "Always on" with both username/pw and client certificates for the multiple factors requirement. Initially, looking at pre-logon, it seemed it only uses a computer certificate, so I can't really have multiple factor auth (not counting Windows login). Based on the link @OtakarKlier posted, it seems I can use the computer cert to establish the VPN and also use username/pw + client cert.
I also use Internal Host Detection for when laptops are in the office, not sure if that will be an issue.
I need to test what happens if there is no internet connection when the computer boots up. I have a requirement to make sure the VPN connects if there is an internet connection. Will it automatically connect, or will it require the user to hit connect?
10-08-2018 05:55 PM
10-08-2018 06:06 PM
Here's a pretty detailed example of the pre-logon config:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0
Of note, there's a security policy that you also need to have, one that allows a "pre-logon" connection.
10-08-2018 06:15 PM
@Brandon_Wertz thanks for the links, I'll check them out. I guess the way it works is part of my issue, I can't really have multiple factors before establishing the VPN.
What about when these machines are on the internal network? Is the VPN still going to connect? That would be unnecessary.
10-08-2018 06:20 PM
10-08-2018 06:26 PM
That's what I was hoping you'd say. I don't use internal gateways, but that never seemed to affect internal host detection for me.
I'm going to spin this up in my lab right now. Thanks for the help