06-08-2023 07:56 AM
Hi
Running into an issue with pre-logon not working properly. I have pretty much mirrored the configuration from this KB - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0
Scenario - when the laptop is connected to the on-prem production wifi - internal host detection with enforce network access ON - when the laptop boots up, before logging in, I see GlobalProtect get connected. Once I input my Windows credentials and the laptop boots, I still have to click the connect button on the agent in order for internal host detection to kick in (sometimes it also asks for username/password). I thought the whole purpose of pre-logon with SSO is that it starts all the tunnel processes with less user interaction. This is a big nuisance if the user has to keep clicking connect even when on-prem to detect the internal host connection.
06-08-2023 09:08 AM - edited 06-08-2023 09:10 AM
Not quite, the purpose of pre-logon is that the PC can connect to the VPN before a user ever logs on (e.g. for remote management/updates/etc.). When the user subsequently logs on to the PC the GlobalProtect client re-authenticates the VPN using the user's credentials.
User authentication to the VPN consists of two parts: a connection to the Portal, which delivers the VPN configuration information, and a connection to the Gateway, which is where the encrypted tunnel traffic actually occurs. A separate user authentication to each step is required (though one or the other can be bypassed with various combinations of stored creds and cookies). In order to test internal host detection, the client must first download the configuration from the Portal, which requires an authentication (ignoring for the moment that in some cases the GlobalProtect client will temporarily cache and use a previous config).
Since it sounds like you have applied an SSO user authentication to the Portal, try changing the user Portal authentication to use a client certificate instead (and remove any cookie generation to the Gateway). This will allow the GlobalProtect client to automatically connect to the Portal with the user's certificate, without user interaction, when the VPN switches to the user authentication. The client can then automatically download the VPN config and recognize/check for internal host detection without prompting the user. Then have the SSO authentication on the Gateway, so if the user needs to connect to the VPN (not internally connected) they are prompted for their SSO credentials (and any MFA you may have attached to that).