Global Protect Pre-logon does not consistently switch IP pools

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect Pre-logon does not consistently switch IP pools

L1 Bithead

We have a client with Global Protect Pre-logon, which assigns different IP pools to the Pre-logon user than to the known client.

 

Sometimes we see the connection get the Pri-logon IP and then switch to the known client IP, but other times we see it hang onto the Pre-logon address.

 

Firewall PAN-OS 8.1.15-h3

Client version 5.1.5

 

Any suggestions on where to look to figure out why it is inconsistent are appreciated.

 

Thank you!

3 REPLIES 3

L1 Bithead

we have same problem here but with split-tunnel since we have same IP pool for Pre-logon and actual users.

a workaround is to manually refresh the connection after actual user logon

 

any solution ??

We concluded that Global Protect was behaving as designed since the documentation we found indicated that for Windows machines, the tunnel would be renamed from pre-logon to the known user. The client changed his rulebase to apply rules based on user-id rather than ip range and as far as I know, this is working. It is not entirely satisfying, but as far as I can tell, this may just be the way gp works. 

L0 Member

We also found that for Windows machines, there was a tunnel rename issue  - and our client machines were "holding on" to their IP from the pre-logon pool even though they were no longer connected as pre-logon.  So we changed the default value of '-1'   (under network, portals, and then under the app section for the pre-logon agent configuration) for the "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" to 0 instead. It works since we did that.  Our SE also sent us a note about it that  have not looked into yet - could explain why we needed that.
"

  • 3641 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!