We have a client with Global Protect Pre-logon, which assigns different IP pools to the Pre-logon user than to the known client.
Sometimes we see the connection get the Pri-logon IP and then switch to the known client IP, but other times we see it hang onto the Pre-logon address.
Firewall PAN-OS 8.1.15-h3
Client version 5.1.5
Any suggestions on where to look to figure out why it is inconsistent are appreciated.
We concluded that Global Protect was behaving as designed since the documentation we found indicated that for Windows machines, the tunnel would be renamed from pre-logon to the known user. The client changed his rulebase to apply rules based on user-id rather than ip range and as far as I know, this is working. It is not entirely satisfying, but as far as I can tell, this may just be the way gp works.
We also found that for Windows machines, there was a tunnel rename issue - and our client machines were "holding on" to their IP from the pre-logon pool even though they were no longer connected as pre-logon. So we changed the default value of '-1' (under network, portals, and then under the app section for the pre-logon agent configuration) for the "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" to 0 instead. It works since we did that. Our SE also sent us a note about it that have not looked into yet - could explain why we needed that.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!