Global Protect Pre-logon does not consistently switch IP pools
Showing results for 
Search instead for 
Did you mean: 

The Enhanced LIVEcommunity Experience is finally here! Learn all about it.

Global Protect Pre-logon does not consistently switch IP pools

L1 Bithead

We have a client with Global Protect Pre-logon, which assigns different IP pools to the Pre-logon user than to the known client.


Sometimes we see the connection get the Pri-logon IP and then switch to the known client IP, but other times we see it hang onto the Pre-logon address.


Firewall PAN-OS 8.1.15-h3

Client version 5.1.5


Any suggestions on where to look to figure out why it is inconsistent are appreciated.


Thank you!


L1 Bithead

we have same problem here but with split-tunnel since we have same IP pool for Pre-logon and actual users.

a workaround is to manually refresh the connection after actual user logon


any solution ??

We concluded that Global Protect was behaving as designed since the documentation we found indicated that for Windows machines, the tunnel would be renamed from pre-logon to the known user. The client changed his rulebase to apply rules based on user-id rather than ip range and as far as I know, this is working. It is not entirely satisfying, but as far as I can tell, this may just be the way gp works. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!