07-23-2020 11:03 AM
The scenario is that we receive a new laptop with pre-loaded certs. I want that laptop to get connected to the GlobalProtect gateway using pre-logon; once it has an IP it will get connectivity with the DC, and later it gets renamed to the user name we log in with.
I am working on the above scenario but am unable to get it working.
That new laptop gets pre-logon registry settings pushed like:
gateway - IP or FQDN
pre-logon - yes
showprelogonbutton - yes
Portal config:
Authentication: using certificate; certificate profile mapped under authentication.
Portal config:
Create 2 profiles
1. Pre-Logon Profile - Pre-logon Always On, User - pre-logon
2. Pre-Logon Profile 2 - Pre-logon Always On, User - any
Gateway config:
Authentication - LDAP
Client settings - tunnel interface, IP pool, split tunnel
Is this config enough to get the above scenario working?
We tried the above config; pre-logon does not trigger.
Any help appreciated.
07-23-2020 10:06 PM
Hey @fatboy1607,
One of the biggest issues involving Pre-Logon tends to be related to the certificate deployment process.
We must ensure the client certificates being deployed are stored in the correct directories and signed by the same root CA which signed the server certificate(s) being used for the Portal and/or Gateway.
I've included a document below discussing this in more detail for you to review as well: https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPfM
Also, if the configurations for the "pre-logon" and "any" users are the same, you won't need to specify a separate configuration for the pre-logon user as this will be matched by the "any" user!
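The two things the reply turns on can be checked on the laptop itself before touching the firewall: whether the pre-logon values were actually pushed, and whether a machine certificate exists that chains to the same root CA as the portal/gateway server certificate. The following PowerShell script is an added example written for this thread, not code from the original post or from Palo Alto Networks. It assumes the pushed values live under the GlobalProtect PanSetup registry key as Portal, Prelogon and ShowPrelogonButton (the OP's "gateway / pre-logon / showprelogonbutton"; confirm the names against your own deployment), that the portal server certificate has been exported to a .cer file whose path you pass in, and that the client certificate for pre-logon must sit in the Local Computer personal store (Cert:\LocalMachine\My) with its private key, since no user is logged on when pre-logon runs.

```powershell
# Added example (not from the thread): check pre-logon prerequisites on a Windows laptop.
# Assumptions: registry key/value names, the exported portal cert path, and the
# machine personal store as the location the pre-logon client cert must be in.
param(
    # Assumption: portal/gateway server certificate exported as a .cer file
    [string]$PortalCertPath = 'C:\Temp\portal.cer',
    # Assumption: key where the GlobalProtect agent reads its pushed setup values
    [string]$PanSetupKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
)

Add-Type -AssemblyName System.Security

function Get-RootThumbprint {
    # Build the chain for a certificate and return the thumbprint of its root,
    # or $null if Windows cannot build a trusted chain from the local stores.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is irrelevant to the "same root CA" question; skip it so an
    # unreachable CRL/OCSP endpoint does not mask the answer.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) { return $null }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return $root.Thumbprint
}

function Test-ClientAuthEku {
    # True if the certificate carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { return $true }
            }
        }
    }
    return $false
}

# 1. Registry: were the pre-logon values pushed at all?
$setup = Get-ItemProperty -Path $PanSetupKey -ErrorAction SilentlyContinue
if ($null -eq $setup) {
    Write-Warning "No GlobalProtect setup key at $PanSetupKey; pre-logon settings were not pushed."
} else {
    foreach ($name in 'Portal', 'Prelogon', 'ShowPrelogonButton') {
        $value = $setup.$name
        if ([string]::IsNullOrEmpty($value)) { Write-Warning "$name is not set" }
        else { Write-Host ("{0} = {1}" -f $name, $value) }
    }
}

# 2. Portal/gateway server certificate: which root does it chain to on this machine?
$portalCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PortalCertPath)
$portalRoot = Get-RootThumbprint -Cert $portalCert
if ($null -eq $portalRoot) {
    Write-Warning "Portal cert '$($portalCert.Subject)' does not chain to a trusted root on this machine."
} else {
    Write-Host "Portal cert chains to root $portalRoot"
}

# 3. Machine store: a client-auth cert with a private key, chaining to the same root.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (Test-ClientAuthEku -Cert $_)
}
if (-not $candidates) {
    Write-Warning 'No certificate with a private key and the Client Authentication EKU in Cert:\LocalMachine\My.'
}
foreach ($cert in $candidates) {
    $root = Get-RootThumbprint -Cert $cert
    $status = if ($root -and $root -eq $portalRoot) { 'OK: same root as portal cert' } elseif ($root) { "MISMATCH: chains to root $root" } else { 'UNTRUSTED: chain cannot be built' }
    Write-Host ("{0}`n   expires {1:u}`n   {2}" -f $cert.Subject, $cert.NotAfter, $status)
}
```

Run it in an elevated PowerShell session on the laptop (the machine store and HKLM key need admin rights to read reliably). A warning on step 1 means the MSI/GPO push never landed, so nothing on the firewall will change the outcome; a MISMATCH or UNTRUSTED line on step 3 is the certificate-deployment problem the reply describes, and the fix is on the CA/deployment side rather than in the portal or gateway configuration.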
07-23-2020 11:01 PM
Thanks @trivers01, appreciate your reply.
1. Query: is it always recommended to use a public cert for the public-facing IP? The portal IP is public, so let's say we use a cert from well-known CAs like Comodo, Symantec, Verizon etc.
2. If that is the same cert I need to use as the server cert on the gateway (as I have the gateway and portal on the same firewall), then the issue is with client authentication, as we cannot get client certificates from well-known root CAs; I mean it's not a good practice.
Then for portal authentication, if I use LDAP or local, for the machines that are newly built I don't have a user name and password for those users who are going to use them, so we want to make authentication using certificate. I think only using a cert profile on the portal to match the subnet name will solve it; your suggestion?
Then I don't see the document mentioning use of cookie authentication?
Some documents refer to using cookie authentication?
3. Any specific logs on the firewall side where we can see if pre-logon is getting triggered?
Thanks again.