Global Protect Prelogon not working

L4 Transporter

The scenario is that we receive new laptops with pre-loaded certs. I want that laptop to get connected to the GlobalProtect gateway using pre-logon; once it has an IP it will get connectivity with the DC, and later it gets renamed to the user name we log in with.

I am working on the above scenario but am unable to get it working.

That new laptop gets pre-logon registry settings pushed like:
gateway - IP or FQDN
pre-logon - yes
showprelogonbutton - yes
Portal config.

Authentication: using certificate; certificate profile mapped under authentication.

Portal Config :-

Create 2 Profiles

1. Pre-Logon Profile - Pre-logon Always On, User - pre-logon

2. Pre-Logon Profile 2 - Pre-logon Always On, User - any

Gateway config

Authentication - LDAP
Client settings - Tunnel Interface, IP Pool, Split Tunnel

Is this config enough to get the above scenario working?

We tried the above config; pre-logon does not trigger.

Any help Appreciated.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted
L1 Bithead

Hey @MandarKulkarni,

One of the biggest issues involving pre-logon tends to be related to the certificate deployment process.

We must ensure the client certificates being deployed are stored in the correct directories and signed by the same root CA which signed the server certificate(s) being used for the Portal and/or Gateway.

I've included a document below discussing this in more detail for you to review as well: https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPfM

Also, if the configurations for the "pre-logon" and "any" users are the same, you won't need to specify a separate configuration for the pre-logon user, as this will be matched by the "any" user!

-Cheers
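The two points raised in this thread (the registry values pushed to the new laptop in the original post, and the reply's point that the machine certificate must sit in the right store and chain to the same root CA as the portal/gateway server certificate) can be checked on the endpoint before a pre-logon attempt. The following PowerShell pre-flight script is an added example; it is not code from this thread or from Palo Alto Networks. It assumes the agent reads its settings from `HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup` with value names `Portal`, `Prelogon` and `ShowPrelogonButton` (verify these against the agent documentation for your GlobalProtect version), and the portal FQDN and root CA name are placeholders.

```powershell
# Added example (not from the thread or Palo Alto Networks): pre-flight check
# for a pre-logon laptop build. Assumptions to verify for your agent version:
#  - agent settings live under HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
#  - the value names are Portal, Prelogon and ShowPrelogonButton
#  - the client cert must be in LocalMachine\My and chain to the same root CA
#    as the portal/gateway server certificate
param(
    [string]$PortalFqdn     = 'gp-portal.example.com',   # placeholder portal FQDN
    [string]$ExpectedRootCN = 'CN=Corp-Root-CA',          # placeholder root CA subject
    [string]$SetupKey       = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
)

$problems = @()

# 1. Registry: the three settings the original post pushes to new laptops.
#    Accept "1" or "yes" so the check matches either deployment convention.
function Test-Enabled([object]$v) { return ("$v".Trim().ToLower() -in @('1', 'yes', 'true')) }

if (-not (Test-Path $SetupKey)) {
    $problems += "Registry key missing: $SetupKey"
} else {
    $setup = Get-ItemProperty -Path $SetupKey
    if ($setup.Portal -ne $PortalFqdn) { $problems += "Portal is '$($setup.Portal)', expected '$PortalFqdn'" }
    if (-not (Test-Enabled $setup.Prelogon)) { $problems += "Prelogon is '$($setup.Prelogon)', expected enabled" }
    if (-not (Test-Enabled $setup.ShowPrelogonButton)) { $problems += "ShowPrelogonButton is '$($setup.ShowPrelogonButton)', expected enabled" }
}

# 2. Machine store: pre-logon runs before any user logs on, so a cert in
#    CurrentUser\My is invisible to it. Look for a usable cert in LocalMachine\My
#    whose chain ends at the expected root.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }

$candidates = foreach ($cert in $machineCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline pre-flight; the firewall does its own checks
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Subject -like "*$ExpectedRootCN*") { $cert }
    }
}

if (-not $candidates) {
    $problems += "No valid machine cert with a private key chains to '$ExpectedRootCN' in LocalMachine\My"
} else {
    $candidates | ForEach-Object { "Candidate client cert: $($_.Subject) (expires $($_.NotAfter))" }
}

# 3. Portal server cert: report its issuer so it can be compared with the root
#    found above. The callback returns $true only to let the handshake complete
#    for this read; it is not a trust decision.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($PortalFqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($PortalFqdn)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Portal server cert subject: $($serverCert.Subject); issuer: $($serverCert.Issuer)"
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    $problems += "Could not fetch portal cert from ${PortalFqdn}: $($_.Exception.Message)"
}

if ($problems) { $problems | ForEach-Object { "PROBLEM: $_" } } else { "All pre-logon pre-flight checks passed" }
```

Run it from an elevated prompt on the freshly imaged laptop (reading `LocalMachine\My` private-key flags needs admin rights). A cert that only shows up under `Cert:\CurrentUser\My`, or a portal issuer that does not match the root found in step 2, is exactly the deployment mismatch the reply above describes.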
L4 Transporter

Thanks @trivers01, appreciate your reply.

1. Query: is it always recommended to use a public cert for an IP facing the public? So the portal IP is public; let's say we use a cert from well-known CAs like Comodo, Symantec, Verizon etc.

2. If that is the same cert I need to use as the server cert on the gateway (as I have gateway and portal on the same firewall), then the issue is with client authentication, as we cannot get client certificates from well-known root CAs; I mean it is not a good practice.

Then for portal authentication, if I use LDAP or Local, for the machines that are newly built I don't have a user name and password for those users to use, so we want to make authentication use certificates. I think only using a cert profile on the portal to match the subnet name will solve it; your suggestion?

 

(screenshot attached)

 

Then I don't see the document mentioning the use of cookie authentication? Some documents refer to using cookie authentication?

3. Any specific logs on the firewall side we can see if pre-logon is getting triggered?

Thanks again.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted