Scenario is we receive a new laptop with pre-loaded certs. I want that laptop to get connected to the GlobalProtect gateway using pre-logon; once it has an IP it will get connectivity with the DC, and later it gets renamed to the user name we log in with.
I am working on the above scenario but am unable to get it working.
That new laptop gets pre-logon registry settings pushed like:
Gateway - IP or FQDN
Authentication - using certificate, certificate profile mapped under authentication.
Portal Config -
Create 2 profiles:
1. Pre-Logon Profile - Pre-logon Always On, User - pre-logon
2. Pre-Logon Profile 2 - Pre-logon Always On, User - any
Authentication - LDAP
Client settings - tunnel interface, IP pool, split tunnel
Is this config enough to get the above scenario working?
We tried the above config; pre-logon does not trigger.
Any help appreciated.
Hey @MandarKulkarni ,
One of the biggest issues involving Pre-Logon tends to be related to the certificate deployment process.
We must ensure the client certificates being deployed are stored in the correct directories and signed by the same root CA which signed the server certificate(s) being used for the Portal and/or Gateway.
I've included a document below discussing this in more detail for you to review as well: https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPfM
Also, if the configurations for the "pre-logon" and "any" users are the same, you won't need to specify a separate configuration for the pre-logon user, as this will be matched by the "any" user!
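A quick way to check the two conditions above on the endpoint (machine cert in the LocalMachine store with a private key, and the same root CA as the portal's server cert). This is an added example, not code from the thread or from Palo Alto Networks; the portal FQDN is a placeholder to replace with your own.

```powershell
# Added example: compare the root CA of the GlobalProtect portal's server cert
# with the root CA of each machine certificate that pre-logon could use.
# ASSUMPTION: $PortalFqdn is a placeholder, not a real portal.
$PortalFqdn = 'portal.example.com'

function Get-RootThumbprint([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only care about the issuer path here
    [void]$chain.Build($Cert)
    # The last element is the top of the chain: the root CA if it is trusted on this machine.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $untrusted = $chain.ChainStatus | Where-Object { $_.Status -eq 'UntrustedRoot' -or $_.Status -eq 'PartialChain' }
    if ($untrusted) { Write-Warning ("Chain for '{0}' did not end in a trusted root" -f $Cert.Subject) }
    return $top.Thumbprint
}

# 1. Fetch the server certificate the portal presents on TCP/443.
#    The validation callback returns $true so we can inspect even a non-trusted cert.
$tcp = New-Object System.Net.Sockets.TcpClient($PortalFqdn, 443)
$cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($PortalFqdn)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

$serverRoot = Get-RootThumbprint $serverCert
"Portal server cert : {0}" -f $serverCert.Subject
"Portal root CA     : {0}" -f $serverRoot

# 2. Pre-logon runs before any user logs on, so the client cert must live in
#    Cert:\LocalMachine\My (not CurrentUser) and carry its private key.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if (-not $machineCerts) { Write-Warning 'No certificate with a private key in LocalMachine\My' }

foreach ($c in $machineCerts) {
    $clientRoot = Get-RootThumbprint $c
    $rootOk = if ($clientRoot -eq $serverRoot) { 'same root' } else { 'DIFFERENT root' }
    $ekuOk  = if ($c.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku) { 'ClientAuth EKU' } else { 'NO ClientAuth EKU' }
    "{0}  {1}  expires {2:yyyy-MM-dd}  [{3}, {4}]" -f $c.Thumbprint, $c.Subject, $c.NotAfter, $rootOk, $ekuOk
}
```

Run it in an elevated PowerShell on the laptop; a cert that shows "same root" and "ClientAuth EKU" is a candidate for the pre-logon certificate profile, and a warning from Get-RootThumbprint means the issuing CA chain is not installed in the machine's trusted stores.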
Thanks @trivers01, appreciate your reply.
1. Query: is it always recommended to use a public cert for the IP facing the public? So the portal IP is public; let's say we use a cert from well-known CAs like Comodo, Symantec, Verizon etc.
2. If that is the same cert I need to use as the server cert on the gateway (as I have gateway and portal on the same firewall), then the issue is with client authentication, as we cannot get client certificates from well-known root CAs; I mean it is not a good practice.
Then for portal authentication, if I use LDAP or Local, for the machines that are newly built I don't have a user name and password for the users who are going to use it, so we want to make authentication using certificate. I think only using a cert profile on the portal to match the subnet name will solve it; your suggestion?
Then I don't see the document mentioning use of cookie authentication?
Some documents refer to using cookie authentication?
3. Any specific logs on the firewall side we can see if pre-logon is getting triggered?