GlobalProtect PreLogin with Certificates


L0 Member



I am new to Palo Alto Firewalls and my organization wants to deploy a number of Windows 10 laptops with certificates and registry entries for prelogin configured. I have heard that we have to log in to the VPN once for the prelogin to work, which requires our IT department to have a hotspot and take those extra steps for every laptop we deploy. I thought that with the certificates and registry entries this would not be necessary. Prelogin does work with the extra steps; we are just trying to eliminate them if possible.




Cyber Elite

The easiest way to deploy prelogon is to use cookies to authenticate to the portal, then use certificates to authenticate to the gateway. That very first logon creates the cookie, which should then be automatically refreshed going forward.

You could let your IT department skip that step, as it is automatically 'taken care of' once the user logs on for the first time?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L0 Member

Thanks for the response Tom!


We were hoping to deploy the laptops and use the prelogon connection to allow an AD user to take it home and log in to Windows 10 without having ever logged in with the laptop connected to our LAN. We are trying to eliminate the scenario where a user takes the laptop home without logging into Windows ahead of time and then has to use a local Windows account to log in. We also wanted to allow some sort of remote access to the computer for IT before the user authenticates to the VPN in case there were issues. Some options are RDP and Configuration Manager, for which I see policies have the SMS option. We, however, don't want anybody to use the laptop to attempt to access secure resources on our internal network in the prelogon state.


The portal is not accessible from our LAN. I imagine, since it uses loopback and a URL, that it could be configured to be accessible internally.
