04-20-2021 01:57 PM
Hey,
I am new to Palo Alto Firewalls and my Organization is wanting to deploy a number of Windows 10 Laptops with certificates and registry entries for prelogin configured. I have heard that we have to log in to the VPN once for the prelogin to work, which requires our IT department to have a hotspot and take those extra steps for every laptop we deploy. I thought with the Certificates and registry entries that this would not be necessary. Prelogin does work with the extra steps; just trying to eliminate them if possible.
Thanks,
04-22-2021 12:41 AM
The easiest way to deploy prelogon is to use cookies to authenticate to the portal, then use certificates to authenticate to the gateway. That very first logon creates the cookie, which should then be automatically refreshed going forward.
You could let your IT department skip that step as it is automatically 'taken care of' once the user logs on for the first time?
04-22-2021 08:16 AM
Thanks for the response Tom!
We were hoping to deploy the laptops and use the prelogon connection to allow an AD user to take it home and log in to Windows 10 without having ever logged in with the laptop connected to our LAN. Trying to eliminate the scenario where a user takes the laptop home without logging into Windows ahead of time and then has to use a local Windows account to log in. We also wanted to allow some sort of remote access to the computer for IT before the user authenticates to the VPN in case there were issues. Some options are RDP and Configuration Manager, which I see policies has the SMS option. We however don't want anybody to use the laptop to attempt to access secure resources on our internal network in the prelogon state.
The portal is not accessible from our LAN. I imagine since it uses loopback and a URL that it could be configured to be accessible internally.