GlobalProtect: Pre-logon Authentication


 

In my previous article, "GlobalProtect: Authentication Policy with MFA," we covered Authentication Policy with MFA to provide elevated access for both HTTP and non-HTTP traffic to specific sensitive resources. You can see a diagram of the environment here.

 

In this post, we are going to add pre-logon authentication using machine certificates.

Pre-logon authentication lets a device connect to a gateway before a user logs in to the machine, so that selected internal resources are reachable and scripts can run before logon. For more information about pre-logon, please review this TechDocs article: Remote Access VPN with Pre-Logon.

 

NOTE: This article assumes the following:
  • You have already followed the previous articles in this series.

 

Part V - Pre-logon Authentication

  • Navigate to Device > Certificate Management > Certificates > Generate to create a machine certificate signed by the root CA that was previously created
    • Enter a Certificate Name that represents the device
    • Enter a Common Name that represents the device
    • Select the root CA that was previously created for Signed By
    • Click Generate
      • NOTE: It is recommended to use an enterprise CA in a production environment 

Generate Certificate - Machine Certificate Signed by Root CA

  • Navigate to Device > Certificate Management > Certificates > Generate to create an authentication cookie certificate signed by the root CA that was previously created
    • Enter a Certificate Name that represents the device
    • Enter a Common Name that represents the device
    • Select the root CA that was previously created for Signed By
    • Click Generate

Generate Certificate - Authentication Cookie Certificate Signed by Root CA

 

  • Navigate to Device > Certificate Management > Certificate Profile > Add to create a new Certificate Profile
    • Enter a Name
    • Navigate to CA Certificates > Add to add the root CA that was created previously
    • Click OK

Certificate Profile - Add New Certificate Profile
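The two Generate steps and the Certificate Profile above establish one trust relationship: the firewall will accept a machine or authentication-cookie certificate only if it chains to a CA listed in the profile. The following openssl script is an added example, not part of the original article or of PAN-OS, that reproduces that relationship offline so you can check it; the names gp-root-ca, other-ca, laptop-01, gp-auth-cookie and rogue-01 are assumptions.

```shell
#!/bin/sh
# Added example: mimic "Generate" (root-signed certs) and the Certificate
# Profile check with openssl. All names below are assumed, not from the article.
set -e
WORK="$(mktemp -d)"

# Self-signed root CA, standing in for "the root CA that was previously created"
make_root_ca() {                 # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf certificate whose Common Name represents the device, signed by a CA
make_signed_cert() {             # $1 = common name, $2 = signing CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# The Certificate Profile decision: accept only certs chaining to its CA list.
# Prints "accept" or "reject" and returns 0 or 1 accordingly.
profile_check() {                # $1 = CA in the profile, $2 = presented cert
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo accept; return 0
  else
    echo reject; return 1
  fi
}

make_root_ca gp-root-ca                      # CA added to the Certificate Profile
make_root_ca other-ca                        # a CA that is NOT in the profile
make_signed_cert laptop-01 gp-root-ca        # machine certificate
make_signed_cert gp-auth-cookie gp-root-ca   # authentication-cookie certificate
make_signed_cert rogue-01 other-ca           # machine cert from an untrusted CA

profile_check gp-root-ca laptop-01           # accept
profile_check gp-root-ca gp-auth-cookie      # accept
profile_check gp-root-ca rogue-01 || true    # reject: wrong issuer, no chain
```

The rogue-01 case is the one to keep in mind when an enterprise CA replaces the lab root CA: every CA that issues machine certificates must be listed in the profile, or pre-logon authentication silently fails for those devices.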

  • Navigate to Policies > Security > Add to create a rule above your existing rules which allows access from devices assigned the Pre-logon user to the minimum internal resources necessary

Policies > Security > Add Rule

  • Navigate to Network > GlobalProtect > Portals > select the existing portal that was previously created
    • Navigate to Agent > Add
      • Enter a Name
      • Enable Authentication Override and select the certificate to be used for authentication cookies that was created previously
        • NOTE: Pre-logon will only work if: 
          1. Authentication Override is enabled and the Certificate Profile created previously is applied under the Portals > (your portal) > Authentication tab
          2. Authentication Override is enabled and the Certificate Profile created previously is not applied under the Portals > (your portal) > Authentication tab
          3. Authentication Override is not enabled and the Certificate Profile created previously is applied under the Portals > (your portal) > Authentication tab
        • In this use case, we are using option two. It's important to note that the pre-logon connection will fail if the user has not previously connected, since no authentication cookie has been issued yet. Because we have an internal gateway configured, the user can connect, or refresh the connection, while on the internal network to generate the Pre-logon cookie.
          (See "GlobalProtect Pre-Logon Using Cookie-Based Authentication" for more information.)

Configs > Authentication Tab for Portal Machine Config

  • Navigate to Internal and enter the same information that exists in your other agent configuration

Configs > Internal Tab for Home Internal Gateway

  • Navigate to External and enter the same information that exists in your other agent configuration

Configs > External Tab for Home External Gateway

  • Navigate to App and set the Connect Method to Pre-logon (Always On)
  • Click OK

Configs > App Tab for Connect Method to Pre-logon (Always On)

  • Navigate to Network > GlobalProtect > Portals > select the existing portal that was previously created
    • Navigate to Agent and select the other Agent that was created prior to beginning the configuration changes in this article (NOT the portal machine config you created above)
    • Enable Authentication Override and select the certificate to be used for authentication cookies that was created previously 

Configs > Authentication Tab for Portal Users Config

  • Navigate to App and set the Connect Method to Pre-logon (Always On)
  • Click OK

Configs > App Tab to Connect Method to Pre-logon (Always On)

  • Navigate to Network > GlobalProtect > Gateways > select the external gateway that was previously created
    • Navigate to Authentication > Certificate Profile and select the certificate profile that was previously created

GlobalProtect Gateway - Configuration Certificate Profile

  • Navigate to Agent > Client Settings > select the existing config > Authentication Override then enable it and select the certificate to be used for authentication cookies that was created previously
    • Click OK

Configs > Authentication Override Tab

  • Click OK
  • Commit the configuration

You should now start seeing entries in the System Logs that show successful authentication events with a user name of Pre-logon; you can filter the logs with the filter (description contains 'pre-logon'). Based on the configuration changes implemented in this and the previous articles, we are now authenticating via machine certificates, user credentials, and DUO.