Pre-logon issues for users - windows widgets


L1 Bithead

Hello,

 

I have been having an issue over 2022 in that some users, when logging on remotely via Prisma, can't connect. I have tracked it down and it seems to be a fairly new Windows widget in Windows 10 where a weather and location widget loads.

To get around it I had to create a pre-logon rule to allow access to external internet services; the logon then works as expected. We think we have narrowed it down to the following URLs:
*.msn.com/
*.live.com/
*.bing.com
It looks like the windows 10 build tries to connect to these resources before the full tunnel is built. 

Just curious, but has anyone else seen this issue and does anyone know why this widget would cause the pre-tunnel to fail?

 

regards,

Kevin

10 replies

L2 Linker

Hello Kevin,

I would suggest opening a TAC case to check the PanGPS logs on the GlobalProtect client to see why the connection fails. Even when Windows needs to connect to these URLs, it should not stop GP from connecting, unless for some reason the OS or any other app is blocking the PanGPS process from connecting in the first place.

L6 Presenter

Also, you may try "Before Logon" to see if there is the same issue: https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-rele... . Also, what is your version of the GlobalProtect agent? It is better to be on the latest to know that it is not an issue that is already solved.

 

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-release-notes/globalprotect-kn...

L0 Member

Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and enable domain scripts or other tasks to run as soon as the endpoint powers on.

Hello, I opened a TAC case with Palo but am not getting any results. They say that, based on your findings, the PanGPS/PanPGS processes are not the cause of the crash; rather, they are the victims of the crash. They have asked me to perform Windows-level investigations first, as this issue's behaviour includes Windows taskbar freeze and WiFi modifications, but this does not help me resolve why the Prisma clients cannot connect remotely. If I turn off GlobalProtect on the user's laptop they can connect to the corporate network with no problem. It's only over Prisma that the user has a problem connecting.

 

any advice is welcome

It's happening for a lot of Prisma users on different clients from 5.2.4 up to 5.2.10, so I know it's not the client software.

Not all users are affected, but the ones that are affected can get around the issue by disabling their WiFi to disrupt the pre-logon tunnel and then turning their WiFi back on; it then reconnects to the domain via Prisma. It's very frustrating and I would just like to know why this is happening. Is it something that has been pushed out on Windows 10 or is it a problem with pre-logon?

 

any advice is welcome 

That is true, and this has been working OK for two years, but now random users are having a logon issue. It's as if their laptop is trying to talk to the internet when the pre-tunnel is loading. I think I have tracked it down to the following sites and I now have a rule at the top of the policy for pre-logon to hit these websites. Then it disconnects and reconnects the user from Prisma to our domain. It seems to work OK for now, but why does the Windows 10 laptop need access to these websites? Does that not defeat the purpose of pre-tunnel, which should only talk to our domain controllers before disconnecting and then reconnecting to log the user in?

 

autologon.microsoftazuread-sso.com/domain.com/

*.microsoft.com/
www.bing.com/
login.live.com/
*.data.microsoft.com/
*.msn.com

Hi Kevin,

If there are crashes for the process then that needs to be isolated to identify what is causing those. You can maybe ask for more details from TAC on why the process is crashing, and also involve the local IT team or Microsoft as applicable to identify what process is causing the crash. Another good way to isolate is to take a test machine, remove all other 3rd-party software from there except GP, and check if the issue persists.

 

Hi, yes, I have a test laptop which is Windows 10 version 21H2. All other software is removed and the issue still exists. When I boot up and the pre-tunnel starts, the taskbar hangs and that new widget in Windows (the one with MSN, location, weather and some news feeds, etc.) fails to load, and therefore the user can't connect as the pre-tunnel fails.

 

Laptops with version 1809 and 1909 do not have the issue because they do not have this Windows feature.

 

I am curious why this widget is impacting the pre-tunnel, because the pre-tunnel is supposed to talk to our firewall and Active Directory sites only.

 

any advice is welcome

 

regards,

Kevin

L6 Presenter

You may check if enforce globalprotect for network access is enabled:

 

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-quick-configs/...

 

 

Also check if changing between Pre-logon (Always On) or Pre-logon then On-demand helps. Also check if playing with "Pre-logon Tunnel Rename Timeout" or "Preserve Tunnel on User Logoff Timeout" helps:
Hi,

 

I have spoken to Microsoft and taken logs off an affected laptop. 

It turns out this is the problematic URL - autologon.microsoftazuread-sso.com

If I whitelist this URL then the pre-tunnel is unaffected, but if I don't, a lot of users are getting an issue where their taskbar hangs and they can't log in to GlobalProtect until they disconnect their WiFi and turn it back on. It must be because the laptops are trying to log in to Azure even though our laptops are not Azure joined; they are only Azure registered.

 

Has anyone else seen this before, and does anyone know why this would affect the pre-tunnel if not whitelisted?

 

thanks

Kevin
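As an added example (not from this thread, Palo Alto Networks, or Microsoft), here is the check a firewall admin would run before widening a pre-logon rule: summarise which hosts the `pre-logon` user actually reached in URL-filtering logs, then see how far a candidate allow list such as the wildcards listed earlier covers them, so the rule can be narrowed to the one host that is really needed. The trimmed CSV layout, the host names in the sample lines and the set of expected domain controllers are constructed assumptions.

```python
import csv
from fnmatch import fnmatch
from io import StringIO

# Constructed sample lines in a trimmed PAN-OS URL-filtering CSV layout (assumption:
# real exports carry many more columns; only these five are used here). GlobalProtect
# attributes sessions built before logon to the source user "pre-logon".
SAMPLE_LOG = """receive_time,srcuser,src,url,action
2022/05/10 08:01:02,pre-logon,10.20.30.41,autologon.microsoftazuread-sso.com/domain.com/winauth/sso,block-url
2022/05/10 08:01:03,pre-logon,10.20.30.41,www.bing.com/,block-url
2022/05/10 08:01:03,pre-logon,10.20.30.41,api.msn.com/news,block-url
2022/05/10 08:01:05,pre-logon,10.20.30.41,dc01.corp.example/,allow
2022/05/10 08:02:10,corp\\kevin,10.20.30.41,www.msn.com/,allow
"""

# Assumption: the only hosts a pre-logon tunnel should ever need to reach.
EXPECTED_PRELOGON_HOSTS = {"dc01.corp.example", "dc02.corp.example"}


def host_of(url):
    """Host part of a PAN-OS url field, which has no scheme and may carry a path."""
    return url.split("/", 1)[0].lower()


def prelogon_hosts(log_text):
    """Map each host contacted during a pre-logon session to the actions seen for it."""
    hosts = {}
    for row in csv.DictReader(StringIO(log_text)):
        if row["srcuser"] != "pre-logon":
            continue  # post-logon traffic is the user's, not the endpoint's
        hosts.setdefault(host_of(row["url"]), set()).add(row["action"])
    return hosts


def unexpected_prelogon_hosts(log_text, expected=EXPECTED_PRELOGON_HOSTS):
    """Hosts the endpoint reached for before logon that are not known DCs."""
    return {h for h in prelogon_hosts(log_text) if h not in expected}


def allow_list_coverage(hosts, allow_entries):
    """For each candidate custom-URL-category entry, the observed hosts it would match.

    Wildcards are approximated with fnmatch (assumption: PAN-OS matches its own
    '*.' prefixes similarly). An entry that matches nothing widens the pre-logon
    rule for no gain; a host left uncovered will still be blocked before logon.
    """
    coverage = {e: {h for h in hosts if fnmatch(h, e.rstrip("/"))} for e in allow_entries}
    uncovered = set(hosts) - set().union(*coverage.values())
    return coverage, uncovered
```

Run against a real export, the `uncovered` set is what still fails before logon, and entries with empty coverage are the wildcards that can be dropped from the rule.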
