This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who Me Too'd this topic

Global Protect Pre-Logon conflicting with User-ID agent

buck1
L1 Bithead

‎10-08-2020 09:12 AM

We are trying to deploy pre-logon, we have security policies around pre-logon users, and then security policies for actual users once they authenticate.  Basically, an initial pre-logon rule that allows access to domain controllers, etc., followed by a pre-logon deny all rule, followed by rules for users that have fully authenticated to GP.  All of this works great, except for one problem.  We run user-ID agents on our network to map IP to username, and we have found that once the user-ID agent maps an IP to a username, the firewall seems to no longer treat that connection as pre-logon from a security rules perspective.

 

So here is the specific example (by the way, we are testing with user initiated pre-logon):

 

User clicks connect button on logon screen, which initiates pre-logon connection to gateway.

 

User then enters domain credentials and successfully authenticates (pre-logon rules are being used for this).

 

User is now logged into computer, but not fully authenticated to GP yet as a user (MFA required to fully authenticate).

 

But because User-ID agent maps the IP of the user to the username, we see that the firewall jumps past our pre-logon deny rule and starts allowing the user to access internal resources we do not want them to access yet.

 

So.. status is still pre-logon, but they are jumping past our pre-logon rules.  Not ideal.  I opened a ticket with Palo and after explaining everything to them, they said that is just the way it is, and we would have to make a feature request to our SE to change this.  I just can't believe we are the only company that users user-ID agent mapping, and also uses Global Protect with pre-logon.  Seems like anyone using these two things together would have the same issue with their security policies.

 

On the occasion that user-ID IP/username mapping does not work, then the pre-logon deny rule does not get jumped, and everything works as expected (traffic gets denied to internal sensitive resources).  But any traffic that does capture the username will jump the pre-logon deny rule.

 

Anybody have any thoughts on a way to get around this issue?

 

1 person had this problem.
0 Likes Likes
Who Me Too'd this topic
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks