Configure Pre-Logon Support for Prisma Access Agent

Learn how to configure pre-logon for Prisma Access Agent, enabling secure tunnel connections before user authentication for improved device management and security.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)

What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Minimum required Prisma Access Agent version: 25.3
  • macOS or Windows desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Configure pre-logon for Prisma Access Agent to establish a secure tunnel before a user logs in to the device. The tunnel provides the network access needed to manage and update remote devices without requiring a user to log in.
To implement pre-logon, you'll need to:
  • Deploy machine certificates throughout your environment, typically using a service like Microsoft Certificate Services. Prisma Access Agent uses these certificates for device authentication during the pre-logon process.
  • Configure the Prisma Access Agent settings to enable the pre-logon feature.
  • Be familiar with security policies and how they apply to pre-logon users.
Pre-logon integrates with existing authentication methods, enabling you to use certificate-based authentication for pre-logon while maintaining SAML or other methods for user login. This flexibility ensures that your security policies remain intact while improving device management capabilities. The feature also supports agent upgrades and downgrades, ensuring your devices remain current and secure. Pre-logon is designed to work across system restarts and sleep-wake cycles, providing consistent connectivity for your managed devices.

Pre-Logon Tunnel Flow

The pre-logon device tunnel establishes connectivity through a sequence that begins at system boot and transitions seamlessly to user sessions.
After a system reboot or user sign-out, pre-logon mode is the only mode in which the agent runs on the endpoint. When a managed device boots up or resumes from sleep, the device immediately uses its preinstalled machine certificate to authenticate with the Endpoint Manager. Upon successful authentication, a tunnel is established before any user logs in. Because no user has logged in yet, this tunnel uses a generic username called pre-logon. The pre-logon tunnel grants the device access to the network resources defined by the security policy configuration that you set up. At this stage, you can push updates, apply group policies, or perform other management tasks without user interaction.
If a real user configured in the IdP has the username pre-logon (for example, pre-logon@email.com), that user can use Prisma Access Agent only in pre-logon mode. Specifically, the pre-logon@email.com user receives the app configuration that is mapped to the generic pre-logon user, instead of the app configuration mapped to the pre-logon@email.com user.

Pre-Logon User Experience

The pre-logon experience differs between Windows and macOS. When a Windows device starts up, the login screen shows the progress of the pre-logon connection. On macOS, there are no visual cues for the pre-logon connection; users simply sign in when prompted by the operating system.
Throughout the pre-logon process, the Windows login screen shows the Prisma Access Agent status. If the device has never been enrolled (meaning the agent has never registered with the Endpoint Manager and has never been configured on the device), pre-logon enrollment proceeds automatically. When enrollment finishes, the agent automatically connects to the best available gateway using the pre-logon tunnel. Once connected, the agent status changes to Connected and lists the gateway that the agent is connected to.
For a device undergoing first-time enrollment, authentication takes place with the Endpoint Manager and the gateway. If the device has previously been enrolled and the user is restarting their device, authentication happens only with the gateway.
After a user logs in, the pre-logon tunnel transitions to a user-specific tunnel with potentially broader access rights. The transition happens after the configured pre-logon tunnel rename timeout expires. Throughout the user's session, administrators retain the ability to manage the device, retrieve logs, and monitor its status.
Upon user logout, the system reverts to the pre-logon state. The user-specific tunnel is terminated, and the device returns to using the limited pre-logon tunnel. This ensures continuous management capability and essential connectivity even when no user is actively logged in. The cycle of transitioning between pre-logon and user-specific tunnels continues, maintaining appropriate access controls throughout the device's operational states until it's shut down.
The remote shell functionality does not work when the user is on the logon screen. However, after the user logs on and until the tunnel rename timeout period expires, the pre-logon tunnel is active and the remote shell will work as expected.

Pre-Logon Tunnel Improvements

Starting in Prisma Access Agent version 26.2, pre-logon device tunnel enhancements provide greater flexibility in managing device connectivity and support for persistent device management independent of user authentication state.
Independent Connection Mode Configuration
Pre-logon tunnels work independently of your connection mode configuration. You enable pre-logon functionality through agent settings rather than selecting it as a connection method. This allows pre-logon to work with both always-on and on-demand connections, letting you manage device connectivity and user connectivity as distinct concerns.
Flexible Tunnel Transition Options
You can control how the agent transitions from the pre-logon device tunnel to the user session through three configuration options:
  • Immediate termination disconnects the pre-logon tunnel as soon as a user logs into the operating system, with user authentication beginning automatically based on your connection mode settings.
  • Timed transition maintains the pre-logon tunnel for a specified duration after OS login, allowing time for SAML authentication or multi-factor authentication workflows to complete before transitioning to the user session. Timed transition does not apply to certificate-only authentication.
  • Persistent mode keeps the device tunnel active until the user successfully authenticates, ensuring continuous connectivity even if authentication encounters delays or failures.
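The tunnel lifecycle described above (boot, OS login, user authentication, rename timeout, logout) under each of the three transition options, as an added model written for this page, not Prisma Access Agent code. The option names "immediate", "timed" and "persistent", the tunnel labels, the 60-second timeout value and the behaviour when authentication has not finished by the timeout are assumptions; the page does not specify them.

```python
from dataclasses import dataclass
from typing import Optional

PRE_LOGON_USER = "pre-logon"  # generic identity carried by the device tunnel


@dataclass
class Agent:
    """Constructed model of the agent's tunnel state; not product code."""
    mode: str                      # "immediate", "timed" or "persistent" (assumed names)
    rename_timeout: int = 60       # seconds; assumed value for the timed option
    tunnel: Optional[str] = None   # "device", "user" or None
    identity: Optional[str] = None
    pending: Optional[str] = None  # OS user whose authentication is in progress
    authenticated: bool = False

    def remote_shell_over_device_tunnel(self) -> bool:
        # Remote shell needs an OS user logged on (not the logon screen)
        # while the pre-logon device tunnel is still up.
        return self.tunnel == "device" and self.pending is not None

    def on_boot(self) -> None:
        # Machine certificate authenticates the device; no user yet.
        self.tunnel, self.identity = "device", PRE_LOGON_USER
        self.pending, self.authenticated = None, False

    def on_os_login(self, user: str) -> None:
        self.pending, self.authenticated = user, False
        if self.mode == "immediate":
            self.tunnel, self.identity = None, None  # device tunnel dropped at once
        # "timed" and "persistent" keep the device tunnel while user auth runs

    def on_auth_result(self, ok: bool) -> None:
        self.authenticated = ok
        if ok and self.mode != "timed":
            self._become_user_tunnel()  # timed mode waits for the rename timeout
        elif not ok and self.mode == "immediate":
            self.tunnel = None  # failed auth leaves no tunnel to fall back on

    def on_timer(self, elapsed: int) -> None:
        # Timed option: device tunnel is renamed to the user tunnel at timeout.
        if self.mode == "timed" and self.pending and elapsed >= self.rename_timeout:
            if self.authenticated:
                self._become_user_tunnel()
            else:
                self.tunnel, self.identity = None, None  # assumed when auth is late

    def on_logout(self) -> None:
        self.on_boot()  # device reverts to the limited pre-logon tunnel

    def _become_user_tunnel(self) -> None:
        self.tunnel, self.identity = "user", self.pending
```

Running the three modes side by side shows the trade-off the options encode: immediate mode has no device tunnel to fall back on if user authentication fails, while persistent mode never loses management connectivity.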
Combined Authentication Support
You can configure authentication profiles to support both SAML and certificate authentication. The agent uses device certificates during pre-logon state and applies your chosen authentication methods (SAML, LDAP, certificates, or multi-factor authentication) after users log into the operating system.
To configure pre-logon, you will need to: