GlobalProtect Pre-Logon

Enable the pre-logon connect method for GlobalProtect mobile users.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Administrator access to the endpoint for installing the machine certificate
  • Trusted PKI certificate deployed on endpoint
Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. Its purpose is to authenticate the endpoint, not the user, so that domain scripts or other tasks can run as soon as the endpoint powers on. A machine certificate lets the endpoint establish the tunnel to the GlobalProtect gateway; IT administrators commonly install it while staging the endpoint for the user.
Because no user has logged in, a pre-logon tunnel carries a generic pre-logon username. To give endpoints access to resources, create security policy rules that match the pre-logon user. Keep these rules limited to the basic services the system needs to start up, for example DHCP, DNS, specific Active Directory services, antivirus, or other update services: anything the pre-logon user can reach is reachable by any endpoint that holds a valid machine certificate, with no user authentication behind it. After the user authenticates to the gateway, the GlobalProtect app reassigns the tunnel to that user, and the IP address mapping on Prisma Access changes from the pre-logon endpoint to the authenticated user.
The certificate used for pre-logon authentication resides in the endpoint's personal certificate store, in the machine (local computer) store rather than a user's store, because no user profile is available before logon. Use a trusted third-party CA, self-signed CA, or an internal PKI CA to issue the machine certificate. You configure the machine certificate as an authentication method to establish a tunnel from an endpoint before logging in to Prisma Access, and then create a certificate profile that includes the pre-logon CA certificate.

GlobalProtect Pre-Logon (Strata Cloud Manager)

Learn how to enable the pre-logon connect method for GlobalProtect mobile users.

Import a Third-Party Root CA Certificate

Use a machine certificate as an authentication method to establish a tunnel from an endpoint before logging in to Prisma Access.
  1. Select Manage > Configuration > NGFW and Prisma Access > Objects > Certificate Management. Select the Prisma Access configuration scope.
    Ensure that you're importing the certificate for GlobalProtect mobile users.
  2. Import a custom certificate.
  3. Enter values, and Save the certificate settings.

Create a Pre-Logon Certificate Profile

Create a certificate profile and include the root CA that issued the machine certificates. Prisma Access uses this CA to validate the machine certificate presented by the GlobalProtect app during pre-logon.
  1. Select Manage > Configuration > NGFW and Prisma Access > Objects > Certificate Management. Select the Prisma Access configuration scope.
  2. Add Profile.
  3. Enter values.
    1. Ensure that the Username Field is None, so that the certificate is not mapped to a user and the tunnel is attributed to the pre-logon user.
      Username Field can't be None if the portal is configured to allow authentication with user credentials OR a client certificate (that is, if the certificate is accepted as an alternative to another authentication method); in that case the certificate must map to a user.
    2. Add the root pre-logon CA certificate you imported in Import a Third-Party Root CA Certificate.
    3. Save the certificate profile settings.

Configure the GlobalProtect Portal for Pre-Logon

Configure the GlobalProtect portal to authenticate connections with a machine certificate.
  1. Select Workflows > Prisma Access Setup > GlobalProtect > Infrastructure.
  2. Edit the user authentication configuration settings.
    Select an authentication method that GlobalProtect supports for users, and under certificate authentication select the pre-logon certificate profile you created. Any certificate authentication option that GlobalProtect supports can be used.
  3. Configure the GlobalProtect app settings to match the pre-logon criteria.
    1. Navigate to the GlobalProtect App tab.
    2. Add App Settings.
      When you enter values, make sure the settings match the pre-logon user (the generic user that the app presents before anyone logs on) and select the pre-logon certificate profile.
      • Select a pre-logon connect method.
      • If you select Even before the user logs on the machine (Pre-logon) then switch to On-Demand, set Pre-logon Tunnel Rename Timeout to –1. This field is under the VPN advanced options.
    3. Move the pre-logon app setting above other app settings.
    4. Edit all other app settings for authenticated users.
      Update the connect method and the certificate profile.
  4. Push the changes to Prisma Access.

Install a Machine Certificate—Windows

Install the machine certificate at the endpoint, which is used for authentication.
  1. Export the self-signed root CA certificate from your PKI in Binary Encoded Certificate (DER) format.
  2. Transfer the certificate files to a Windows machine.
  3. Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of your local machine.
  4. Install the pre-logon machine certificate in the local machine store location.
  5. Proceed with the installation, enter the passphrase when prompted, and complete the installation.
  6. Connect to the GlobalProtect portal, and delete all cookies from the host.
  7. (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.

GlobalProtect Pre-Logon (Panorama)

Learn how to enable the pre-logon connect method for GlobalProtect mobile users.

Configure Pre-Logon Certificate and Profile

Configure a machine certificate as an authentication method to establish a tunnel from an endpoint before logging in to Prisma Access, and then create a certificate profile that includes the pre-logon CA certificate.
  1. Configure a self-signed CA, and use it to generate a machine certificate in the Mobile User template. Go to Device > Certificate Management > Certificates.
    Be sure that you're in the Mobile_User_Template and the Location is set to Shared.
    1. Name the certificate; for example, Pre-logon CA Cert.
    2. Enter a Common Name.
      The Common Name (CN) identifies the certificate subject. For a server certificate this is the domain name you want to secure, such as www.yourdomainname.com; for this CA certificate, a descriptive name for the CA is sufficient.
    3. Leave the Signed By field blank, and click the Certificate Authority check box.
    4. Generate the certificate for use in Pre-logon connections.
  2. After you configure the self-signed CA, generate the machine certificate.
    1. Enter a Certificate Name and a Common Name.
    2. In the Signed By drop-down, select the Pre-logon CA Cert that you created in step 1.
    3. Generate the Windows VM Machine Certificate that you later install on a Windows machine.
      This certificate is a child of the Pre-logon CA.
  3. To create a certificate profile that includes the pre-logon CA certificate, go to Device > Certificate Management > Certificate Profile.
    Use this CA to validate the machine certificate presented by the GlobalProtect client during the pre-logon tunnel initialization.
  4. Create and name the profile. Ensure that the Username Field is None to prevent the certificate mapping to a user.
  5. Under CA Certificates, select Add and select Pre-logon CA Cert from the drop-down.
  6. Select OK, and then select OK again.

Configure the GlobalProtect Portal for Pre-Logon

Configure the GlobalProtect portal to authenticate connections with a machine certificate.
  1. Go to Network > GlobalProtect > Portals > GlobalProtect_Portal > Authentication.
  2. Under Allow Authentication with User Credentials OR Client Certificate, select No. With No, a valid client certificate is required rather than accepted as an alternative to user credentials, which is what enforces certificate-based authentication for pre-logon.
  3. For Certificate Profile, select the Pre-logon_Profile you created, and click OK.
  4. Select Agent and open the Agent configuration for authenticated users.
  5. Select the App tab.
  6. Select Pre-logon (Always On), and select OK to return to the Agent area.
  7. In the Agent area, Clone the default configuration. Change the configuration name to Pre-logon to match the connect method for machine certificate authentication.
  8. Select the newly cloned agent configuration.
  9. Select Config Selection Criteria. Under User/User Group, choose pre-logon from the drop-down above the user/group list so that this configuration applies to the pre-logon user rather than to a named user or group, and leave the remaining criteria (such as OS) set to Any.
  10. Configure the App settings as needed and select OK. Ensure that you select a pre-logon connect method for both the pre-logon and current configuration.
  11. Move the pre-logon agent configuration to the top of the CONFIGS list to ensure it matches first with the pre-logon condition.
  12. Click OK to save the portal configuration.

Configure the Prisma Access GlobalProtect Gateways

Configure the GlobalProtect gateways in Panorama Managed Prisma Access.
This configuration requires the machine certificate for gateway authentication, matching the portal setting.
  1. Go to Network > GlobalProtect > Gateways > GlobalProtect_External_Gateway > Authentication.
  2. Select the Default authentication method.
    If you already have a client authentication (such as SAML) configured, select it instead of Default.
  3. Under Allow Authentication with User Credentials or Client Certificate, select No (the client certificate is required, not optional), and then select OK to save the configuration.

Install a Machine Certificate—Windows

Install the machine certificate at the mobile users' endpoints, which are used for authentication.
  1. Go to Device > Certificate Management > Certificates.
  2. Be sure that you're still in the Mobile_User_Template. Select the Windows VM Machine Cert that you created previously, and select Export Certificate to download it as a PKCS12 file with a passphrase.
  3. Export the pre-logon CA cert as a base64 encoded certificate.
  4. Transfer the certificate files to a Windows machine.
  5. Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of your local machine.
  6. Install the pre-logon machine certificate with Local Machine as the store location (the wizard prompts for administrator permission), and select Next to proceed with the installation.
  7. Verify that the file name shown is the machine certificate you exported, and select Next.
  8. Enter the password, which is the passphrase you used during the certificate export from Panorama, and select Next.
  9. In the Certificate Store dialog, select Place all certificates in the following store, and select Browse.
  10. Select the Personal folder where you want to install the machine certificate, and select OK.
  11. Select Next to proceed with installation.
  12. Connect to the GlobalProtect portal, and delete all cookies from the host.
  13. (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.
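The two Install a Machine Certificate—Windows procedures above (the Strata Cloud Manager and the Panorama variants) perform the same import through the Windows wizard. The following script is an added example, not code from the Palo Alto Networks page, that does the same import from an elevated PowerShell session and then runs the checks a practitioner wants before signing out to test pre-logon: that the private key came with the certificate, that it landed in the Local Machine store rather than a user store, that it chains to the pre-logon CA just imported, and that it is within its validity period. The file paths and the CA export format (DER or Base64, both accepted by Import-Certificate) are assumptions; adjust them to what you exported from Panorama or your PKI.

```powershell
# Added example (not from the Palo Alto Networks page): install the pre-logon
# root CA and the machine certificate into the Local Machine stores and verify them.
# File paths are assumptions; run from an elevated PowerShell session.
param(
    [string]$RootCaPath     = 'C:\certs\pre-logon-ca.cer',  # DER or Base64 export of the pre-logon CA
    [string]$MachinePfxPath = 'C:\certs\machine-cert.p12'   # PKCS12 export of the machine certificate
)

# 1. Root pre-logon CA -> Trusted Root Certification Authorities (Local Machine).
$ca = Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Installed CA: $($ca.Subject) (thumbprint $($ca.Thumbprint))"

# 2. Machine certificate with its private key -> Personal store of the Local Machine
#    (the "personal certificate store" the page refers to; CurrentUser\My is not
#    readable before logon because no user profile is loaded).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PKCS12 passphrase used at export'
$machine = Import-PfxCertificate -FilePath $MachinePfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
Write-Host "Installed machine cert: $($machine.Subject) (thumbprint $($machine.Thumbprint))"

# 3a. Without the private key the endpoint cannot prove possession of the
#     certificate in the TLS handshake with the gateway.
if (-not $machine.HasPrivateKey) {
    throw "Machine certificate $($machine.Thumbprint) has no private key; re-export it as PKCS12 with the key."
}

# 3b. Confirm the certificate is really in the Local Machine Personal store.
$inMachineStore = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $machine.Thumbprint }
if (-not $inMachineStore) {
    throw 'Machine certificate is not in Cert:\LocalMachine\My.'
}

# 3c. The chain must terminate at the pre-logon CA that the certificate profile
#     on Prisma Access trusts. Revocation checking is skipped here because the
#     endpoint may have no network path to a CRL/OCSP responder before logon.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($machine)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Machine certificate chain does not validate: $status"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $ca.Thumbprint) {
    throw "Machine certificate chains to '$($chainRoot.Subject)', not to the imported pre-logon CA."
}

# 3d. An expired or not-yet-valid certificate is rejected by the gateway, and
#     nobody is logged on to see the failure.
$now = Get-Date
if ($now -lt $machine.NotBefore -or $now -gt $machine.NotAfter) {
    throw "Machine certificate is outside its validity period ($($machine.NotBefore) to $($machine.NotAfter))."
}

Write-Host 'Pre-logon machine certificate is installed, has its private key, and chains to the pre-logon CA.'
```

After the script reports success, proceed with the remaining steps of the procedure (connect to the portal, clear the cookies, and optionally sign out and check the GlobalProtect logs). If step 3c fails with a trust error, the CA file you imported is not the one that signed the machine certificate, which is the most common cause of a pre-logon tunnel that never comes up.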