Prisma Access
GlobalProtect Pre-Logon
Enable the pre-logon connect method for GlobalProtect mobile users.
Pre-logon is a connect method that establishes a VPN tunnel before a user
logs in. The purpose of pre-logon is to authenticate the endpoint, not the user, and
enable domain scripts or other tasks to run as soon as the endpoint powers on. Machine
certificates enable the endpoint to establish a VPN tunnel to the GlobalProtect gateway.
A common practice for IT administrators is to install the machine certificate while
staging the endpoint for the user. A pre-logon VPN tunnel uses a generic pre-logon
username because the user has not logged in. To allow endpoints to access resources, you
must create security policy rules that match the pre-logon user. These policy rules
should allow access to only the basic services for starting up the system; for example,
DHCP, DNS, specific Active Directory services, antivirus, or other update services.
After the user authenticates to the gateway, the GlobalProtect app reassigns the VPN
tunnel to that user. The IP address mapping on Prisma Access changes from the
pre-logon endpoint to the authenticated user.
The certificate used for pre-logon authentication resides in the endpoint’s personal
certificate store. Use a trusted third-party CA, self-signed CA, or an internal PKI CA
to issue a machine certificate. You need to configure a machine certificate as an
authentication method to establish a tunnel from an endpoint before logging in to Prisma
Access, and then create a certificate profile that includes the pre-logon CA
certificate.
GlobalProtect Pre-Logon (Strata Cloud Manager)
Learn how to enable the pre-logon connect method for GlobalProtect mobile
users.
Import a Third-Party Root CA Certificate
Use a machine certificate as an authentication method to establish a tunnel from an endpoint
before logging in to Prisma Access.
- Select Manage > Configuration > NGFW and Prisma Access > Objects > Certificate Management. Select the Prisma Access configuration scope. Ensure that you're importing the certificate for GlobalProtect mobile users.
- Import a custom certificate.
- Enter values, and Save the certificate settings.
Create a Pre-Logon Certificate Profile
Create a certificate profile and include the
self-signed root CA. This CA validates the machine certificate presented by
the GlobalProtect mobile user during pre-logon.
- Select Manage > Configuration > NGFW and Prisma Access > Objects > Certificate Management. Select the Prisma Access configuration scope.
- Add Profile.
- Enter values.
- Ensure the Username Field is None to prevent the certificate mapping to a user. Username Field can't be None if you authenticate your certificate by any authentication method OR client certificate as mentioned in step 2.
- Add the root pre-logon CA certificate you imported in step 1.
- Save the certificate profile settings.
Configure the GlobalProtect Portal for Pre-Logon
Configure the GlobalProtect portal to authenticate
connections with a machine certificate.
- Select Workflows > Prisma Access Setup > GlobalProtect > Infrastructure.
- Edit the user authentication configuration settings. Select an authentication method that GlobalProtect supports, the pre-logon certificate profile you created, and the certificate authentication. Choose any certificate authentication that GlobalProtect supports.
- Configure the GlobalProtect app settings to match the pre-logon criteria.
- Navigate to the GlobalProtect App tab.
- Add App Settings. When you enter values, ensure that you Match pre-logon user entities and the pre-logon certificate profile.
- Select a pre-logon connect method.
- If you select Even before the user logs on the machine (Pre-logon) then switch to On-Demand, set the value of Pre-logon Tunnel Rename Timeout to -1. View the VPN advanced options to edit this field.
- Move the pre-logon app setting above other app settings.
- Edit all other app settings for authenticated users. Update the connect method and the certificate profile.
- Push the changes to Prisma Access.
Install a Machine Certificate—Windows
Install the machine certificate, which is used for authentication,
on the endpoint.
- Export the self-signed root CA certificate from your PKI in Binary Encoded Certificate (DER) format.
- Transfer the certificate files to a Windows machine.
- Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of your local machine.
- Install the pre-logon machine certificate in the local machine store location.
- Proceed with the installation, enter the passphrase when prompted, and complete the installation.
- Connect to the GlobalProtect portal, and delete all cookies from the host.
- (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.
GlobalProtect Pre-Logon (Panorama)
Learn how to enable the pre-logon connect method for GlobalProtect mobile
users.
Configure Pre-Logon Certificate and Profile
Configure a machine certificate as an authentication method to establish a tunnel
from an endpoint before logging in to Prisma Access, and then create a
certificate profile that includes the pre-logon CA certificate.
- Configure a self-signed CA, and use it to generate a machine certificate in the Mobile User template. Go to Device > Certificate Management > Certificates. Be sure that you're in the Mobile_User_Template and the Location is set to Shared.
- Name the certificate; for example, Pre-logon CA Cert.
- Enter a Common Name. The Common Name (CN) is the domain name, such as www.yourdomainname.com, you want to secure with your certificate.
- Leave the Signed By field blank, and click the Certificate Authority check box.
- Generate the certificate for use in Pre-logon connections.
- After you configure the self-signed CA, generate the machine certificate.
- Enter a Certificate Name and a Common Name.
- In the Signed By drop-down, select the Pre-logon CA Cert that you created in step 1.
- Generate the Windows VM Machine Certificate that you later install on a Windows machine. This certificate is a child of the Pre-logon CA.
- To create a certificate profile that includes the pre-logon CA certificate, go to Device > Certificate Management > Certificate Profile. Use this CA to validate the machine certificate presented by the GlobalProtect client during the pre-logon tunnel initialization.
- Create and name the profile. Ensure that the Username Field is None to prevent the certificate mapping to a user.
- Under CA Certificates, select Add and select Pre-logon CA Cert from the drop-down.
- Select OK, and then select OK again.
Configure the GlobalProtect Portal for Pre-Logon
Configure the GlobalProtect portal to authenticate connections with a machine
certificate.
- Go to Network > GlobalProtect > Portals > GlobalProtect_Portal > Authentication.
- Under Allow Authentication with User Credentials OR Client Certificate, select No to enforce certificate-based authentication only.
- For Certificate Profile, select the Pre-logon_Profile you created, and click OK.
- Select Agent and open the Agent configuration for authenticated users.
- Select the App tab.
- Select Pre-logon (Always On), and select OK to return to the Agent area.
- In the Agent area, Clone the default configuration. Change the configuration name to Pre-logon to match the connect method for machine certificate authentication.
- Select the newly cloned agent configuration.
- Select Config Selection Criteria. Under the User/User Group configuration, select pre-logon from the drop-down above the USER/USER Group configuration box, and ensure that the configuration is set to Any.
- Configure the App settings as needed and select OK. Ensure that you select a pre-logon connect method for both the pre-logon and current configuration.
- Move the pre-logon agent configuration to the top of the CONFIGS list to ensure it matches first with the pre-logon condition.
- Click OK to save the portal configuration.
Configure the Prisma Access GlobalProtect Gateways
This configuration enforces certificate-based authentication
only.
- Go to Network > GlobalProtect > Gateways > GlobalProtect_External_Gateway > Authentication.
- Select the Default authentication method. If you already have a client authentication (such as SAML) configured, select it instead of Default.
- Under Allow Authentication with User Credentials or Client Certificate, select No, and then select OK to save the configuration.
Install a Machine Certificate—Windows
Install the machine certificate, which is used for authentication, on the
mobile users' endpoints.
- Go to Device > Certificate Management > Certificates.
- Be sure that you're still in the Mobile_User_Template. Select the Windows VM Machine Cert that you created previously, and select Export Certificate to download it as a PKCS12 file with a passphrase.
- Export the pre-logon CA cert as a base64 encoded certificate.
- Transfer the certificate files to a Windows machine.
- Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of your local machine.
- Install the pre-logon machine certificate in the local machine store location. Complete the permissions, and select Next to proceed with the installation.
- Validate the file name of the certificate, and select Next.
- Enter the password, which is the passphrase you used during the certificate export from Panorama, and select Next.
- In the Certificate Store dialog, select Place all certificates in the following store, and select Browse.
- Select the Personal folder where you want to install the machine certificate, and select OK.
- Select Next to proceed with installation.
- Connect to the GlobalProtect portal, and delete all cookies from the host.
- (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.
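The Windows installation steps in both procedures above (Strata Cloud Manager and Panorama) can also be scripted and checked. The following PowerShell is an added example, not part of the Palo Alto Networks documentation; the two file paths are placeholders, and it assumes the machine certificate was issued directly by the pre-logon CA.

```powershell
# Added example. The two file paths are placeholders; use the files you exported.
param(
    [string]$RootCaPath = '.\prelogon-root-ca.cer',  # placeholder: pre-logon CA, DER or base64
    [string]$MachinePfx = '.\prelogon-machine.p12'   # placeholder: PKCS12 machine certificate
)
$ErrorActionPreference = 'Stop'

# Both target stores belong to the local machine, so the session must be elevated.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Root pre-logon CA goes to Trusted Root Certification Authorities (local machine).
$root = Import-Certificate -FilePath $RootCaPath -CertStoreLocation Cert:\LocalMachine\Root

# Machine certificate and key go to the Personal store (local machine).
# Without -Exportable the private key is marked non-exportable on import.
$passphrase = Read-Host -AsSecureString -Prompt 'Passphrase set during certificate export'
$imported = Import-PfxCertificate -FilePath $MachinePfx `
    -CertStoreLocation Cert:\LocalMachine\My -Password $passphrase
$machine = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1

# Sanity checks on what was installed.
$problems = @()
if (-not $machine) {
    $problems += 'No certificate with a private key was imported from the PKCS12 file.'
} else {
    if ($machine.Issuer -ne $root.Subject) {
        $problems += "Issuer '$($machine.Issuer)' is not the imported CA '$($root.Subject)'."
    }
    $now = Get-Date
    if ($now -lt $machine.NotBefore -or $now -gt $machine.NotAfter) {
        $problems += "Certificate is outside its validity period (expires $($machine.NotAfter))."
    }
    # Build the chain in machine context, because no user profile exists at pre-logon.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Assumption: the pre-logon CA publishes no CRL, so revocation lookup is skipped.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($machine)) {
        $problems += 'Chain build failed: ' +
            (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Machine certificate $($machine.Thumbprint) installed and chains to $($root.Subject)."
```

A non-zero exit code means the endpoint is not ready for pre-logon authentication; the warnings name the failed check.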