Prisma Access
GlobalProtect Pre-Logon
Table of Contents
GlobalProtect Pre-Logon
Enable the pre-logon connect method for GlobalProtect mobile users.
Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Pre-logon is a connect method that establishes a VPN tunnel before a user
logs in. The purpose of pre-logon is to authenticate the endpoint, not the user, and
enable domain scripts or other tasks to run as soon as the endpoint powers on. Machine
certificates enable the endpoint to establish a VPN tunnel to the GlobalProtect gateway.
A common practice for IT administrators is to install the machine certificate while
staging the endpoint for the user. A pre-logon VPN tunnel uses a generic pre-logon
username because the user has not logged in. To allow endpoints to access resources, you
must create security policy rules that match the pre-logon user. These policy rules
should allow access to only the basic services for starting up the system; for example,
DHCP, DNS, specific Active Directory services, antivirus, or other update services.
After the user authenticates to the gateway, the GlobalProtect app reassigns the VPN
tunnel to that user. The IP address mapping on
Prisma Access
changes from the
pre-logon endpoint to the authenticated user.The certificate used for pre-logon authentication resides in the endpoint’s personal
certificate store. Use a trusted third-party CA, self-signed CA, or an internal PKI CA
to issue a machine certificate. You need to configure a machine certificate as an
authentication method to establish a tunnel from an endpoint before logging in to Prisma
Access, and then create a certificate profile that includes the pre-logon CA
certificate.
Cloud Management
Cloud Management
Learn how to enable the pre-logon connect method for GlobalProtect mobile
users.
Import a Third-Party Root CA Certificate
Use a machine certificate as an authentication method to establish a tunnel from an endpoint
before logging in to
Prisma Access
.- Select .If you're using Strata Cloud Manager, go to . Select theconfiguration scope.Prisma AccessEnsure that you're importing the certificate for GlobalProtect mobile users.
- Importa custom certificate.
- Enter values, andSavethe certificate settings.
Create a Pre-Logon Certificate Profile
Create a certificate profile and include the
self-signed root CA. This CA validates the machine certificate by
the GlobalProtect mobile user during pre-logon.
- Select .If you're using Strata Cloud Manager, go to . Select theconfiguration scope.Prisma Access
- Add Profile.
- Enter values.
- Ensure theUsername FieldisNoneto prevent the certificate mapping to a user.Username Fieldcan't beNoneif you authenticate your certificate by any authentication methodORclient certificate as mentioned in step 2.
- Addthe root pre-logon CA certificate you imported in step 1.
- Savethe certificate profile settings.
Configure the GlobalProtect Portal for Pre-Logon
Configure the GlobalProtect portal to authenticate
connections with a machine certificate.
- Select .If you're using Strata Cloud Manager, go to .
- Edit the user authentication configuration settings.Select an authentication method that GlobalProtect supports, the pre-logon certificate profile you created, and the certificate authentication.Choose any certificate authentication that GlobalProtect supports.
- Configure the GlobalProtect app settings to match the pre-logon criteria.
- Navigate to theGlobalProtect Apptab.
- Add App Settings.When you enter values, ensure toMatch pre-logonuser entities and the pre-logon certificate profile.
- Select a pre-logon connect method.
- If you selectEven before the user logs on the machine (Pre-logon) then switch to On-Demand, set the value ofPre-logon Tunnel Rename Timeoutto –1. View the VPN advanced options to edit this field.
- Move the pre-logon app setting above other app settings.
- Edit all other app settings for authenticated users.Update the connect method and the certificate profile.
- Push the changes toPrisma Access.
Install a Machine Certificate—Windows
Install the machine certificate at the endpoint,
which is used for authentication.
- Export the self-signed root CA certificate from your PKI inBinary Encoded Certificate (DER)format.
- Transfer the certificate files to a Windows machine.
- Install the root pre-logon CA certificate in theTrusted Root Certification Authoritiesstore of your local machine.
- Install the pre-logon machine certificate in the local machine store location.
- Proceed with the installation, enter the passphrase when prompted, and complete the installation.
- Connect to the GlobalProtect portal, and delete all cookies from the host.
- (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.
Panorama
Panorama
Learn how to enable the pre-logon connect method for GlobalProtect mobile
users.
Configure Pre-Logon Certificate and Profile
Configure a machine certificate as an authentication method to establish a tunnel
from an endpoint before logging in to Prisma Access, and then create a
certificate profile that includes the pre-logon CA certificate.
- Configure a self-signed CA, and use it to generate a machine certificate in the Mobile User template. Go to .Be sure that you're in theMobile_User_Templateand theLocationis set toShared.
- Name the certificate; for example,Pre-logon CA Cert.
- Enter aCommon Name.The Common Name (CN) is the domain name, such as www.yourdomainname.com, you want to secure with your certificate.
- Leave theSigned Byfield blank, and click theCertificate Authoritycheck box.
- Generatethe certificate for use in Pre-logon connections.
- After you configure the self-signed CA, generate the machine certificate.
- Enter aCertificate Nameand aCommon Name.
- In theSigned Bydrop-down, select thePre-logon CA Certthat you created in step 1.
- GeneratetheWindows VM Machine Certificatethat you later install on a Windows machine.This certificate is a child of the Pre-logon CA.
- To create a certificate profile that includes the pre-logon CA certificate, go to .Use this CA to validate the machine certificate presented by the GlobalProtect client during the pre-logon tunnel initialization.
- Create and name the profile. Ensure that theUsername FieldisNoneto prevent the certificate mapping to a user.
- UnderCA Certificates, selectAddand selectPre-logon CA Certfrom the drop-down.
- SelectOK, and then selectOKagain.
Configure the GlobalProtect Portal for Pre-Logon
Configure the GlobalProtect portal to authenticate connections with a machine
certificate.
- Go to .
- UnderAllow Authentication with User Credentials OR Client Certificate, selectNoto enforce certificate-based authentication only.
- ForCertificate Profile, select thePre-logon_Profileyou created, and clickOK.
- SelectAgentand open the Agent configuration for authenticated users.
- Select theApptab.
- SelectPre-logon (Always On), and selectOKto return to the Agent area.
- In the Agent area,Clonethe default configuration. Change the configuration name toPre-logonto match the connect method for machine certificate authentication.
- Select the newly cloned agent configuration.
- SelectConfig Selection Criteria. Under theUser/User Groupconfiguration, selectpre-logonfrom the drop-down above theUSER/USER Groupconfiguration box, and ensure that the configuration is set toAny.
- Configure the App settings as needed and selectOK. Ensure that you select a pre-logon connect method for both the pre-logon and current configuration.
- Move the pre-logon agent configuration to the top of theCONFIGSlist to ensure it matches first with the pre-logon condition.
- ClickOKto save the portal configuration.
Configure the Prisma Access GlobalProtect Gateways
Configure the GlobalProtect gateways in Panorama Managed Prisma
Access.
This configuration enforces certificate-based authentication
only.
- Go to .
- Select theDefaultauthentication method.If you already have a client authentication (such as SAML) configured, select it instead ofDefault.
- UnderAllow Authentication with User Credentials or Client Certificate, selectNo, and then selectOKto save the configuration.
Install a Machine Certificate—Windows
Install the machine certificate at the mobile users' endpoints, which are used
for authentication.
- Go to .
- Be sure that you're still in the Mobile_User_Template. Select theWindows VM Machine Certthat you created previously, and selectExport Certificateto download it as a PKCS12 file with a passphrase.
- Export the pre-logon CA cert as a base64 encoded certificate.
- Transfer the certificate files to a Windows machine.
- Install the root pre-logon CA certificate in theTrusted Root Certification Authoritiesstore of your local machine.
- Install the pre-logon machine certificate in the local machine store location. Complete the permissions, and selectNextto proceed with the installation.
- Validate the filename to the certificate, and selectNext.
- Enter the password, which is the passphrase you used during the certificate export from Panorama, and selectNext.
- In theCertificate Storedialog, selectPlace all certificates in the following store, and selectBrowse.
- Select thePersonal folderwhere you want to install the machine certificate, and selectOK.
- SelectNextto proceed with installation.
- Connect to the GlobalProtect portal, and delete all cookies from the host.
- (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.