Prisma Access
Cloud Management
Table of Contents
GlobalProtect Pre-Logon (Strata Cloud Manager)
Strata Cloud Manager
)Learn how to enable the pre-logon connect method for GlobalProtect mobile
users.
Import a Third-Party Root CA Certificate
Use a machine certificate as an authentication method to establish a tunnel from an endpoint
before logging in to
Prisma Access
.- Select .If you're using Strata Cloud Manager, go to . Select theconfiguration scope.Prisma AccessEnsure that you're importing the certificate for GlobalProtect mobile users.
- Importa custom certificate.
![]()
- Enter values, andSavethe certificate settings.
![]()
Create a Pre-Logon Certificate Profile
Create a certificate profile and include the
self-signed root CA. This CA validates the machine certificate by
the GlobalProtect mobile user during pre-logon.
- Select .If you're using Strata Cloud Manager, go to . Select theconfiguration scope.Prisma Access
- Add Profile.
- Enter values.
- Ensure theUsername FieldisNoneto prevent the certificate mapping to a user.Username Fieldcan't beNoneif you authenticate your certificate by any authentication methodORclient certificate as mentioned in step 2.
- Addthe root pre-logon CA certificate you imported in step 1.
- Savethe certificate profile settings.
![]()
Configure the GlobalProtect Portal for Pre-Logon
Configure the GlobalProtect portal to authenticate
connections with a machine certificate.
- Select .If you're using Strata Cloud Manager, go to .
- Edit the user authentication configuration settings.Select an authentication method that GlobalProtect supports, the pre-logon certificate profile you created, and the certificate authentication.Choose any certificate authentication that GlobalProtect supports.
![]()
- Configure the GlobalProtect app settings to match the pre-logon criteria.
- Navigate to theGlobalProtect Apptab.
- Add App Settings.When you enter values, ensure toMatch pre-logonuser entities and the pre-logon certificate profile.
![]()
- Select a pre-logon connect method.
![]()
- If you selectEven before the user logs on the machine (Pre-logon) then switch to On-Demand, set the value ofPre-logon Tunnel Rename Timeoutto –1. View the VPN advanced options to edit this field.
![]()
- Move the pre-logon app setting above other app settings.
- Edit all other app settings for authenticated users.Update the connect method and the certificate profile.
- Push the changes toPrisma Access.
Install a Machine Certificate—Windows
Install the machine certificate at the endpoint,
which is used for authentication.
- Export the self-signed root CA certificate from your PKI inBinary Encoded Certificate (DER)format.
- Transfer the certificate files to a Windows machine.
- Install the root pre-logon CA certificate in theTrusted Root Certification Authoritiesstore of your local machine.
- Install the pre-logon machine certificate in the local machine store location.
- Proceed with the installation, enter the passphrase when prompted, and complete the installation.
- Connect to the GlobalProtect portal, and delete all cookies from the host.
- (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.