GlobalProtect Pre-Logon (Strata Cloud Manager)
Learn how to enable the pre-logon connect method for GlobalProtect mobile users.

Import a Third-Party Root CA Certificate

Use a machine certificate as an authentication method to establish a tunnel from an endpoint before logging in to Prisma Access.
  1. Select Manage > Configuration > NGFW and Prisma Access > Objects > Certificate Management. Select the Prisma Access configuration scope.
    Ensure that you're importing the certificate for GlobalProtect mobile users.
  2. Import a custom certificate.
  3. Enter values, and Save the certificate settings.

Create a Pre-Logon Certificate Profile

Create a certificate profile and include the self-signed root CA. This CA validates the machine certificate that the GlobalProtect mobile user's endpoint presents during pre-logon.
  1. Select Manage > Configuration > NGFW and Prisma Access > Objects > Certificate Management. Select the Prisma Access configuration scope.
  2. Add Profile.
  3. Enter values.
    1. Ensure that the Username Field is set to None so that the certificate is not mapped to a user.
      The Username Field can't be None if you authenticate the certificate with an authentication method or a client certificate, as mentioned in step 2.
    2. Add the root pre-logon CA certificate you imported in step 1.
    3. Save the certificate profile settings.

Configure the GlobalProtect Portal for Pre-Logon

Configure the GlobalProtect portal to authenticate connections with a machine certificate.
  1. Select Workflows > Prisma Access Setup > GlobalProtect > Infrastructure.
  2. Edit the user authentication configuration settings.
    Select an authentication method that GlobalProtect supports, the pre-logon certificate profile you created, and the certificate authentication.
    Choose any certificate authentication that GlobalProtect supports.
  3. Configure the GlobalProtect app settings to match the pre-logon criteria.
    1. Navigate to the GlobalProtect App tab.
    2. Add App Settings.
      When you enter values, ensure that you Match pre-logon user entities and select the pre-logon certificate profile.
      • Select a pre-logon connect method.
      • If you select Even before the user logs on the machine (Pre-logon) then switch to On-Demand, set the value of Pre-logon Tunnel Rename Timeout to -1. View the VPN advanced options to edit this field.
    3. Move the pre-logon app setting above other app settings.
    4. Edit all other app settings for authenticated users.
      Update the connect method and the certificate profile.
  4. Push the changes to Prisma Access.

Install a Machine Certificate—Windows

Install the machine certificate on the endpoint; GlobalProtect uses it to authenticate the pre-logon tunnel.
  1. Export the self-signed root CA certificate from your PKI in Binary Encoded Certificate (DER) format.
  2. Transfer the certificate files to a Windows machine.
  3. Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of your local machine.
  4. Install the pre-logon machine certificate in the local machine store location.
  5. Proceed with the installation, enter the passphrase when prompted, and complete the installation.
  6. Connect to the GlobalProtect portal, and delete all cookies from the host.
  7. (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.
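The following PowerShell script is an added example and is not part of the Palo Alto Networks documentation. It performs steps 3 and 4 above from an elevated prompt (root CA into Trusted Root Certification Authorities, machine certificate into the Local Machine Personal store) and then runs the checks a practitioner wants before trusting pre-logon: the private key is present, the certificate chains to the imported root, and it carries the Client Authentication EKU. The file names, the store paths used for the machine certificate, and the interactive passphrase prompt are assumptions for this example; the GlobalProtect app itself is not configured by this script.

```powershell
# Added example (not from the GlobalProtect documentation): install the
# pre-logon root CA and machine certificate on a Windows endpoint and verify
# the result. Run from an elevated PowerShell session.
# File names below are assumptions for this example.
$RootCaPath = 'C:\Temp\prelogon-root-ca.cer'   # DER-encoded root CA exported from your PKI
$MachinePfx = 'C:\Temp\prelogon-machine.pfx'   # machine certificate with its private key

# 1. Root pre-logon CA -> Trusted Root Certification Authorities (Local Machine)
$root = Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Root CA installed: $($root.Subject) [$($root.Thumbprint)]"

# 2. Machine certificate -> Personal store (Local Machine). The passphrase is
#    requested interactively so it never lands in a script file or shell history.
$pfxPassword = Read-Host -Prompt 'PFX passphrase' -AsSecureString
$machine = Import-PfxCertificate -FilePath $MachinePfx `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
Write-Host "Machine certificate installed: $($machine.Subject) [$($machine.Thumbprint)]"

# 3. Checks before relying on pre-logon.
#    a) Without a private key in the machine store, the app cannot authenticate.
if (-not $machine.HasPrivateKey) {
    Write-Warning 'Machine certificate has no private key; re-export it from the PKI as a PFX that includes the key.'
}

#    b) The certificate must chain to a root trusted by this host (the CA just imported).
$chainOk = Test-Certificate -Cert $machine -Policy BASE -ErrorAction SilentlyContinue
if (-not $chainOk) {
    Write-Warning 'Machine certificate does not chain to a trusted root on this host.'
}

#    c) Client certificate authentication normally requires the Client Authentication
#       EKU (OID 1.3.6.1.5.5.7.3.2). An empty EKU list means "any purpose", so only a
#       non-empty list that omits the OID is flagged.
$ekus = @($machine.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
if ($ekus.Count -gt 0 -and ($ekus -notcontains '1.3.6.1.5.5.7.3.2')) {
    Write-Warning 'Machine certificate lacks the Client Authentication EKU; certificate authentication may fail.'
}

#    d) The issuer should be the root CA the certificate profile trusts; a mismatch
#       usually means an intermediate CA also has to be imported.
if ($machine.Issuer -ne $root.Subject) {
    Write-Warning "Issuer '$($machine.Issuer)' does not match the imported root CA '$($root.Subject)'."
}

# 4. Show what is now in the Personal store for a final visual check.
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $machine.Thumbprint } |
    Format-List Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
```

Import-Certificate and Import-PfxCertificate come from the built-in PKI module (Windows 8 / Server 2012 and later). If any of the warnings fire, fix the certificate before step 6 above; otherwise the pre-logon attempt will fail at certificate validation rather than at the portal settings.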