GlobalProtect Pre-Logon (Panorama)
Learn how to enable the pre-logon connect method for GlobalProtect mobile users.

Configure Pre-Logon Certificate and Profile

Configure a machine certificate as an authentication method to establish a tunnel from an endpoint before logging in to Prisma Access, and then create a certificate profile that includes the pre-logon CA certificate.
  1. Configure a self-signed CA, and use it to generate a machine certificate in the Mobile User template. Go to Device > Certificate Management > Certificates. Be sure that you're in the Mobile_User_Template and that the Location is set to Shared.
    1. Name the certificate; for example, Pre-logon CA Cert.
    2. Enter a Common Name. The Common Name (CN) is the domain name, such as www.yourdomainname.com, that you want to secure with your certificate.
    3. Leave the Signed By field blank, and select the Certificate Authority check box.
    4. Generate the certificate for use in pre-logon connections.
  2. After you configure the self-signed CA, generate the machine certificate.
    1. Enter a Certificate Name and a Common Name.
    2. In the Signed By drop-down, select the Pre-logon CA Cert that you created in step 1.
    3. Generate the Windows VM Machine Certificate that you later install on a Windows machine. This certificate is a child of the Pre-logon CA.
  3. To create a certificate profile that includes the pre-logon CA certificate, go to Device > Certificate Management > Certificate Profile. This CA is used to validate the machine certificate that the GlobalProtect client presents during pre-logon tunnel initialization.
  4. Create and name the profile. Ensure that the Username Field is None to prevent the certificate from being mapped to a user.
  5. Under CA Certificates, select Add and select Pre-logon CA Cert from the drop-down.
  6. Select OK, and then select OK again.

Configure the GlobalProtect Portal for Pre-Logon

Configure the GlobalProtect portal to authenticate connections with a machine certificate.
  1. Go to Network > GlobalProtect > Portals > GlobalProtect_Portal > Authentication.
  2. Under Allow Authentication with User Credentials OR Client Certificate, select No to enforce certificate-based authentication only.
  3. For Certificate Profile, select the Pre-logon_Profile you created, and click OK.
  4. Select Agent and open the Agent configuration for authenticated users.
  5. Select the App tab.
  6. Select Pre-logon (Always On), and select OK to return to the Agent area.
  7. In the Agent area, Clone the default configuration. Change the configuration name to Pre-logon to match the connect method for machine certificate authentication.
  8. Select the newly cloned agent configuration.
  9. Select Config Selection Criteria. Under the User/User Group configuration, select pre-logon from the drop-down above the User/User Group configuration box, and ensure that the configuration is set to Any.
  10. Configure the App settings as needed and select OK. Ensure that you select a pre-logon connect method for both the pre-logon and the current configuration.
  11. Move the pre-logon agent configuration to the top of the CONFIGS list to ensure that it matches first on the pre-logon condition.
  12. Click OK to save the portal configuration.

Configure the Prisma Access GlobalProtect Gateways

Configure the GlobalProtect gateways in Panorama Managed Prisma Access.
This configuration enforces certificate-based authentication only.
  1. Go to Network > GlobalProtect > Gateways > GlobalProtect_External_Gateway > Authentication.
  2. Select the Default authentication method. If you already have a client authentication method (such as SAML) configured, select it instead of Default.
  3. Under Allow Authentication with User Credentials or Client Certificate, select No, and then select OK to save the configuration.

Install a Machine Certificate—Windows

Install the machine certificate, which is used for authentication, on the mobile users' endpoints.
  1. Go to Device > Certificate Management > Certificates.
  2. Be sure that you're still in the Mobile_User_Template. Select the Windows VM Machine Cert that you created previously, and select Export Certificate to download it as a PKCS12 file with a passphrase.
  3. Export the pre-logon CA cert as a base64-encoded certificate.
  4. Transfer the certificate files to a Windows machine.
  5. Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of your local machine.
  6. Install the pre-logon machine certificate in the Local Machine store location. Complete the permissions, and select Next to proceed with the installation.
  7. Confirm the certificate file name, and select Next.
  8. Enter the password, which is the passphrase you used during the certificate export from Panorama, and select Next.
  9. In the Certificate Store dialog, select Place all certificates in the following store, and select Browse.
  10. Select the Personal folder where you want to install the machine certificate, and select OK.
  11. Select Next to proceed with the installation.
  12. Connect to the GlobalProtect portal, and delete all cookies from the host.
  13. (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.
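The endpoint steps above (5 through 11), done from an elevated PowerShell session instead of the Certificate Import Wizard, as an added example that is not part of the Palo Alto Networks page or product: it imports the two exported files into the Local Machine stores and then checks the properties that a pre-logon tunnel depends on (private key present, chain builds to the pre-logon CA, certificate within its validity window). The file paths and the function name Test-PreLogonMachineCert are assumptions; the export passphrase is prompted for rather than stored.

```powershell
# Added example (not from the Palo Alto Networks page): import the exported pre-logon
# CA certificate and the Windows VM machine certificate (PKCS12) into the Local Machine
# stores, then verify that the machine certificate is usable for pre-logon.
# Run from an elevated PowerShell session; the Local Machine stores need administrator rights.

$CaCertPath = 'C:\certs\Pre-logon_CA_Cert.cer'        # assumed path: base64 export of the pre-logon CA
$MachinePfx = 'C:\certs\Windows_VM_Machine_Cert.p12'  # assumed path: PKCS12 export with passphrase

# Step 5: install the pre-logon CA in Trusted Root Certification Authorities.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Steps 6-11: install the machine certificate and its private key in the Local Machine
# Personal store. The password is the passphrase used for the export from Panorama.
$pfxPassword = Read-Host -Prompt 'PKCS12 export passphrase' -AsSecureString
$machine = Import-PfxCertificate -FilePath $MachinePfx `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Verification of what the pre-logon tunnel relies on (assumed helper, not a product API).
function Test-PreLogonMachineCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $MachineCert,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $CaCert
    )
    $result = [ordered]@{}

    # Without the private key in the Local Machine store the certificate cannot be used
    # for client authentication at all.
    $result.HasPrivateKey = $MachineCert.HasPrivateKey

    # Build the chain against the system trust stores. The root must be the same
    # pre-logon CA that the Prisma Access certificate profile references.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The self-signed lab CA publishes no CRL, so skip revocation for this check.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainBuilds = $chain.Build($MachineCert)
    $result.ChainStatus = ($chain.ChainStatus |
        ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $result.RootIsPreLogonCA = $false
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootIsPreLogonCA = ($root.Thumbprint -eq $CaCert.Thumbprint)
    }

    # An expired or not-yet-valid machine certificate silently breaks pre-logon.
    $now = Get-Date
    $result.WithinValidity = ($MachineCert.NotBefore -le $now -and $MachineCert.NotAfter -ge $now)

    [pscustomobject]$result
}

$check = Test-PreLogonMachineCert -MachineCert $machine -CaCert $ca
$check | Format-List

if (-not ($check.HasPrivateKey -and $check.ChainBuilds -and
          $check.RootIsPreLogonCA -and $check.WithinValidity)) {
    Write-Warning 'Machine certificate is not ready for pre-logon; review the fields above.'
}
```

Import-Certificate and Import-PfxCertificate come from the PKI module that ships with Windows 8 / Windows Server 2012 and later. The checks in the function are an administrator's sanity test of the endpoint, not the GlobalProtect client's own logic; the client still has to find the certificate in the Local Machine store, and the portal and gateway still validate it against the certificate profile configured earlier.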