GlobalProtect Pre-Logon (Panorama)
Learn how to enable the pre-logon connect method for GlobalProtect mobile users.
Configure Pre-Logon Certificate and Profile
Configure a machine certificate as an authentication method to establish a tunnel from an endpoint before a user logs in to Prisma Access, and then create a certificate profile that includes the pre-logon CA certificate.
- Configure a self-signed CA, and use it to generate a machine certificate in the Mobile User template. Go to Device > Certificate Management > Certificates. Be sure that you're in the Mobile_User_Template and that the Location is set to Shared.
  - Name the certificate; for example, Pre-logon CA Cert.
  - Enter a Common Name. The Common Name (CN) is the domain name, such as www.yourdomainname.com, that you want to secure with your certificate.
  - Leave the Signed By field blank, and select the Certificate Authority check box.
  - Generate the certificate for use in pre-logon connections.
- After you configure the self-signed CA, generate the machine certificate.
  - Enter a Certificate Name and a Common Name.
  - In the Signed By drop-down, select the Pre-logon CA Cert that you created in step 1.
  - Generate the Windows VM Machine Certificate that you later install on a Windows machine. This certificate is a child of the Pre-logon CA.
- To create a certificate profile that includes the pre-logon CA certificate, go to Device > Certificate Management > Certificate Profile. This CA is used to validate the machine certificate that the GlobalProtect app presents during pre-logon tunnel initialization.
  - Create and name the profile. Ensure that the Username Field is None so that the machine certificate is not mapped to a user identity; the pre-logon tunnel authenticates the device, not a user.
  - Under CA Certificates, select Add and select Pre-logon CA Cert from the drop-down.
  - Select OK, and then select OK again.
Configure the GlobalProtect Portal for Pre-Logon
Configure the GlobalProtect portal to authenticate connections with a machine certificate.
- Go to Network > GlobalProtect > Portals > GlobalProtect_Portal > Authentication.
- Under Allow Authentication with User Credentials OR Client Certificate, select No to enforce certificate-based authentication only.
- For Certificate Profile, select the Pre-logon_Profile you created, and click OK.
- Select Agent and open the agent configuration for authenticated users.
- Select the App tab.
- Select Pre-logon (Always On), and select OK to return to the Agent area.
- In the Agent area, Clone the default configuration. Change the configuration name to Pre-logon to match the connect method for machine certificate authentication.
- Select the newly cloned agent configuration.
- Select Config Selection Criteria. Under the User/User Group configuration, select pre-logon from the drop-down above the USER/USER Group configuration box, and ensure that the configuration is set to Any.
- Configure the App settings as needed and select OK. Ensure that you select a pre-logon connect method for both the pre-logon configuration and the current configuration.
- Move the pre-logon agent configuration to the top of the CONFIGS list so that it is matched first when the pre-logon condition applies.
- Click OK to save the portal configuration.
Configure the Prisma Access GlobalProtect Gateways
Configure the GlobalProtect gateways in Panorama Managed Prisma Access. This configuration enforces certificate-based authentication only.
- Go to Network > GlobalProtect > Gateways > GlobalProtect_External_Gateway > Authentication.
- Select the Default authentication method. If you already have a client authentication method (such as SAML) configured, select it instead of Default.
- Under Allow Authentication with User Credentials or Client Certificate, select No, and then select OK to save the configuration.
Install a Machine Certificate—Windows
Install the machine certificate, which is used for authentication, on the mobile users' endpoints.
- Go to Device > Certificate Management > Certificates.
- Be sure that you're still in the Mobile_User_Template. Select the Windows VM Machine Cert that you created previously, and select Export Certificate to download it as a PKCS12 file with a passphrase.
- Export the pre-logon CA cert as a base64 encoded certificate.
- Transfer the certificate files to a Windows machine.
- Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of the local machine.
- Install the pre-logon machine certificate in the local machine store location. Complete the permissions, and select Next to proceed with the installation.
  - Confirm the file name of the certificate, and select Next.
  - Enter the password, which is the passphrase you used during the certificate export from Panorama, and select Next.
  - In the Certificate Store dialog, select Place all certificates in the following store, and select Browse.
  - Select the Personal folder where you want to install the machine certificate, and select OK.
  - Select Next to proceed with the installation.
- Connect to the GlobalProtect portal, and delete all cookies from the host.
- (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.
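The same endpoint installation, done from an elevated PowerShell session instead of the certificate import wizard, followed by the checks a practitioner wants before testing the tunnel: the private key is present, the machine certificate chains to the pre-logon CA in the local machine context, and nothing was imported into a CurrentUser store (which the GlobalProtect service cannot see before a user logs on). This is an added example, not part of the Prisma Access documentation; the file paths are placeholders for the two files exported from Panorama, and the passphrase is the one you entered during Export Certificate.

```powershell
# Added example (not from the Prisma Access documentation).
# Assumed placeholder paths for the files exported from Panorama:
#   - the pre-logon CA exported as a base64 encoded certificate
#   - the Windows VM Machine Cert exported as a PKCS12 file with a passphrase
$CaCertPath  = 'C:\Temp\Pre-logon_CA_Cert.cer'        # placeholder path
$PfxPath     = 'C:\Temp\Windows_VM_Machine_Cert.pfx'  # placeholder path
$PfxPassword = Read-Host -Prompt 'PKCS12 export passphrase' -AsSecureString

# 1. Root pre-logon CA into the LOCAL MACHINE Trusted Root store. Pre-logon runs
#    before any user logs on, so the CurrentUser stores are not available.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Machine certificate and its private key into the local machine Personal store.
$machine = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 3. Verification.
$problems = @()

if (-not $machine.HasPrivateKey) {
    $problems += 'machine certificate was imported without a private key'
}
if ($machine.Issuer -ne $ca.Subject) {
    $problems += "issuer '$($machine.Issuer)' does not match the pre-logon CA subject '$($ca.Subject)'"
}
if ((Get-Date) -gt $machine.NotAfter) {
    $problems += "machine certificate expired on $($machine.NotAfter)"
}

# Build the chain in the machine context (constructor argument $true) so the
# result reflects what a service running as SYSTEM will see, not the current user.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
# The self-signed pre-logon CA publishes no CRL, so skip revocation checking here.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($machine)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "chain does not build to a trusted root in LocalMachine: $status"
}

# A copy in CurrentUser\My is a common mistake when the wizard is run without
# choosing "Local Machine"; it is invisible to the pre-logon tunnel.
$userCopy = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -eq $machine.Thumbprint }
if ($userCopy) {
    $problems += 'machine certificate is also present in CurrentUser\My; it belongs in LocalMachine\My only'
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $($machine.Subject) [$($machine.Thumbprint)] chains to $($ca.Subject) from LocalMachine\My"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If every check passes, continue with the last two steps above (connect to the portal, clear cookies, sign out) and confirm the pre-logon tunnel in the GlobalProtect logs. A chain failure here usually means the CA landed in a CurrentUser store or a different CA than the one in the certificate profile was exported.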