Prisma Access Administration
  • Prisma Access Administration
  • Prisma Access Documentation
  • All Documentation
>
GlobalProtect Pre-Logon (Panorama)
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access
  3. Prisma Access Administration
  4. Prisma Access Mobile Users
  5. Mobile Users: GlobalProtect
  6. GlobalProtect Pre-Logon
  7. GlobalProtect Pre-Logon (Panorama)
Download PDF
Prisma Access

GlobalProtect Pre-Logon (Panorama)

Table of Contents
Learn how to enable the pre-logon connect method for GlobalProtect mobile users.

Configure Pre-Logon Certificate and Profile

Configure a machine certificate as an authentication method to establish a tunnel from an endpoint before logging in to Prisma Access, and then create a certificate profile that includes the pre-logon CA certificate.
  1. Configure a self-signed CA, and use it to generate a machine certificate in the Mobile User template. Go to DeviceCertificate ManagementCertificates.
    Be sure that you're in the Mobile_User_Template and the Location is set to Shared.
    1. Name the certificate; for example, Pre-logon CA Cert.
    2. Enter a Common Name.
      The Common Name (CN) is the domain name, such as www.yourdomainname.com, you want to secure with your certificate.
    3. Leave the Signed By field blank, and click the Certificate Authority check box.
    4. Generate the certificate for use in Pre-logon connections.
  2. After you configure the self-signed CA, generate the machine certificate.
    1. Enter a Certificate Name and a Common Name.
    2. In the Signed By drop-down, select the Pre-logon CA Cert that you created in step 1.
    3. Generate the Windows VM Machine Certificate that you later install on a Windows machine.
      This certificate is a child of the Pre-logon CA.
  3. To create a certificate profile that includes the pre-logon CA certificate, go to DeviceCertificate ManagementCertificate Profile.
    Use this CA to validate the machine certificate presented by the GlobalProtect client during the pre-logon tunnel initialization.
  4. Create and name the profile. Ensure that the Username Field is None to prevent the certificate mapping to a user.
  5. Under CA Certificates, select Add and select Pre-logon CA Cert from the drop-down.
  6. Select OK, and then select OK again.

Configure the GlobalProtect Portal for Pre-Logon

Configure the GlobalProtect portal to authenticate connections with a machine certificate.
  1. Go to NetworkGlobalProtectPortalsGlobalProtect_PortalAuthentication.
  2. Under Allow Authentication with User Credentials OR Client Certificate, select No to enforce certificate-based authentication only.
  3. For Certificate Profile, select the Pre-logon_Profile you created, and click OK.
  4. Select Agent and open the Agent configuration for authenticated users.
  5. Select the App tab.
  6. Select Pre-logon (Always On), and select OK to return to the Agent area.
  7. In the Agent area, Clone the default configuration. Change the configuration name to Pre-logon to match the connect method for machine certificate authentication.
  8. Select the newly cloned agent configuration.
  9. Select Config Selection Criteria. Under the User/User Group configuration, select pre-logon from the drop-down above the USER/USER Group configuration box, and ensure that the configuration is set to Any.
  10. Configure the App settings as needed and select OK. Ensure that you select a pre-logon connect method for both the pre-logon and current configuration.
  11. Move the pre-logon agent configuration to the top of the CONFIGS list to ensure it matches first with the pre-logon condition.
  12. Click OK to save the portal configuration.

Configure the Prisma Access GlobalProtect Gateways

Configure the GlobalProtect gateways in Panorama Managed Prisma Access.
This configuration enforces certificate-based authentication only.
  1. Go to NetworkGlobalProtectGatewaysGlobalProtect_External_GatewayAuthentication.
  2. Select the Default authentication method.
    If you already have a client authentication (such as SAML) configured, select it instead of Default.
  3. Under Allow Authentication with User Credentials or Client Certificate, select No, and then select OK to save the configuration.

Install a Machine Certificate—Windows

Install the machine certificate at the mobile users' endpoints, which are used for authentication.
  1. Go to DeviceCertificate ManagementCertificates.
  2. Be sure that you're still in the Mobile_User_Template. Select the Windows VM Machine Cert that you created previously, and select Export Certificate to download it as a PKCS12 file with a passphrase.
  3. Export the pre-logon CA cert as a base64 encoded certificate.
  4. Transfer the certificate files to a Windows machine.
  5. Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of your local machine.
  6. Install the pre-logon machine certificate in the local machine store location. Complete the permissions, and select Next to proceed with the installation.
  7. Validate the filename to the certificate, and select Next.
  8. Enter the password, which is the passphrase you used during the certificate export from Panorama, and select Next.
  9. In the Certificate Store dialog, select Place all certificates in the following store, and select Browse.
  10. Select the Personal folder where you want to install the machine certificate, and select OK.
  11. Select Next to proceed with installation.
  12. Connect to the GlobalProtect portal, and delete all cookies from the host.
  13. (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.