Deploy Connect Before Logon Settings in the Windows Registry

Enable the deployment of Connect Before Logon settings to Windows endpoints.
By using the Windows Registry, you can deploy Connect Before Logon settings to Windows 10 endpoints before you enable end users to log in to the VPN before logging in to the endpoint. GlobalProtect retrieves the registry keys only once, when the GlobalProtect app initializes.
The Pre-logon and Pre-logon then On-demand connection methods are not supported simultaneously with Connect Before Logon.
  1. Configure the registry keys on the end user Windows endpoints.
    You must change the Windows registry on the end users’ Windows endpoints before you can enable Connect Before Logon. You can automatically add the registry keys or manually add the keys.
    • To automatically add the registry keys for PanPlapProvider and PanPlapProvider.dll, run PanGPS.exe (in C:\Program Files\Palo Alto Networks\GlobalProtect) as an administrator with the -registerplap command, using the following syntax:
      PanGPS.exe -registerplap
    • To automatically unregister the keys for PanPlapProvider and PanPlapProvider.dll, run PanGPS.exe (in C:\Program Files\Palo Alto Networks\GlobalProtect) as an administrator with the -unregisterplap command, using the following syntax:
      PanGPS.exe -unregisterplap
    To manually add the registry keys, open the Windows Registry Editor (enter regedit at the command prompt).
    You must create the CLSID folder.
    1. In the Windows Registry, go to HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}.
      Add the PanPlapProvider value in the format @=PanPlapProvider.
    2. In the Windows Registry, go to HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}\InprocServer32@="PanPlapProvider.dll".
      Verify that the ThreadingModel value is set to Apartment. This is the default value.
    3. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{20A29589-E76A-488B-A520-63582302A285}@="PanPlapProvider".
      Add the PanPlapProvider value in the format @=PanPlapProvider.
  2. (Optional) Configure additional portal addresses or names to display.
    If configured, Connect Before Logon will use the default portal address or name in the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal).
    You can configure additional portal addresses or names that you want to display in the Portal drop-down by changing the registry keys on the end user Windows endpoints. You can add up to five portal addresses or names. You must change the Windows registry on the end users’ Windows endpoints before you can define the portal addresses or names.
    Open the Windows Registry Editor (enter regedit at the command prompt).
    1. In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect.
    2. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry for each portal that you want to add.
      You must specify each entry as Portal1, Portal2, Portal3, Portal4, and Portal5. Each entry cannot contain spaces.
    4. Right-click the portal registry value, and then select Modify.
    5. Enter the IP address or name of the GlobalProtect portal in the Value Data field, and then click OK.
    6. Repeat steps 3 and 4 for each portal that you want to add.
  3. (Optional) Display the predefined portal addresses or names.
    You must change the Windows registry on the end users’ Windows endpoints before you can display the portal addresses or names.
    Open the Windows Registry Editor (enter regedit at the command prompt).
    1. In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect.
    2. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry for AlwaysShowPortal.
    4. Enter the value as yes in the Value Data field, and then click OK.
      By default, Connect Before Logon does not display the portal address or name if only one portal is defined.
  4. (Optional) Enable end users to authenticate using a smart card.
    You must change the Windows registry on the end users’ Windows endpoints before you can enable smart card authentication.
    Open the Windows Registry Editor (enter regedit at the command prompt).
    1. In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect.
    2. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry for UseSmartCard.
    4. Enter the value as yes in the Value Data field, and then click OK.
  5. Reboot the endpoint.
    You must reboot the endpoint in order for the PLAP and Connect Before Logon registry keys to take effect.
  6. Verify the configuration.
    After you have configured the settings in the Windows registry and to use Connect Before Logon starting with GlobalProtect™ app 5.2, choose the authentication method:
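
A read-only PowerShell check of the registry state that steps 1 through 4 describe, useful before the reboot in step 5 because GlobalProtect reads these keys only once at initialization. This is an added example, not Palo Alto Networks code; the helper name Get-RegValue and the pass/fail rules are assumptions built from the paths and values listed above.

```powershell
# Added example: read-only audit of the Connect Before Logon registry settings.
# Paths and value names are the ones given in the steps above; nothing is written.
$clsid   = '{20A29589-E76A-488B-A520-63582302A285}'
$clsKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
$plapKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\$clsid"
$cblKey  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL'

function Get-RegValue([string]$Key, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is missing.
    # An empty $Name reads the key's default (@) value.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-Item -LiteralPath $Key).GetValue($Name)
}

# Step 1: PLAP provider registration (what -registerplap or the manual steps create).
$checks = @(
    @{ What = 'CLSID default value';           Key = $clsKey;                  Name = '';               Want = 'PanPlapProvider' }
    @{ What = 'InprocServer32 default value';  Key = "$clsKey\InprocServer32"; Name = '';               Want = 'PanPlapProvider.dll' }
    @{ What = 'InprocServer32 ThreadingModel'; Key = "$clsKey\InprocServer32"; Name = 'ThreadingModel'; Want = 'Apartment' }
    @{ What = 'PLAP Providers default value';  Key = $plapKey;                 Name = '';               Want = 'PanPlapProvider' }
)
$results = @(foreach ($c in $checks) {
    $actual = Get-RegValue $c.Key $c.Name
    [pscustomobject]@{ Check = $c.What; Expected = $c.Want; Actual = $actual; Ok = ($actual -eq $c.Want) }
})

# Steps 2-4: optional CBL values. Only Portal1..Portal5, AlwaysShowPortal and
# UseSmartCard are described above, so any other name (for example "Portal 1") is flagged.
if (Test-Path -LiteralPath $cblKey) {
    $cbl = Get-Item -LiteralPath $cblKey
    $results += @(foreach ($name in $cbl.GetValueNames()) {
        $value = [string]$cbl.GetValue($name)
        $ok = switch -Regex ($name) {
            '^Portal[1-5]$'                     { $value -ne '' }
            '^(AlwaysShowPortal|UseSmartCard)$' { $value -eq 'yes' }
            default                             { $false }
        }
        [pscustomobject]@{ Check = "CBL\$name"; Expected = 'per steps 2-4'; Actual = $value; Ok = [bool]$ok }
    })
}
$results | Format-Table -AutoSize
```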
