GlobalProtect
Deploy Connect Before Logon Settings in the Windows Registry
Enable the deployment of Connect Before Logon settings
to Windows endpoints.
You can use the Windows Registry to deploy Connect Before Logon settings to Windows 10 endpoints before you enable end users to connect to the VPN prior to logging in to the endpoint. GlobalProtect reads these registry keys only once, when the GlobalProtect app initializes, so a change takes effect only after the endpoint restarts.
Follow these guidelines when deploying
the Connect Before Logon settings:
- The Pre-logon and Pre-logon then On-demand connection methods are not supported simultaneously with Connect Before Logon.
- If you use smart card authentication or username/password authentication for user login through an authentication service such as LDAP, RADIUS, or OTP, you must configure exclusions for the fully qualified domain names of the portal and gateway by entering them in the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established app setting in the App Configurations area of the GlobalProtect portal. If you use SAML authentication for user login with a configured SAML identity provider (IdP) such as Okta, you must also configure exclusions for *okta.com and *oktacdn.com. For other IdPs, you must configure exclusions for the URLs (IP addresses or fully qualified domain names) that the IdP uses, but only if the Enforcer is enabled.
- Configure the registry keys on the end user Windows endpoints. You must change the Windows registry on the end users' Windows endpoints before you can enable Connect Before Logon. You can add the registry keys automatically or manually.
  - To automatically add the registry keys for PanPlapProvider and PanPlapProvider.dll, run PanGPS.exe (C:\Program Files\Palo Alto Networks\GlobalProtect) as an administrator with the -registerplap option:
    PanGPS.exe -registerplap
    To automatically unregister the keys for PanPlapProvider and PanPlapProvider.dll, run PanGPS.exe as an administrator with the -unregisterplap option:
    PanGPS.exe -unregisterplap
  - To manually add the registry keys, open the Windows Registry Editor by entering regedit at the command prompt. You must create the CLSID folder.
    - In the Windows Registry, go to HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}. Add the PanPlapProvider value in the format @=PanPlapProvider.
    - In the Windows Registry, go to HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}\InprocServer32 and set @="PanPlapProvider.dll". Verify that the ThreadingModel value is set to Apartment. This is the default value.
    - In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{20A29589-E76A-488B-A520-63582302A285} and set @="PanPlapProvider".
- (Optional) Configure additional portal addresses or names to display. If a default portal is configured in the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup, key Portal), Connect Before Logon uses it. You can configure additional portal addresses or names to display in the Portal drop-down by changing the registry keys on the end user Windows endpoints. You can add up to five portal addresses or names. You must change the Windows registry on the end users' Windows endpoints before you can define the portal addresses or names.
  - Open the Windows Registry Editor by entering regedit at the command prompt.
  - In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect.
  - In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
  - Select Edit > New > String Value to create a registry entry for each portal that you want to add. You must name the entries Portal1, Portal2, Portal3, Portal4, and Portal5. An entry cannot contain spaces.
  - Right-click the portal registry value, and then select Modify.
  - Enter the IP address or name of the GlobalProtect portal in the Value Data field, and then click OK.
  - Repeat the create, modify, and enter-value steps for each portal that you want to add.
- (Optional) Display the predefined portal addresses or names. By default, Connect Before Logon does not display the portal address or name if only one portal is defined. You must change the Windows registry on the end users' Windows endpoints before you can display the portal addresses or names.
  - Open the Windows Registry Editor by entering regedit at the command prompt.
  - In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect if it does not already exist.
  - In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
  - Select Edit > New > String Value to create a registry entry named AlwaysShowPortal.
  - Enter yes in the Value Data field, and then click OK.
- (Optional) Enable end users to authenticate using a smart card. You must change the Windows registry on the end users' Windows endpoints before you can enable smart card authentication.
  - Open the Windows Registry Editor by entering regedit at the command prompt.
  - In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect if it does not already exist.
  - In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
  - Select Edit > New > String Value to create a registry entry named UseSmartCard.
  - Enter yes in the Value Data field, and then click OK.
- Reboot the endpoint. You must reboot the endpoint for the PLAP and Connect Before Logon registry keys to take effect.
- Verify the configuration. After you have configured the settings in the Windows registry, to use Connect Before Logon starting with GlobalProtect app 5.2, choose the authentication method:
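The following PowerShell script is an added example and is not part of the Palo Alto Networks documentation or product. It writes the registry values from the procedure above from an elevated session and checks them before you reboot, which is the form you need when the settings are pushed through Group Policy, Intune or another management tool instead of being typed into regedit. It assumes GlobalProtect is installed under C:\Program Files\Palo Alto Networks\GlobalProtect, and the portal names in the usage section are constructed placeholders. It writes the CLSID under HKLM\SOFTWARE\Classes, the machine half of HKEY_CLASSES_ROOT, because the PLAP provider is loaded at the logon screen before any user hive exists.

```powershell
# Added example; not Palo Alto Networks code. Run from an elevated 64-bit
# PowerShell session: every key below lives in the machine hive.
#Requires -RunAsAdministrator

$PlapClsid = '{20A29589-E76A-488B-A520-63582302A285}'
# HKEY_CLASSES_ROOT merges HKLM\SOFTWARE\Classes with the user's hive; the PLAP
# provider loads at the logon screen, so the machine half is the one that counts.
$ClsidKey  = "HKLM:\SOFTWARE\Classes\CLSID\$PlapClsid"
$PlapKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\$PlapClsid"
$CblKey    = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL'
$GpDir     = 'C:\Program Files\Palo Alto Networks\GlobalProtect'   # assumed install path

function Register-PlapProvider {
    # Writes the same values the manual procedure describes. PanGPS.exe -registerplap
    # is the supported way to create them and is preferable wherever it can be run.
    if (-not (Test-Path (Join-Path $GpDir 'PanPlapProvider.dll'))) {
        throw "PanPlapProvider.dll not found in $GpDir; install GlobalProtect first."
    }
    foreach ($k in $ClsidKey, "$ClsidKey\InprocServer32", $PlapKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $ClsidKey                  -Name '(default)'      -Value 'PanPlapProvider'
    Set-ItemProperty -Path "$ClsidKey\InprocServer32" -Name '(default)'      -Value 'PanPlapProvider.dll'
    Set-ItemProperty -Path "$ClsidKey\InprocServer32" -Name 'ThreadingModel' -Value 'Apartment'
    Set-ItemProperty -Path $PlapKey                   -Name '(default)'      -Value 'PanPlapProvider'
}

function Set-CblSettings {
    param(
        [string[]]$Portals = @(),   # shown in the Portal drop-down as Portal1..Portal5
        [switch]$AlwaysShowPortal,  # show the portal even when only one is defined
        [switch]$UseSmartCard       # offer smart card authentication at the logon screen
    )
    if ($Portals.Count -gt 5) { throw 'Connect Before Logon accepts at most five portal entries.' }
    foreach ($p in $Portals) {
        if ($p -match '\s') { throw "Portal entry '$p' contains whitespace, which is not allowed." }
    }
    if (-not (Test-Path $CblKey)) { New-Item -Path $CblKey -Force | Out-Null }
    # Clear the managed values first so a re-run with a shorter list, or without a
    # switch, does not leave stale PortalN or yes values behind.
    foreach ($n in @('Portal1','Portal2','Portal3','Portal4','Portal5','AlwaysShowPortal','UseSmartCard')) {
        Remove-ItemProperty -Path $CblKey -Name $n -ErrorAction SilentlyContinue
    }
    for ($i = 0; $i -lt $Portals.Count; $i++) {
        New-ItemProperty -Path $CblKey -Name "Portal$($i + 1)" -PropertyType String -Value $Portals[$i] | Out-Null
    }
    if ($AlwaysShowPortal) { New-ItemProperty -Path $CblKey -Name 'AlwaysShowPortal' -PropertyType String -Value 'yes' | Out-Null }
    if ($UseSmartCard)     { New-ItemProperty -Path $CblKey -Name 'UseSmartCard'     -PropertyType String -Value 'yes' | Out-Null }
}

function Test-CblDeployment {
    # Returns $true only when every PLAP value from the procedure is present with the expected data.
    $expected = @(
        @{ Path = $ClsidKey;                  Name = '(default)';      Value = 'PanPlapProvider' },
        @{ Path = "$ClsidKey\InprocServer32"; Name = '(default)';      Value = 'PanPlapProvider.dll' },
        @{ Path = "$ClsidKey\InprocServer32"; Name = 'ThreadingModel'; Value = 'Apartment' },
        @{ Path = $PlapKey;                   Name = '(default)';      Value = 'PanPlapProvider' }
    )
    $ok = $true
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Path -ErrorAction SilentlyContinue).($e.Name)
        if ($actual -ne $e.Value) {
            Write-Warning "$($e.Path) [$($e.Name)] is '$actual'; expected '$($e.Value)'"
            $ok = $false
        }
    }
    if (Test-Path $CblKey) {
        # Show what the logon screen will read from the CBL key.
        Get-ItemProperty -Path $CblKey | Format-List Portal*, AlwaysShowPortal, UseSmartCard | Out-Host
    }
    return $ok
}

# Usage. The portal names are constructed placeholders; replace them with your own FQDNs.
Register-PlapProvider
Set-CblSettings -Portals 'vpn.example.com', 'vpn-dr.example.com' -AlwaysShowPortal
if (Test-CblDeployment) {
    Write-Host 'Registry settings verified. GlobalProtect reads them only at initialization; reboot the endpoint.'
} else {
    Write-Warning 'One or more PLAP values are missing or wrong; correct them before rebooting.'
}
```

Run this from 64-bit PowerShell: a 32-bit host would have both HKLM\SOFTWARE\Classes\CLSID and HKLM\SOFTWARE\Palo Alto Networks redirected to WOW6432Node, and the 64-bit GlobalProtect app and LogonUI would never see the values. The script registers the DLL by bare file name exactly as the procedure states; if you need to confirm which file the logon screen actually loads, compare the keys after running PanGPS.exe -registerplap on a reference machine.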