User-Initiated Pre-Logon Connection
Enable end users to initiate the GlobalProtect pre-logon connection manually on Windows 10 endpoints.
Where Can I Use This?
  • GlobalProtect
What Do I Need?
  • Supported only on Windows 10 or later endpoints
  • GlobalProtect app version 5.0.3 or later for Windows
Enable end users to initiate the GlobalProtect Remote Access VPN with Pre-Logon connection manually on Windows 10 endpoints. User-initiated pre-logon requires that you Use Single Sign-On in your portal configuration. In this deployment, users can initiate the pre-logon connection only when their endpoint requires access to the corporate network before login, such as when new employees connect to the network remotely for the first time or when administrators must remotely connect and troubleshoot issues on the endpoint. To initiate the pre-logon connection, users must Start GlobalProtect Connection from the GlobalProtect credential provider logon screen after the endpoint boots up.
If users are unable to establish the pre-logon connection using this option, the pre-logon connection status remains Disconnected.
When users log out of their endpoint, the VPN tunnel is not renamed from the user tunnel back to the pre-logon tunnel. Instead, the tunnel disconnects.
Use the following steps to enable users to initiate the pre-logon connection manually:
You can configure this option only in the Windows Registry. This configuration can be done either manually after GlobalProtect is installed or pre-deployed as part of the Windows image that includes the GlobalProtect software.
  1. Configure remote access VPN with pre-logon.
    Use one of the following options to configure remote access VPN with pre-logon:
    • If your end user will be connecting to the GlobalProtect portal before using this feature (for example, an existing employee who has previously connected to GlobalProtect), you can configure remote access VPN with pre-logon in the portal configuration.
      To enable users to initiate the pre-logon connection manually, you must configure the following options in your portal configuration:
      • Specify a portal IP address (Network > GlobalProtect > Portals > <portal-config> > General).
      • Set the GlobalProtect Connect Method to Pre-logon (Always On) or Pre-logon then On-demand (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App).
      • Set the Use Single Sign-On option to Yes to enable GlobalProtect to use Windows login credentials to automatically authenticate users upon Active Directory login (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App).
    • If your end user will not be connecting to the GlobalProtect portal before using this feature (for example, a new employee who is connecting to the network remotely for the first time), you must pre-deploy the pre-logon settings in the Windows Registry:
      1. From your Windows endpoint, launch the Command Prompt.
      2. Enter regedit to open the Windows Registry.
      3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup\.
      4. Specify a portal address:
        1. From the list of PanSetup options, right-click Portal and then select Modify... to update the portal address.
        2. Enter the portal address in the Value data field.
        3. Click OK to save your changes.
      5. Enable pre-logon:
        1. From the list of PanSetup options, right-click Prelogon and then select Modify....
        2. To enable pre-logon, set the Value data to 1.
          To disable pre-logon, set the Value data to 0.
        3. Click OK to save your changes.
      6. Enable single sign-on (SSO):
        When you enable single sign-on, GlobalProtect uses Windows login credentials to automatically authenticate users upon Active Directory login.
        1. Select Edit > New > String Value to add the option to use single sign-on.
        2. When prompted, set the Name to use-sso.
        3. Right-click Use-SSO and then select Modify... to update the single sign-on settings.
        4. To enable single sign-on, set the Value data to yes.
          To disable single sign-on, set the Value data to no.
        5. Click OK to save your changes.
  2. From the Windows Registry, enable the option to display the Start GlobalProtect Connection button on the GlobalProtect credential provider logon screen.
    1. From your Windows endpoint, launch the Command Prompt.
    2. Enter regedit to open the Windows Registry.
    3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup\.
    4. Select Edit > New > String Value to add the button display option.
    5. When prompted, set the Name to ShowPrelogonButton.
    6. Right-click ShowPrelogonButton and then select Modify... to update the button display settings.
    7. To enable the GlobalProtect credential provider to display the Start GlobalProtect Connection button, set the Value data to yes.
      To disable the ShowPrelogonButton option, set the Value data to no. Alternatively, you can right-click ShowPrelogonButton to Delete the option.
    8. Click OK to save your changes.
  3. Verify that the GlobalProtect credential provider displays the Start GlobalProtect Connection button so users can initiate the pre-logon connection manually.
    Depending on which option you used to configure remote access VPN with pre-logon (step 1), use one of the following options to verify that the GlobalProtect credential provider displays the Start GlobalProtect Connection button:
    • If you configured remote access VPN with pre-logon on your firewall, use the following steps to verify that the button is displayed:
      1. From your Windows endpoint, launch the GlobalProtect app.
      2. Connect to GlobalProtect to download the portal agent configuration that you configured in step 1.
      3. Reboot your Windows endpoint.
      4. When the GlobalProtect credential provider logon screen appears, ensure that the Start GlobalProtect Connection button is displayed and the pre-logon connection status is Disconnected.
    • If you pre-deployed the pre-logon settings in the Windows Registry, use the following steps to verify that the button is displayed:
      1. Reboot your Windows endpoint.
      2. When the GlobalProtect credential provider logon screen appears, ensure that the Start GlobalProtect Connection button is displayed and the pre-logon connection status is Disconnected.
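
The registry pre-deployment path from steps 1 and 2, as an added PowerShell example that is not part of the original page: it writes the four PanSetup values and reads them back before the reboot check in step 3. The portal address `portal.example.com` is a placeholder, and the script assumes that the GlobalProtect app is already installed and that the shell is elevated.

```powershell
#Requires -RunAsAdministrator
param(
    # Placeholder portal address (assumption); pass your own portal here.
    [string]$Portal = 'portal.example.com'
)

$key = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

# Desired state, taken from steps 1 and 2 of the procedure.
$desired = [ordered]@{
    'Portal'             = $Portal   # step 1: portal address
    'Prelogon'           = '1'       # step 1: 1 enables pre-logon, 0 disables it
    'use-sso'            = 'yes'     # step 1: required for user-initiated pre-logon
    'ShowPrelogonButton' = 'yes'     # step 2: show Start GlobalProtect Connection
}

# The procedure edits an existing PanSetup key, so stop if the app is not installed.
if (-not (Test-Path -LiteralPath $key)) {
    throw "PanSetup key not found; install the GlobalProtect app first: $key"
}

# Given a string, Set-ItemProperty creates a missing value as a string value,
# which is what the page specifies for use-sso and ShowPrelogonButton.
foreach ($name in $desired.Keys) {
    Set-ItemProperty -LiteralPath $key -Name $name -Value $desired[$name]
}

# Read the values back and report anything that differs from the desired state.
$actual = Get-ItemProperty -LiteralPath $key
$drift = foreach ($name in $desired.Keys) {
    $value = [string]$actual.$name
    if ($value -ne $desired[$name]) {
        [pscustomobject]@{ Name = $name; Expected = $desired[$name]; Actual = $value }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
    throw 'PanSetup values do not match the intended pre-logon configuration.'
}

'PanSetup is set for user-initiated pre-logon. Reboot and check the logon screen (step 3).'
```

Run with `-Portal` set to `0`-style rollback values changed in `$desired` (`Prelogon` to `0`, `use-sso` and `ShowPrelogonButton` to `no`) to turn the feature off again, as the steps describe.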