Remote Access VPN with Pre-Logon
Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and then enable domain scripts and other tasks of your choice to run as soon as the endpoint powers on. A machine certificate enables the endpoint to have the VPN tunnel to the gateway. A common practice for IT personnel is to install the machine certificate while staging the endpoint for the user.
A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to let the endpoint have access to resources in the trust zone, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, or operating system update services.
After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user).
Mac systems behave differently from Windows systems with pre-logon. With Mac OS, the tunnel created for pre-logon is torn down and a new tunnel created when the user logs in.
When a client requests a new connection, the portal authenticates the client by using an authentication profile. The portal can also use an optional certificate profile that validates the client certificate (if the configuration includes a client certificate). In this case, the client certificate must identify the user.
After authentication, the portal determines if the client’s configuration is current. If the portal’s configuration for the agent has changed, it pushes an updated configuration to the endpoint.
If the configuration on the portal or a gateway includes cookie-based authentication for the client, the portal or gateway installs an encrypted cookie on the client. Subsequently, the portal or gateway uses the cookie to authenticate users and for refreshing the client’s configuration. Also, if an agent configuration profile includes the pre-logon connect method in addition to cookie-authentication, the GlobalProtect components can use the cookie for pre-logon.
If users never log into a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged into, you can let the endpoint initiate a pre-logon tunnel without first connecting to the portal to download the pre-logon configuration. To do this, you must override the default behavior by creating entries in the Windows registry or Mac plist.
The GlobalProtect endpoint will then connect to the portal specified in the configuration and authenticate the endpoint by using its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel.
When the end user subsequently logs in to the machine and if single sign-on (SSO) is enabled in the client configuration, the username and password are captured while the user logs in and used to authenticate to the gateway and so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration or of SSO is not supported on the client system (for example, it is a Mac OS system) the users’ credentials must be stored in the agent (that is, the Save User Credentials option must be set to Yes). After successful authentication to the gateway the tunnel will be renamed (Windows) or rebuilt (Mac) and user- and group-based policy can be enforced.
This example uses the GlobalProtect topology shown in GlobalProtect VPN for Remote Access.
Interfaces and Zones for GlobalProtect.Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
- For this example, select NetworkInterfacesEthernet and then:
- Select ethernet1/2.
- For its interface type, select Layer 3.
- Assign interface to: default virtual router, default virtual system, and l3-untrust security zone.
- Select IPv4 and Add.
- Select the address 203.0.113.1 (or the object that maps 203.0.113.1) or add a New Address to create a new object and address mapping. (Leave the address type as Static.)
- Create a DNS “A” record that maps IP address 203.0.113.1 to gp.acme.com.
- Select NetworkInterfacesTunnel.
- Add a tunnel.2 interface to a new zone called corp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.
- Create the security policy rules.This configuration requires the following policies (PoliciesSecurity):
- Create a rule that enables pre-logon user access to basic services that are required for the computer to come up, such as authentication services, DNS, DHCP, and Microsoft Updates.
- Create a rule to deny pre-logon user access to all other destinations and applications.
- Create any additional rules to enable access to specific destinations and applications for specific users or user groups. Follow the Best Practice Internet Gateway Security Policy recommendations for creating these rules.
- Use one of the following methods to obtain a server certificate
for the interface that is hosts the GlobalProtect portal and gateway:Select DeviceCertificate ManagementCertificates to manage certificates with the following criteria:
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN, gp.acme.com.
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- Generate a machine certificate for each client system
that will connect to GlobalProtect and import them into the personal
certificate store on each machine.Although you could generate self-signed certificates for each client system, as a best practice, use your own public-key infrastructure (PKI) to issue and distribute certificates to your clients.
- Issue client certificates to GlobalProtect clients and endpoints.
- Install certificates in the personal certificate store on the endpoints. (Local Computer store on Windows or System Keychain on Mac OS)
the trusted root CA certificate from the CA that issued the machine
certificates onto the portal and gateway(s).You do not have to import the private key.
- Download the CA certificate in Base64 format.
- Import the certificate onto each firewall that hosts
a portal or gateway, as follows:
- Select DeviceCertificate ManagementCertificatesDevice Certificates and click Import.
- Enter a Certificate Name that identifies the certificate as your client CA certificate.
- Browse to the Certificate File you downloaded from the CA.
- Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
- Select the certificate you just imported on the Device Certificates tab to open it.
- Select Trusted Root CA and then click OK.
- On each firewall that hosts a GlobalProtect gateway,
create a certificate profile to identify the CA certificate for
validating the machine certificates.Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure that the CA certificate that issues the client certificates is referenced in the certificate profile in addition to the CA certificate that issued the machine certificates if they are different.
- Select DeviceCertificatesCertificate ManagementCertificate Profile.
- Click Add and enter a Name to uniquely identify the profile, such as PreLogonCert.
- Set UsernameField to None.
- (Optional) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates.
- In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in 5 and then click OK.
- Click OK to save the profile.
a GlobalProtect Gateway.See the topology diagram shown in GlobalProtect VPN for Remote Access.Although you must create a certificate profile for pre-logon access to the gateway, you can use either client certificate authentication or authentication profile-based authentication for logged in users. In this example, the same LDAP profile is used that is used to authenticate users to the portal.
- Select NetworkGlobalProtectGateways and
add the following configuration:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—PreLogonCertAuthentication Profile—Corp-LDAPTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118
- Commit the gateway configuration.
- Select NetworkGlobalProtectGateways and add the following configuration:
- Configure the GlobalProtect
Portals.Configure Device details (networking parameters, the authentication service profile, and the certificate for the authentication server).Select NetworkGlobalProtectPortals and specify the following configuration:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—NoneAuthentication Profile—Corp-LDAP
the GlobalProtect Agent Configurations for pre-logon users
and for logged in users.Use a single agent configuration if you want pre-logon users to access the same gateways before and after they log in.Otherwise, to direct pre-logon users to different gateways before and after they log in, create two agent configuration profiles. In this first agent configuration’s User/User Group, select the pre-logon filter. With pre-logon, the portal first authenticates the endpoint, not the user, to set up a VPN (even though the pre-logon parameter is associated with users). Subsequently, the portal authenticates the user when he or she logs in.After the portal authenticates the user, it deploys the second agent configuration. In this case, User/User Group is any.As a best practice, enable SSO in the second agent configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent settings panel is used.Select Agent and specify one of the following configurations:
Use single sign-on—enabledConnect Method—pre-logonExternal Gateway Address—gp1.acme.comUser/User Group—anyAuthentication Override—Cookie authentication for transparently authenticating users and for configuration refresh
- Use the same gateway before and after pre-logon users log in:
First Agent Configuration:Connect Method—pre-logonExternal Gateway Address—gp1.acme.comUser/User Group—pre-logonAuthentication Override—Cookie authentication for transparently authenticating users and for configuration refreshSecond Agent Configuration:Use single sign-on—enabledConnect Method—pre-logonExternal Gateway Address—gp2.acme.comUser/User Group—anyAuthentication Override—Cookie authentication for transparently authenticating users and for configuration refreshMake sure the pre-logon client configuration is first in the list of configurations. If it is not, select it and click Move Up.
- Use separate gateways for pre-logon users before and after they log in:
- Save the GlobalProtect configuration.Click Commit.
- (Optional) If users will never log into a device
(for example, a headless device) or a pre-logon connection is required
on a system that a user has not previously logged into, create the Prelogon registry
entry on the client system.You must also pre-deploy the default portal IP address.For more information about registry settings, see Deploy Agent Settings Transparently.
- Locate the GlobalProtect settings in the
registry:HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
- Select EditNewString Value to
create the following registry entries:
- Create a String Value named Prelogon with a value of 1. This setting enables GlobalProtect to initiate a connection before the user logs in to the endpoint.
- Create a String Value named Portal that specifies the IP address or hostname of the default portal for the GlobalProtect endpoint.
- Locate the GlobalProtect settings in the registry:
GlobalProtect Certificate Best Practices
GlobalProtect Certificate Best Practices The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use: Certificate Usage Issuing ...
GlobalProtect Portals Authentication Configuration Tab
GlobalProtect Portals Authentication Configuration Tab Select Network GlobalProtect Portals Authentication to configure several different types of GlobalProtect portal settings: An SSL/TLS service profile that the ...
Client Certificate Authentication
Client Certificate Authentication For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the ...
Deploy Machine Certificates for Authentication
Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...
How Does the Agent Know Which Certificate to Supply?
How Does the Agent Know Which Certificate to Supply? When you configure GlobalProtect to use client certificates for authentication on Mac or Windows endpoints, GlobalProtect ...
Remote Access VPN (Certificate Profile)
Remote Access VPN (Certificate Profile) With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or ...
GlobalProtect Portals Agent Authentication Tab
GlobalProtect Portals Agent Authentication Tab Select Network GlobalProtect Portals Agent Authentication to configure the authentication settings that apply to the agent configuration. GlobalProtect Portal Client ...
Remote Access VPN (Authentication Profile)
Remote Access VPN (Authentication Profile) In the GlobalProtect VPN for Remote Access , the GlobalProtect portal and gateway are configured on ethernet1/2, so this is ...
Remote Access VPN with Two-Factor Authentication
Remote Access VPN with Two-Factor Authentication If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can ...