This feature requires Content Release version 590-3397 or later.
You can now configure a new hybrid connect method called pre-logon then on-demand. The new connect method is supported on endpoints running Windows 7 or Mac OS 10.9 and later releases. The purpose of the new connect method is to provide the functionality of two existing connect methods:
Pre-logon: GlobalProtect authenticates the endpoint (not the user) before the user logs in and then establishes a VPN tunnel. As soon as the endpoint powers on, the GlobalProtect agent runs any domain scripts or other tasks of your choice. After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user). Mac systems behave differently from Windows systems with pre-logon: with Mac OS, the tunnel created for pre-logon is torn down and a new tunnel is created when the user logs in.
On-demand: users must manually initiate connections to external gateways.
The new connect method combines the pre-logon capability to authenticate the endpoint and establish a tunnel before the user logs in with the on-demand capability, which requires users to establish connections with external gateways manually for subsequent connections. This is useful when users forget their passwords or work with their IT helpdesk to change their password and require network access over a pre-logon VPN tunnel to log into their system. Then, if the tunnel disconnects for any reason, the user must manually connect to a gateway.
Configure Remote Access with Pre-logon then On-demand
Create interfaces and zones for GlobalProtect. Configure a Layer 3 interface for each portal and/or gateway you plan to deploy. On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect agents. If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone. Save the configuration.
Create security policy rules. A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to enable access to resources in the trust zone, you must create security policies that match the pre-logon user. Create a rule that enables the pre-logon user access to basic services that are required for the computer to come up, such as authentication services, DNS, DHCP, and Microsoft Updates. Create a rule to enable access between the corp-vpn zone and the l3-trust zone for any known user after the user successfully logs in.
Obtain a server certificate for the interface that hosts the GlobalProtect portal and gateway. Either (Recommended) import a server certificate from a well-known, third-party CA, or use the root CA on the portal to generate a self-signed server certificate. Select Device > Certificate Management > Certificates to manage certificates, and obtain the server certificate with the following criteria: Because the portal and gateway are on the same interface, the same server certificate can be used for both components. The CN of the certificate must match the FQDN, gp.acme.com. To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
On each firewall that hosts a GlobalProtect gateway, create a certificate profile to identify the CA certificate for validating the machine certificates. Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure that the CA certificate that issues the client certificates is referenced in the certificate profile in addition to the CA certificate that issued the machine certificates, if they are different. Select Device > Certificates > Certificate Management > Certificate Profile. Click Add and enter a Name to uniquely identify the profile, such as PreLogonCert. Set Username Field to None. (Optional) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in Step 5 and then click OK. Click OK to save the profile.
Generate and deploy machine certificates. During pre-logon, the firewall sees the user as pre-logon for user-IP address mapping, logging and security policies. Generate a machine certificate for each client system that will connect to GlobalProtect and import it into the personal certificate store on each machine. Although you could generate self-signed certificates for each client system, as a best practice, use your own public-key infrastructure (PKI) to issue and distribute certificates to your clients. Import the trusted root CA certificate from the CA that issued the certificates onto the portal and gateways. Click OK twice to save the configuration.
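The following is an added example, not Palo Alto Networks code: a small Python model of the behaviour the security-policy and machine-certificate steps above rely on. A pre-logon tunnel is mapped to the placeholder identity pre-logon, the rulebase is evaluated top-down, and after logon the mapping either changes in place (Windows, tunnel reassigned) or moves to a new tunnel (Mac OS, tunnel torn down and rebuilt). The zone names corp-vpn and l3-trust and the pre-logon and known-user match keywords come from the text; the class names, the list of basic-service App-IDs, and the sample addresses and usernames are assumptions constructed for this example.

```python
# Added example (not Palo Alto Networks code): a model of how the firewall's
# user-to-IP mapping changes around a pre-logon tunnel and how the two
# security rules described above behave before and after logon.
# Zone names and the pre-logon / known-user keywords come from the text;
# class names, the App-ID list, addresses and usernames are assumptions.
from dataclasses import dataclass

PRE_LOGON = "pre-logon"   # identity the firewall assigns to a pre-logon tunnel
UNKNOWN = "unknown"       # no user mapped to the address at all


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source_user: str         # "pre-logon", "known-user" or "any"
    applications: frozenset  # empty = any application
    action: str              # "allow" or "deny"

    def matches(self, from_zone, to_zone, user, app):
        if (from_zone, to_zone) != (self.from_zone, self.to_zone):
            return False
        if self.source_user == "pre-logon":
            user_ok = user == PRE_LOGON
        elif self.source_user == "known-user":
            # a real, authenticated username: neither pre-logon nor unmapped
            user_ok = user not in (PRE_LOGON, UNKNOWN)
        else:
            user_ok = True
        return user_ok and (not self.applications or app in self.applications)


class Firewall:
    """Keeps the user-to-IP mapping and evaluates the rulebase top-down."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.user_ip = {}   # tunnel IP -> "pre-logon" or a username

    def prelogon_tunnel(self, ip):
        self.user_ip[ip] = PRE_LOGON

    def windows_logon(self, ip, username):
        # Windows: the existing tunnel is reassigned to the user, so the
        # mapping for the same address changes in place.
        self.user_ip[ip] = username

    def mac_logon(self, old_ip, new_ip, username):
        # Mac OS: the pre-logon tunnel is torn down and a new tunnel is built,
        # so the old address loses its mapping and the new one is mapped.
        self.user_ip.pop(old_ip, None)
        self.user_ip[new_ip] = username

    def evaluate(self, ip, from_zone, to_zone, app):
        user = self.user_ip.get(ip, UNKNOWN)
        for rule in self.rules:          # first matching rule wins
            if rule.matches(from_zone, to_zone, user, app):
                return rule.name, rule.action
        return "interzone-default", "deny"


# Constructed App-ID names standing in for the "basic services" rule.
BASIC_SERVICES = frozenset({"dns", "dhcp", "kerberos", "ldap", "ms-update"})
RULES = [
    Rule("prelogon-basic-services", "corp-vpn", "l3-trust", "pre-logon", BASIC_SERVICES, "allow"),
    Rule("vpn-known-users", "corp-vpn", "l3-trust", "known-user", frozenset(), "allow"),
]
APPS = ("dns", "ms-update", "smb")   # smb: a file share the pre-logon user must not reach


def windows_walkthrough(ip="10.31.32.3", username="acme\\jdoe"):
    """Verdicts per application before and after a Windows user logs on."""
    fw = Firewall(RULES)
    fw.prelogon_tunnel(ip)
    before = {app: fw.evaluate(ip, "corp-vpn", "l3-trust", app) for app in APPS}
    fw.windows_logon(ip, username)
    after = {app: fw.evaluate(ip, "corp-vpn", "l3-trust", app) for app in APPS}
    return before, after


def mac_walkthrough(old_ip="10.31.32.3", new_ip="10.31.32.4", username="jdoe"):
    """After a Mac logon the old tunnel address no longer has any user mapped."""
    fw = Firewall(RULES)
    fw.prelogon_tunnel(old_ip)
    fw.mac_logon(old_ip, new_ip, username)
    return (fw.evaluate(old_ip, "corp-vpn", "l3-trust", "dns"),
            fw.evaluate(new_ip, "corp-vpn", "l3-trust", "smb"))


if __name__ == "__main__":
    for label, verdicts in zip(("pre-logon", "after logon"), windows_walkthrough()):
        print(label, verdicts)
    print("mac", mac_walkthrough())
```

The point to take from the model: the pre-logon rule should stay as narrow as the text describes (authentication, DNS, DHCP, updates), because everything the endpoint can reach over that tunnel is reachable by anyone who powers on an enrolled machine, before any user has been authenticated; the known-user rule only becomes effective once the mapping carries a real username.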
Configure GlobalProtect Gateways. Although you must create a certificate profile for access to the gateway using the pre-logon then on-demand connect method, you can use either client certificate authentication or authentication profile-based authentication for logged-in users. Select Network > GlobalProtect > Gateways and select an existing gateway configuration or add a new one. After configuring the gateway, Commit your changes.
Configure the GlobalProtect portal. First, configure the device details (networking parameters, the authentication service profile, and the certificate for the authentication server). Next, create two agent configuration profiles. With these two types of agent configurations, you can limit gateway access to one gateway for the pre-logon users and provide access to multiple gateways for the logged-in users. As a best practice, enable SSO in the second agent configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent settings panel is used.
Select Network > GlobalProtect > Portals. Select the portal configuration or Add one.
Set Up Access to the GlobalProtect Portal by configuring the General network settings and portal Authentication settings, for example:
Interface—ethernet1/2
IP Address—203.0.113.1
SSL/TLS Service Profile—GP-server-cert-profile (issued by GoDaddy)
Certificate Profile—None
Authentication Profile—Corp-LDAP
Define the GlobalProtect Agent Configurations for pre-logon users and for logged-in users, for example:
First Agent Configuration:
Connect Method—Pre-logon then on-demand
External Gateway Address—gp.example.com
User/User Group—pre-logon
Authentication Override—Cookie authentication for transparently authenticating users and for configuration refresh
Second Agent Configuration:
Use single sign-on—enabled
Connect Method—Pre-logon then on-demand
External Gateway Address—gp.example.com
User/User Group—any
Authentication Override—Cookie authentication for transparently authenticating users and for configuration refresh
Make sure the pre-logon then on-demand client configuration is first in the list of configurations. If it is not, select it and click Move Up.
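The following is an added example, not GlobalProtect code: a Python model of why the order of the portal's agent configurations matters. The portal hands an endpoint the first configuration whose User/User Group matches, and a configuration set to any also matches the pre-logon identity, so a catch-all placed above the pre-logon entry captures pre-logon endpoints and the narrower single-gateway configuration is never used. The field values mirror the two configurations above; the class and function names and the second gateway address (gp2.example.com) are assumptions constructed for this example.

```python
# Added example (not GlobalProtect code): first-match selection of portal
# agent configurations and a check for entries shadowed by a catch-all.
# Field values mirror the two configurations in the text; class and function
# names and the second gateway address are assumptions for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentConfig:
    name: str
    user_group: str          # "pre-logon", "any" or a user/group name
    connect_method: str
    gateways: tuple          # external gateway addresses this config hands out
    sso: bool = False        # "Use single sign-on"


def select_config(configs, user):
    """Return the first agent configuration whose User/User Group matches.

    'any' also matches the pre-logon identity, so a catch-all placed above the
    pre-logon entry silently captures pre-logon endpoints."""
    for cfg in configs:
        if cfg.user_group in ("any", user):
            return cfg
    return None


def shadowed_configs(configs):
    """Names of configs that can never be selected because an 'any' entry precedes them."""
    shadowed, catch_all_seen = [], False
    for cfg in configs:
        if catch_all_seen:
            shadowed.append(cfg.name)
        if cfg.user_group == "any":
            catch_all_seen = True
    return shadowed


PRELOGON_CONFIG = AgentConfig(
    name="prelogon-config", user_group="pre-logon",
    connect_method="pre-logon then on-demand", gateways=("gp.example.com",))
USERS_CONFIG = AgentConfig(
    name="users-config", user_group="any",
    connect_method="pre-logon then on-demand",
    gateways=("gp.example.com", "gp2.example.com"),   # second gateway is constructed
    sso=True)

CORRECT_ORDER = [PRELOGON_CONFIG, USERS_CONFIG]
WRONG_ORDER = [USERS_CONFIG, PRELOGON_CONFIG]   # the situation "Move Up" fixes


if __name__ == "__main__":
    for order in (CORRECT_ORDER, WRONG_ORDER):
        print([c.name for c in order],
              "pre-logon ->", select_config(order, "pre-logon").name,
              "| shadowed:", shadowed_configs(order))
```

With the correct order a pre-logon endpoint receives only the single-gateway configuration without SSO, while a logged-in user falls through to the multi-gateway configuration; with the wrong order both receive the catch-all, which is the misconfiguration the Move Up instruction above guards against.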
Save the GlobalProtect configuration. Click Commit.
(Optional) If users will never log into a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged into, create the Prelogon registry entry on the client system. You must also pre-deploy additional agent settings such as the default portal IP address and connect method. For more information about registry settings, see Deploy Agent Settings Transparently.
Locate the GlobalProtect settings in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
Create a String Value named Prelogon with a value of 1. This setting enables GlobalProtect to initiate a connection before the user logs in to the endpoint.
Create a String Value named Portal that specifies the IP address or hostname of the default portal for the GlobalProtect client.