Configure Pre-Logon Support for Prisma Access Agent
Learn how to configure pre-logon for Prisma Access Agent, enabling secure tunnel
connections before user authentication for improved device management and
security.
Where Can I Use This?
- Prisma Access (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Panorama)
- NGFW (Managed by Panorama)
What Do I Need?
- Check the prerequisites for the deployment you're using
- macOS 14 and later or Windows 10 version 2024 and later desktop devices
- Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Configure pre-logon for Prisma Access Agent so that a managed device establishes a secure
tunnel before any user logs in. The tunnel gives the device the network access it needs
for management and updates without a user having to log in.
To implement pre-logon, you need to understand several key components:
Machine certificates must be deployed to every device that will use pre-logon, typically
through an enterprise PKI such as Microsoft Active Directory Certificate Services. Prisma
Access Agent presents the machine certificate to authenticate the device during
pre-logon, because no user credentials are available at that point.
You need to configure the Prisma Access Agent settings to enable the pre-logon feature
and specify the connection method.
Be familiar with security policies and how they apply to the pre-logon user, because
the pre-logon tunnel should grant only the access that device management requires.
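Before enabling pre-logon on a device, confirm that it actually holds a usable machine certificate: one in the Local Machine store with a private key, a Client Authentication extended key usage, a validity period that covers the present, and a chain that builds to a trusted root with revocation checkable. The following PowerShell function is an added example for that check; it is not Palo Alto Networks code, and the issuer name, the 30-day expiry warning window, and the function name are assumptions for illustration. Whether a given certificate template satisfies your Prisma Access Agent configuration is determined by how you configured the agent, not by this script.

```powershell
# Added example: audit the LocalMachine\My store for a machine certificate that a
# device could present during pre-logon. Not Palo Alto Networks code; the issuer
# match string and warning window are assumptions, adjust them to your PKI.
function Test-PreLogonMachineCert {
    [CmdletBinding()]
    param(
        [string]$IssuerMatch = 'CN=Corp-Issuing-CA',   # assumed issuing CA name
        [int]$WarnDays = 30                            # assumed expiry warning window
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $ekuOid        = '2.5.29.37'           # extendedKeyUsage extension
    $now = Get-Date

    # Only certificates with a private key can be used to prove device identity
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" }

    if (-not $candidates) {
        Write-Warning "No machine certificate from '$IssuerMatch' with a private key in LocalMachine\My."
        return $false
    }

    $anyUsable = $false
    foreach ($cert in $candidates) {
        $problems = @()

        # Client Authentication EKU is what a TLS client certificate must carry
        $ekuRaw = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
        $hasClientAuth = $false
        if ($ekuRaw) {
            $ekuExt = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($ekuRaw, $ekuRaw.Critical)
            $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        if (-not $hasClientAuth) { $problems += 'missing Client Authentication EKU' }

        # Validity window
        if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
        if ($cert.NotAfter -lt $now) {
            $problems += "expired $($cert.NotAfter)"
        } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $problems += "expires within $WarnDays days ($($cert.NotAfter))"
        }

        # Chain must build to a trusted root on this device, with online revocation checking
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
            $problems += "chain: $status"
        }

        if ($problems.Count -eq 0) {
            Write-Host "OK  $($cert.Thumbprint)  $($cert.Subject)  valid until $($cert.NotAfter)"
            $anyUsable = $true
        } else {
            Write-Warning "$($cert.Thumbprint)  $($cert.Subject): $($problems -join ', ')"
        }
    }
    return $anyUsable
}

# Returns $true when at least one certificate passes every check
Test-PreLogonMachineCert -IssuerMatch 'CN=Corp-Issuing-CA'
```

Run it in an elevated session on a representative device before rolling out pre-logon; a device that fails here will not be able to authenticate at boot regardless of the agent configuration. On macOS the equivalent check applies to the identity stored in the System keychain rather than the Local Machine store.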
Pre-logon integrates with your existing authentication methods: you can use
certificate-based authentication for pre-logon while keeping SAML or another method for
user login, so the security policies that apply to logged-in users stay intact while
device management improves. The feature also supports agent upgrades and downgrades,
keeping devices current. It is designed to work across system restarts and sleep-wake
cycles, providing consistent connectivity for your managed devices.
About Pre-Logon
The pre-logon workflow begins when a managed device boots or resumes from sleep.
The device immediately uses its preinstalled machine certificate to authenticate with
the Prisma Access Agent management plane. Upon successful authentication, a tunnel is
established before any user logs in. Because no user has logged in yet, this tunnel is
attributed to a generic username called pre-logon, and the security policy rules that
reference that user determine which network resources the device can reach. At this
stage, administrators can push updates, apply group policies, or perform other
management tasks without user interaction.
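The policy that governs the pre-logon user should be a least-privilege rule set: allow the pre-logon user to reach only the management infrastructure (domain controllers, update servers, endpoint-management servers) and deny everything else for that user, so that an unattended device on the logon screen cannot be used as a path into the rest of the network. The following is an added example written in PAN-OS/Panorama set-command syntax; it is not configuration taken from this page or from Palo Alto Networks. The device-group name, the zone and address-group names, and the application list are assumptions for illustration, and where the rules are placed for your deployment (Strata Cloud Manager, Panorama, or a Panorama-managed NGFW) is your choice.

```text
# Assumed Panorama set-command syntax (added example). Address groups
# AD-DCs, WSUS-Servers and Endpoint-Mgmt-Servers are placeholders you define.
set device-group Remote-Devices pre-rulebase security rules Pre-Logon-Mgmt from any to any source any destination [ AD-DCs WSUS-Servers Endpoint-Mgmt-Servers ] source-user pre-logon application [ dns kerberos ldap ms-ds-smb ms-update ] service application-default action allow log-end yes
set device-group Remote-Devices pre-rulebase security rules Pre-Logon-Deny-All from any to any source any destination any source-user pre-logon application any service any action deny log-end yes
```

Keep the explicit deny for the pre-logon user directly after the allow rule so that a later, broader rule matching "any" user cannot silently widen what an unattended device can reach, and log both rules: traffic from the pre-logon user to anything other than management servers is worth an alert.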
The generic pre-logon username is reserved. If a real user configured in the
IdP is named pre-logon, for example pre-logon@email.com, that user
collides with the reserved name: the user will be able to use Prisma Access Agent
only in pre-logon mode, and pre-logon@email.com will receive the app
configuration mapped to the generic pre-logon user instead of any app configuration
mapped to pre-logon@email.com. Do not assign this username to a real account.
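Because the collision described above silently changes which app configuration a user receives, it is worth auditing the directory for accounts whose sign-in name is the reserved pre-logon name before enabling the feature. The following PowerShell function is an added example, not Palo Alto Networks code; it assumes that the username your IdP presents is the sAMAccountName, the userPrincipalName, or the mail attribute, and it assumes the Active Directory module (RSAT) is available when no exported name list is supplied. The function name is an assumption.

```powershell
# Added example: find accounts whose sign-in name collides with the reserved
# pre-logon username. Not Palo Alto Networks code; which attribute your IdP
# sends as the username is an assumption, adjust the filter to match it.
function Find-PreLogonNameCollision {
    [CmdletBinding()]
    param(
        [string]$Reserved = 'pre-logon',
        # Optional: sign-in names exported from the IdP (for example the
        # userPrincipalName column of a CSV). When omitted, Active Directory is queried.
        [string[]]$SignInNames
    )

    if ($SignInNames) {
        # Exact match on the bare name, or the name as the local part of an address.
        # -match is case-insensitive by default, which mirrors how most IdPs compare names.
        $pattern = '^' + [regex]::Escape($Reserved) + '(@.*)?$'
        return $SignInNames | Where-Object { $_ -match $pattern }
    }

    # LDAP filter: bare sAMAccountName, or UPN/mail whose local part is the reserved name
    $filter = "(|(sAMAccountName=$Reserved)(userPrincipalName=$Reserved@*)(mail=$Reserved@*))"
    Get-ADUser -LDAPFilter $filter -Properties userPrincipalName, mail |
        Select-Object SamAccountName, UserPrincipalName, mail, Enabled
}

# Offline use against a constructed list (sample data, not real accounts):
Find-PreLogonNameCollision -SignInNames @('alice@email.com', 'Pre-Logon@email.com', 'pre-logon', 'prelogon@email.com')
# Domain-wide use (requires the ActiveDirectory module):
# Find-PreLogonNameCollision
```

With the constructed list above, the function returns Pre-Logon@email.com and pre-logon; prelogon@email.com (no hyphen) is not reported because it does not match the reserved name. Any account the audit reports should be renamed before pre-logon is enabled.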
On Windows devices, the Windows login screen shows the Prisma Access Agent status. If
the device has never been enrolled (the agent has never registered with the management
plane and has never been configured on the device), the user must select the Prisma
Access Agent icon under Sign-in options on the Windows login screen. Enrollment then
proceeds and, when it finishes, the agent automatically connects to the best available
gateway over the pre-logon tunnel. Once connected, the agent status changes to
Connected and shows the gateway the agent is connected to.
For a device undergoing first-time enrollment,
authentication takes place with the management plane and the gateway. If the device
has previously been enrolled and the user is restarting their device, authentication
happens only with the gateway.
After a user logs in, the pre-logon tunnel transitions to a user-specific tunnel with
potentially broader access rights. The transition happens when the configured pre-logon
tunnel rename timeout expires; until then the tunnel still carries the pre-logon
identity and is subject to the pre-logon security policy. Throughout the user's
session, administrators retain the ability to manage the device, retrieve logs, and
monitor its status.
Upon user logout, the system reverts to the pre-logon state. The user-specific tunnel
is terminated, and the device returns to using the limited pre-logon tunnel. This
ensures continuous management capability and essential connectivity even when no
user is actively logged in. The cycle of transitioning between pre-logon and
user-specific tunnels continues, maintaining appropriate access controls throughout
the device's operational states until it's shut down.
The remote shell functionality does not work while the device is on the logon screen.
However, after the user logs on and until the tunnel rename timeout expires, the
pre-logon tunnel is still active and remote shell works as expected.