GlobalProtect Pre-Logon

Learn how to enable the pre-logon connect method for GlobalProtect mobile users.
Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint, not the user, and enable domain scripts or other tasks to run as soon as the endpoint powers on. Machine certificates enable the endpoint to establish a VPN tunnel to the GlobalProtect gateway. A common practice for IT administrators is to install the machine certificate while staging the endpoint for the user. A pre-logon VPN tunnel has no username association because the user has not logged in. To allow endpoints to access resources, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, for example DHCP, DNS, specific Active Directory services, antivirus, or other update services. After the user authenticates to the gateway, the GlobalProtect app reassigns the VPN tunnel to that user. The IP address mapping on Prisma Access changes from the pre-logon endpoint to the authenticated user.
The certificate used for pre-logon authentication resides in the endpoint’s personal certificate store. Use a trusted third-party CA, self-signed CA, or an internal PKI CA to issue a machine certificate.
Before you begin the pre-logon configuration, make sure that you have the following information and resources:
  • Access to your Prisma Access Cloud Management
  • Role permissions to create a new CA certificate
  • Administrator access to the endpoint for installing the machine certificate
  • Trusted PKI certificate deployed on endpoint

Generate a Machine Certificate

Use a machine certificate as an authentication method to establish a tunnel from an endpoint before a user logs in to Prisma Access.
  1. Import a third-party root CA certificate.
    1. To import a third-party root CA certificate, select
      Certificate Management
      Ensure that you are importing the certificate for GlobalProtect mobile users.
    2. Import
      a custom certificate.
    3. Enter values, and
      the certificate settings.
  2. Import a machine certificate that is signed by the root CA certificate you imported in Step 1.

Create a Pre-Logon Certificate Profile

Create a certificate profile and include the self-signed root CA. This CA validates the machine certificate by the GlobalProtect mobile user during pre-logon.
  1. Select
    Certificate Management
  2. Add Profile
  3. Enter values.
    1. Ensure the
      Username Field
      to prevent the certificate mapping to a user.
    2. Add
      the root pre-logon CA certificate you imported in Step 1.
    3. Save
      the certificate profile settings.

Configure the GlobalProtect Portal for Pre-Logon

Configure the GlobalProtect portal to authenticate connections with a machine certificate.
  1. Select
    Prisma Access Setup
    Mobile Users
  2. Edit the user authentication configuration settings.
    Select an authentication method that GlobalProtect supports, the pre-logon certificate profile you created, and the certificate authentication.
    Choose any certificate authentication that GlobalProtect supports.
  3. Configure the GlobalProtect app settings to match the pre-logon criteria.
    1. Navigate to the
      GlobalProtect App
    2. Add App Settings.
      When you enter values, ensure to
      Match pre-logon
      user entities and the pre-logon certificate profile.
      • Select a pre-logon connect method.
      • If you select
        Even before the user logs on the machine (Pre-logon) then switch to On-Demand
        , set the value of
        Pre-logon Tunnel Rename Timeout
        to –1. View the VPN advanced options to edit this field.
    3. Move the pre-logon app setting above other app settings.
    4. Edit all other app settings for authenticated users.
      Update the connect method and the certificate profile.
  4. Push the changes to Prisma Access.

Install a Machine Certificate—Windows

Install the machine certificate at the endpoint, which is used for authentication.
  1. Export the self-signed root CA certificate from your PKI in
    Binary Encoded Certificate (DER)
  2. Transfer the certificate files to a Windows machine.
  3. Install the root pre-logon CA certificate in the
    Trusted Root Certification Authorities
    store of your local machine.
  4. Install the pre-logon machine certificate in the local machine store location.
  5. Proceed with the installation, enter the passphrase when prompted, and complete the installation.
  6. Connect to the GlobalProtect portal, and delete all cookies from the host.
  7. (
    ) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.

Recommended For You