1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access (Cloud Management)
    5. Mobile Users
    6. Mobile Users — GlobalProtect
    7. GlobalProtect Pre-Logon

    GlobalProtect Pre-Logon

    Learn how to enable the pre-logon connect method for GlobalProtect mobile users.
    Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint, not the user, and enable domain scripts or other tasks to run as soon as the endpoint powers on. Machine certificates enable the endpoint to establish a VPN tunnel to the GlobalProtect gateway. A common practice for IT administrators is to install the machine certificate while staging the endpoint for the user. A pre-logon VPN tunnel has no username association because the user has not logged in. To allow endpoints to access resources, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, for example DHCP, DNS, specific Active Directory services, antivirus, or other update services. After the user authenticates to the gateway, the GlobalProtect app reassigns the VPN tunnel to that user. The IP address mapping on Prisma Access changes from the pre-logon endpoint to the authenticated user.
    The certificate used for pre-logon authentication resides in the endpoint’s personal certificate store. Use a trusted third-party CA, self-signed CA, or an internal PKI CA to issue a machine certificate.
    Before you begin the pre-logon configuration, make sure that you have the following information and resources:
    • Access to your Prisma Access Cloud Management
    • Role permissions to create a new CA certificate
    • Administrator access to the endpoint for installing the machine certificate
    • Trusted PKI certificate deployed on endpoint

    Generate a Machine Certificate

    Use a machine certificate as an authentication method to establish a tunnel from an endpoint before a user logs in to Prisma Access.
    1. Import a third-party root CA certificate.
      1. To import a third-party root CA certificate, select
        Manage
        Configuration
        Objects
        Certificate Management
        .
        Ensure that you are importing the certificate for GlobalProtect mobile users.
      2. Import
         a custom certificate.
      3. Enter values, and
        Save
         the certificate settings.
    2. Import a machine certificate that is signed by the root CA certificate you imported in Step 1.

    Create a Pre-Logon Certificate Profile

    Create a certificate profile and include the self-signed root CA. This CA validates the machine certificate by the GlobalProtect mobile user during pre-logon.
    1. Select
      Manage
      Configuration
      Objects
      Certificate Management
      .
    2. Add Profile
      .
    3. Enter values.
      1. Ensure the
        Username Field
         is
        None
         to prevent the certificate mapping to a user.
      2. Add
         the root pre-logon CA certificate you imported in Step 1.
      3. Save
         the certificate profile settings.

    Configure the GlobalProtect Portal for Pre-Logon

    Configure the GlobalProtect portal to authenticate connections with a machine certificate.
    1. Select
      Settings
      Prisma Access Setup
      Mobile Users
      .
    2. Edit the user authentication configuration settings.
      Select an authentication method that GlobalProtect supports, the pre-logon certificate profile you created, and the certificate authentication.
      Choose any certificate authentication that GlobalProtect supports.
    3. Configure the GlobalProtect app settings to match the pre-logon criteria.
      1. Navigate to the
        GlobalProtect App
         tab.
      2. Add App Settings.
        When you enter values, ensure to
        Match pre-logon
         user entities and the pre-logon certificate profile.
        • Select a pre-logon connect method.
        • If you select
          Even before the user logs on the machine (Pre-logon) then switch to On-Demand
          , set the value of
          Pre-logon Tunnel Rename Timeout
           to –1. View the VPN advanced options to edit this field.
      3. Move the pre-logon app setting above other app settings.
      4. Edit all other app settings for authenticated users.
        Update the connect method and the certificate profile.
    4. Push the changes to Prisma Access.

    Install a Machine Certificate—Windows

    Install the machine certificate at the endpoint, which is used for authentication.
    1. Export the self-signed root CA certificate from your PKI in
      Binary Encoded Certificate (DER)
       format.
    2. Transfer the certificate files to a Windows machine.
    3. Install the root pre-logon CA certificate in the
      Trusted Root Certification Authorities
       store of your local machine.
    4. Install the pre-logon machine certificate in the local machine store location.
    5. Proceed with the installation, enter the passphrase when prompted, and complete the installation.
    6. Connect to the GlobalProtect portal, and delete all cookies from the host.
    7. (
      Optional
      ) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo