Learn how to enable the pre-logon connect method for GlobalProtect mobile users.
Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint, not the user, and enable domain scripts or other tasks to run as soon as the endpoint powers on. Machine certificates enable the endpoint to establish a VPN tunnel to the GlobalProtect gateway. A common practice for IT administrators is to install the machine certificate while staging the endpoint for the user. A pre-logon VPN tunnel has no username association because the user has not logged in. To allow endpoints to access resources, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, for example DHCP, DNS, specific Active Directory services, antivirus, or other update services. After the user authenticates to the gateway, the GlobalProtect app reassigns the VPN tunnel to that user. The IP address mapping on Prisma Access changes from the pre-logon endpoint to the authenticated user.
The certificate used for pre-logon authentication resides in the endpoint’s personal certificate store. Use a trusted third-party CA, self-signed CA, or an internal PKI CA to issue a machine certificate.
Before you begin the pre-logon configuration, make sure that you have the following information and resources:
- Access to your Prisma Access Cloud Management
- Administrator access to the endpoint for installing the machine certificate
- Trusted PKI certificate deployed on endpoint
Generate a Machine Certificate
Use a machine certificate as an authentication method to establish a tunnel from an endpoint before a user logs in to Prisma Access.
- Import a third-party root CA certificate.
  - To import a third-party root CA certificate, select Manage > Configuration > Objects > Certificate Management. Ensure that you are importing the certificate for GlobalProtect mobile users.
  - Import a custom certificate.
  - Enter values, and Save the certificate settings.
- Import a machine certificate that is signed by the root CA certificate you imported in Step 1.
Create a Pre-Logon Certificate Profile
Create a certificate profile and include the self-signed root CA. This CA validates the machine certificate presented by the GlobalProtect mobile user during pre-logon.
- Select Manage > Configuration > Objects > Certificate Management.
- Add Profile.
- Enter values.
- Ensure the Username Field is None to prevent the certificate from being mapped to a user.
- Add the root pre-logon CA certificate you imported in Step 1.
- Save the certificate profile settings.
Configure the GlobalProtect Portal for Pre-Logon
Configure the GlobalProtect portal to authenticate connections with a machine certificate.
- Select Settings > Prisma Access Setup > Mobile Users.
- Edit the user authentication configuration settings. Select an authentication method that GlobalProtect supports, the pre-logon certificate profile you created, and the certificate authentication. Choose any certificate authentication that GlobalProtect supports.
- Configure the GlobalProtect app settings to match the pre-logon criteria.
  - Navigate to the GlobalProtect App tab.
  - Add App Settings. When you enter values, ensure that you Match pre-logon user entities and the pre-logon certificate profile.
  - Select a pre-logon connect method.
  - If you select Even before the user logs on the machine (Pre-logon) then switch to On-Demand, set the value of Pre-logon Tunnel Rename Timeout to -1. View the VPN advanced options to edit this field.
- Move the pre-logon app setting above other app settings.
- Edit all other app settings for authenticated users. Update the connect method and the certificate profile.
- Push the changes to Prisma Access.
Install a Machine Certificate—Windows
Install the machine certificate, which is used for authentication, on the endpoint.
- Export the self-signed root CA certificate from your PKI in Binary Encoded Certificate (DER) format.
- Transfer the certificate files to a Windows machine.
- Install the root pre-logon CA certificate in the Trusted Root Certification Authorities store of your local machine.
- Install the pre-logon machine certificate in the local machine store location.
- Proceed with the installation, enter the passphrase when prompted, and complete the installation.
- Connect to the GlobalProtect portal, and delete all cookies from the host.
- (Optional) Sign out of your machine and view the GlobalProtect logs to verify the pre-logon connection.
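The following PowerShell is an added example, not part of the Palo Alto Networks documentation: run from an elevated prompt, it performs the root CA and machine certificate installation described above and then checks that the installed machine certificate carries a private key and chains to the imported root, which is the condition the pre-logon certificate profile relies on. The file paths and file names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: install the pre-logon root CA and machine certificate on a Windows
# endpoint and verify the result. Paths below are assumptions; substitute your own.
$RootCaPath      = 'C:\Staging\prelogon-root-ca.cer'   # DER-encoded root CA export
$MachineCertPath = 'C:\Staging\prelogon-machine.pfx'   # machine certificate with private key

# 1. Root pre-logon CA into the Trusted Root Certification Authorities store (local machine)
$root = Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Machine certificate into the local machine Personal store; prompt for the PFX passphrase
$pfxPassword = Read-Host -Prompt 'PFX passphrase' -AsSecureString
$machine = Import-PfxCertificate -FilePath $MachineCertPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 3. Verify: the certificate must have a usable private key ...
if (-not $machine.HasPrivateKey) {
    throw 'Machine certificate has no private key; GlobalProtect cannot use it for pre-logon.'
}

# ... and must chain to the root CA that the pre-logon certificate profile trusts.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
# The endpoint may have no network before logon, so do not require a revocation lookup here.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($machine)) {
    throw "Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw 'Machine certificate does not chain to the imported pre-logon root CA.'
}
"Installed $($machine.Subject) (thumbprint $($machine.Thumbprint)), valid until $($machine.NotAfter)"
```

Because the certificate lands in the local machine store rather than a user store, it is available to the GlobalProtect service before any user signs in.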