Palo Alto Networks Knowledgebase: GlobalProtect Prelogon Using Cookie Based Authentication

Created On 02/07/19 23:55 PM - Last Updated 02/07/19 23:55 PM
GlobalProtect Prisma Access
Resolution

Overview

The GlobalProtect prelogon connect method lets the GlobalProtect agent authenticate and establish the VPN tunnel to the GlobalProtect gateway with a pre-installed device certificate before any user has logged in. Because the tunnel is already up, domain logon scripts run when the user logs in instead of relying on cached credentials. Before the user logs in there is no username associated with the traffic, so a security policy that matches the prelogon user must exist for the client system to reach anything in the trust zone. Such policies should allow only the basic services needed to bring the system up, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, and/or operating system update services. Once the user logs in and authenticates, the VPN tunnel is renamed to include the username so that user- and group-based policy can be enforced.

With pre-logon, when an agent connects to the portal for the first time, the end user must authenticate (either through an authentication profile or a certificate profile configured to validate a client certificate containing a username). After authentication succeeds, the portal pushes the client configuration to the agent along with a cookie that will be used for portal authentication to receive a configuration refresh. When a client system attempts to connect in pre-logon mode, it will use cookies to authenticate to the portal and receive its pre-logon client configuration. It will connect to the gateway specified in the configuration and authenticate using its device certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel.


Steps

In this example the Palo Alto Networks firewall holds a Root CA certificate, and that Root CA signs both the server certificate and the device certificate. Export the device (machine) certificate and the Root CA certificate to each device that will connect using GlobalProtect. Customers can instead issue device certificates from their own PKI; in that case the firewall admin imports the Root CA that signs those device certificates into the Palo Alto Networks firewall.

Configure the certificates required for prelogon

  1. Go to Device > Certificate Management > Certificates > Device Certificate and select the "GP Machine Cert"(used for this example) device certificate:
    1.jpg
  2. Click Export:
    2.jpg
  3. Select Root CA and Export:
    3.jpg
  4. Download the certs and install them onto their cert stores:
    1. For Mac OS X clients
      1. Open Keychain Access and go to the System keychains:
        4.jpg
      2. In the Access Control settings of the device certificate's private key, allow all applications to use the key, and make sure the Root CA certificate is marked as trusted:
        5.jpg
        5.1.jpg
    2. For Windows clients
      The correct way to import the certificates is either a GPO-based install or a manual import. Below is an example for a Windows 7 device, using the Certificates MMC snap-in:
      1. Delete any previous, incorrect machine certificate and Root CA certificate from the stores in the MMC.
      2. Right-click LOCAL COMPUTER > Personal > Certificates, choose All Tasks > Import, and import the machine certificate (with its private key).
      3. Right-click CURRENT USER > Trusted Root Certification Authorities > Certificates, choose All Tasks > Import, and import the Root CA certificate.
      4. Right-click LOCAL COMPUTER > Trusted Root Certification Authorities > Certificates, choose All Tasks > Import, and import the Root CA certificate.
        Below are examples for installing the device certificate:
        mmc-snap.png
        mmc-snap-2.png
        mmc-snap-3.png
        Note: For more information about the MMC, see the TechNet library on the Microsoft website.
  5. Create a client Certificate Profile that includes the root certificate:
    6.jpg
  6. Configure the portal as shown below:
    7.jpg
    1. Enter values for Portal Configuration.
      The Portal Configuration does not require a client certificate; one was mandatory for prelogon to work prior to PAN-OS 6.0.
      7.1.jpg
    2. On the Client Configuration tab, configure the prelogon client configurations to use Cookie Authentication for Config Refresh (CACR):
      7.2.jpg
      For both the client configurations, "Cookie authentication for config refresh" is chosen as the Authentication Modifier type. The Connect Method selected should be "pre-logon" and the "Use single sign-on" checkbox should be selected in both cases:
      7.3.jpg
      7.4.jpg
  7. Configure the GlobalProtect Gateway as shown below:
    8.jpg

Once the changes are committed, the configuration on the interfaces should reflect the GlobalProtect settings:
9.jpg
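The Windows import in step 4 above can also be scripted and, more importantly, verified before the first prelogon attempt. The following PowerShell is an added example and is not part of the KB article; it assumes the PKI module (Windows 8.1 / Server 2012 R2 or later), that the device certificate was exported as a PFX with its private key, and the file paths shown. On the Windows 7 device used in the article, certutil -importpfx and certutil -addstore Root perform the equivalent imports.

```powershell
# Added example (not from the KB article): import the exported GlobalProtect
# machine certificate and Root CA on a Windows client, then check the result.
# Assumed paths and file names; adjust to where the certs were downloaded.
$pfxPath  = 'C:\Temp\GP-Machine-Cert.pfx'   # device cert + private key (assumed name)
$rootPath = 'C:\Temp\Root-CA.cer'           # Root CA public certificate (assumed name)
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX export password'

# The machine certificate, with its private key, belongs in the computer's
# Personal store (LOCAL COMPUTER > Personal in the MMC), not the user's.
$machineCert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass

# The Root CA goes into the computer's Trusted Root store; the article also
# adds it to the current user's Trusted Root store.
$rootCert = Import-Certificate -FilePath $rootPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Import-Certificate -FilePath $rootPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# Check 1: the private key must be present. A certificate imported from a .cer
# file (public part only) silently cannot authenticate the device to the gateway.
if (-not $machineCert.HasPrivateKey) {
    throw 'Machine certificate was imported without its private key'
}

# Check 2: the machine cert must chain to a trusted root and carry the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), which the gateway's
# certificate profile validates.
$chainOk = Test-Certificate -Cert $machineCert -Policy BASE -EKU '1.3.6.1.5.5.7.3.2'
if (-not $chainOk) {
    throw 'Machine certificate does not chain to a trusted root or lacks the Client Auth EKU'
}

# Check 3: the issuer should be the Root CA just installed. If the device cert
# is issued by an intermediate CA instead, compare against that CA's subject.
if ($machineCert.Issuer -ne $rootCert.Subject) {
    Write-Warning "Issuer '$($machineCert.Issuer)' is not the installed Root CA '$($rootCert.Subject)'"
}

# Check 4: leftover certificates from earlier attempts (step 1 of the Windows
# procedure) are a common cause of confusing prelogon failures; list any other
# certificate from the same CA still in the Personal store.
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Issuer -eq $rootCert.Subject -and $_.Thumbprint -ne $machineCert.Thumbprint } |
    Select-Object Subject, NotAfter, Thumbprint

# Summary of what was installed
$machineCert | Select-Object Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
```

Run this in an elevated PowerShell session, because writing to the LocalMachine stores requires administrator rights. If check 1 fails, re-export the device certificate from the firewall in PKCS#12 format rather than as a Base64 certificate.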


Prelogon client authentication

  1. The user first connects to the portal and authenticates in order to download the GlobalProtect client. The portal pushes the client configuration to the agent, along with a cookie that will be used for portal authentication when the agent requests a configuration refresh:
    10.jpg
  2. When the user logs off, or when the client device finishes booting, the client system attempts to connect in prelogon mode and uses the cookie to authenticate to the portal and receive its prelogon client configuration. It then connects to the gateway specified in that configuration, authenticates with its device certificate (as specified in the certificate profile configured on the gateway), and establishes the VPN tunnel. Shown below is a snapshot taken after the user has logged off from the device; the device has been authenticated as the prelogon user:
    11.jpg

Prelogon logs on the Palo Alto Networks firewall

The firewall generates logs for the cookie-based authentications when the sslvpn logs are set to debug level. The example below shows the cookie-based authentication logs for the prelogon user:
12.jpg
When the end user logs in to the device and single sign-on (SSO) is enabled in the client configuration, the username is immediately reported to the gateway so that the tunnel can be renamed and user- and group-based policy enforced. If SSO is not enabled in the client configuration, or SSO is not supported on the client system (for example, a Mac OS system), the user's credentials must be stored in the agent (the "Remember Me" check box must be selected within the agent). The logs for the user authentication cookie are also generated, as shown below:
13.jpg

  • System logs for the prelogon functionality: The authentication type is cookie:
    14.jpg
  • System logs for the regular authentication: The authentication type is cookie:
    15.jpg


owner: kprakash

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEeCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail