Pre-logon User Does Not Appear in Traffic Logs
Resolution
Symptom
When the GlobalProtect pre-logon feature is in use, sessions from the pre-logon tunnel show a blank Source User in the traffic logs and in the log details on the web UI; the user "pre-logon" does not appear there.
Details
The Pre-logon connect method allows the GlobalProtect client to establish a tunnel to the GlobalProtect gateway before any user has logged on to the endpoint. All traffic sent during this pre-logon stage is identified by the Palo Alto Networks firewall with the source user "pre-logon", as the gateway's current-user table shows.
For example:
> show global-protect-gateway current-user
GlobalProtect Gateway: Gateway (1 users)
Tunnel Name : Gateway-N
Domain-User Name : :pre-logon
Computer : 79B99C97-A3EC-4
Primary Username : pre-logon
Region for Config : 10.0.0.0-10.255.255.255
Source Region : 10.0.0.0-10.255.255.255
Client : Microsoft Windows 10 Enterprise , 64-bit
VPN Type : Device Level VPN
Mobile ID :
Client OS : Windows
Private IP : 172.172.172.250
Private IPv6 : ::
Public IP (connected) : 10.46.224.142
Public IPv6 : ::
Client IP : 10.46.224.142
ESP : exist
SSL : none
Login Time : Jun.15 14:49:15
Logout/Expiration : Jul.15 14:49:15
TTL : 2591940
Inactivity TTL : 10786
Request - Login : 2023-06-15 14:49:15.350 (1686865755350), 10.46.224.142
Request - GetConfig : 2023-06-15 14:49:15.506 (1686865755506), 10.46.224.142
Request - SSLVPNCONNECT : (0), ::
Sessions are also associated with this source user in the session table:
> show session id 7668
Session 7668
c2s flow:
source: 172.172.172.250 [L3-Trust]
dst: 72.21.81.240
proto: 6
sport: 57933 dport: 80
state: ACTIVE type: FLOW
src user: pre-logon
dst user: unknown
s2c flow:
source: 72.21.81.240 [L3-Untrust]
dst: 10.46.42.182
proto: 6
sport: 80 dport: 3544
state: ACTIVE type: FLOW
src user: unknown
dst user: pre-logon
start time : Thu Jun 15 14:50:48 2023
timeout : 15 sec
time to live : 13 sec
total byte count(c2s) : 47544
total byte count(s2c) : 1869358
layer7 packet count(c2s) : 765
layer7 packet count(s2c) : 1341
vsys : vsys1
application : ms-update
rule : Trust-to-Untrust
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
address/port translation : source
nat-rule : Trust-NAT(vsys1)
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : True
session terminate tunnel : False
captive portal session : False
ingress interface : tunnel.1
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
tracker stage firewall : TCP FIN
tracker stage l7proc : ctd err sw
end-reason : tcp-fin
Cause
A blank Source User in the traffic logs for sessions from the pre-logon tunnel is expected behavior. "pre-logon" is not a real user and does not identify a particular client or person; it is a placeholder that applies to every endpoint connecting with pre-logon enabled, so it is not written into the Source User field of the traffic log even though the gateway's current-user table and the session table display it. Pre-logon traffic can still be distinguished in the traffic logs by the security rule it matches (a rule whose Source User is set to pre-logon) and by the source address assigned from the gateway's IP pool.
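Because the traffic log itself carries no user for these sessions, the practical check is to correlate the log's source address with the gateway's current-user table. The script below is an added example, not code from this article or from Palo Alto Networks: it parses a constructed excerpt of "show global-protect-gateway current-user" output (modelled on the page's example, with a second, invented logged-in user "jdoe" added) and a constructed traffic-log export with a reduced, invented set of column names, then returns the rows whose blank Source User belongs to a pre-logon tunnel rather than to an ordinary unmapped host.

```python
import csv
import io
from typing import Dict, List

# Constructed excerpt of "show global-protect-gateway current-user" output,
# modelled on the page's example. The second (logged-in) user is invented so
# the filter has a non-pre-logon tunnel to ignore.
GATEWAY_CURRENT_USER = """\
GlobalProtect Gateway: Gateway (2 users)
Tunnel Name : Gateway-N
Domain-User Name : :pre-logon
Computer : 79B99C97-A3EC-4
Primary Username : pre-logon
Private IP : 172.172.172.250
Private IPv6 : ::
Public IP (connected) : 10.46.224.142
Tunnel Name : Gateway-N
Domain-User Name : example\\jdoe
Computer : LAPTOP-01
Primary Username : jdoe
Private IP : 172.172.172.251
Private IPv6 : ::
Public IP (connected) : 10.46.224.150
"""

# Constructed traffic-log export with an invented, reduced set of columns
# (a real PAN-OS CSV export has many more). srcuser is blank for the
# pre-logon session, as the page describes, and also for a LAN host that
# simply has no User-ID mapping.
TRAFFIC_LOG_CSV = """\
receive_time,src,dst,srcuser,rule,app,action
2023/06/15 14:50:48,172.172.172.250,72.21.81.240,,Trust-to-Untrust,ms-update,allow
2023/06/15 14:51:02,172.172.172.251,93.184.216.34,example\\jdoe,Trust-to-Untrust,web-browsing,allow
2023/06/15 14:51:10,10.46.42.50,72.21.81.240,,Trust-to-Untrust,ms-update,allow
"""


def parse_current_user(output: str) -> Dict[str, str]:
    """Map each tunnel's Private IP to its Primary Username.

    Every user block in the CLI output begins with a "Tunnel Name" line and
    the remaining lines are "Key : Value". Values may contain colons (IPv6
    "::", timestamps), so split on the first colon only.
    """
    mapping: Dict[str, str] = {}
    block: Dict[str, str] = {}

    def flush() -> None:
        if "Private IP" in block:
            mapping[block["Private IP"]] = block.get("Primary Username", "")

    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Tunnel Name":      # a new user block starts here
            flush()
            block = {}
        block[key] = value
    flush()                           # last block has no trailing "Tunnel Name"
    return mapping


def find_prelogon_sessions(csv_text: str, ip_to_user: Dict[str, str]) -> List[Dict[str, str]]:
    """Return traffic-log rows that belong to a pre-logon tunnel.

    The firewall leaves srcuser blank for these sessions, so the source
    address is correlated with the gateway table. Rows with a populated
    srcuser are skipped, and rows with a blank srcuser whose source is not a
    pre-logon tunnel address are skipped too; that second rule is what keeps
    ordinary unmapped hosts out of the result.
    """
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["srcuser"].strip():
            continue
        if ip_to_user.get(row["src"]) == "pre-logon":
            annotated = dict(row)
            annotated["srcuser"] = "pre-logon"   # label in the report only; the firewall log stays blank
            hits.append(annotated)
    return hits


if __name__ == "__main__":
    table = parse_current_user(GATEWAY_CURRENT_USER)
    for hit in find_prelogon_sessions(TRAFFIC_LOG_CSV, table):
        print(hit["receive_time"], hit["src"], "->", hit["dst"], hit["app"], hit["rule"])
```

The current-user table is a point-in-time snapshot, so it has to be captured while the pre-logon tunnel is still up and compared only against log rows inside that tunnel's Login/Logout window; once a user logs on, the same endpoint is reported under the real username instead.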