Pre-logon User Does Not Appear in Traffic Logs

Pre-logon User Does Not Appear in Traffic Logs

Created On 09/25/18 19:24 PM - Last Modified 02/08/19 00:03 AM



When using the pre-logon feature for GlobalProtect, the user "pre-logon" is not shown in the traffic logs and log details on the web UI:

Screen Shot 2014-01-17 at 07.55.33.png

Screen Shot 2014-01-17 at 07.57.49.png


PAN-OS 5.0 introduced the "pre-logon" feature for GlobalProtect. This feature makes it possible for the client to connect to the GlobalProtect Gateway before

an actual user is logged in. All traffic that is sent during this pre-logon stage is recognized by the Palo Alto Networks device with source user "pre-logon".

For example:

> show global-protect-gateway current-user

GlobalProtect Gateway: gp_gw (1 users)

Tunnel Name          : gp_gw-N

     Domain-User Name          : \pre-logon

     Computer                  : LAB

     Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit

     Private IP                :

     Public IP                 :

     ESP                       : exist

     SSL                       : none

     Login Time                : Dec.16 08:27:07

     Logout/Expiration         : Jan.15 08:27:07

     TTL                       : 2565010 Inactivity

     TTL            : 7902

Also sessions are associated with this source user:

> show session id 6146

Session 6146

  c2s flow:

  source: [L3-200]


  proto: 17

  sport: 138 dport: 138

  state: ACTIVE type: FLOW

  src user: pre-logon

  dst user: unknown

  s2c flow:

  source: [L3-Untrust]


  proto: 17

  sport: 138 dport: 61431

  state: ACTIVE type: FLOW

  src user: unknown

  dst user: pre-logon


This is the expected behavior, as the "pre-logon" user is not a real user. Also, the "pre-logon" term alone does not indicate a particular client, so "pre-logon" applies to any client with pre-logon enabled.

owner: rvanderveken

  • Print
  • Copy Link

Choose Language