Palo Alto Networks Knowledgebase: Pre-logon User Does Not Appear in Traffic Logs

Created On 02/08/19 00:03 AM - Last Updated 02/08/19 00:03 AM
Reporting and Logging
Resolution

Symptom

When using the pre-logon feature for GlobalProtect, the user "pre-logon" is not shown in the traffic logs and log details on the web UI:


Details

PAN-OS 5.0 introduced the "pre-logon" feature for GlobalProtect. This feature makes it possible for the client to connect to the GlobalProtect Gateway before an actual user is logged in. All traffic that is sent during this pre-logon stage is recognized by the Palo Alto Networks device with source user "pre-logon".

For example:

> show global-protect-gateway current-user

GlobalProtect Gateway: gp_gw (1 users)
Tunnel Name          : gp_gw-N
     Domain-User Name          : \pre-logon
     Computer                  : LAB
     Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit
     Private IP                : 10.10.10.1
     Public IP                 : 172.16.31.83
     ESP                       : exist
     SSL                       : none
     Login Time                : Dec.16 08:27:07
     Logout/Expiration         : Jan.15 08:27:07
     TTL                       : 2565010
     Inactivity TTL            : 7902

Sessions are also associated with this source user:

> show session id 6146

Session 6146
  c2s flow:
    source: 10.10.10.1 [L3-200]
    dst: 172.16.31.98
    proto: 17
    sport: 138 dport: 138
    state: ACTIVE type: FLOW
    src user: pre-logon
    dst user: unknown
  s2c flow:
    source: 172.16.31.98 [L3-Untrust]
    dst: 172.16.31.242
    proto: 17
    sport: 138 dport: 61431
    state: ACTIVE type: FLOW
    src user: unknown
    dst user: pre-logon

Cause

This is the expected behavior, as the "pre-logon" user is not a real user. Also, the "pre-logon" term alone does not indicate a particular client, so "pre-logon" applies to any client with pre-logon enabled.

owner: rvanderveken
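Because "pre-logon" does not identify a particular client, the Computer and Private IP fields of the gateway output are what tie pre-logon traffic to a machine. The following is an added example, not code from the article or from Palo Alto Networks: it parses saved `show global-protect-gateway current-user` output and labels traffic log rows that have no user. The sample text, the second tunnel, the `(src, dst, user)` row layout and all function names are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the CLI output shown in the article;
# the second tunnel (example\alice) is invented for contrast.
SAMPLE = """\
GlobalProtect Gateway: gp_gw (2 users)
Tunnel Name          : gp_gw-N
     Domain-User Name          : \\pre-logon
     Computer                  : LAB
     Private IP                : 10.10.10.1
     Public IP                 : 172.16.31.83
     Login Time                : Dec.16 08:27:07
Tunnel Name          : gp_gw-N
     Domain-User Name          : example\\alice
     Computer                  : LAB2
     Private IP                : 10.10.10.2
     Public IP                 : 172.16.31.84
     Login Time                : Dec.16 09:01:12
"""

# "Key : value", split at the first colon so timestamps stay in the value.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_current_users(text):
    """Split the CLI output into one dict per tunnel, keyed by field name."""
    tunnels = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m or m.group(1) == "GlobalProtect Gateway":
            continue
        key, value = m.groups()
        if key == "Tunnel Name":      # each tunnel record starts here
            tunnels.append({})
        if tunnels:
            tunnels[-1][key] = value
    return tunnels

def prelogon_map(tunnels):
    """Map private IP -> computer name for tunnels whose user is pre-logon."""
    out = {}
    for t in tunnels:
        user = t.get("Domain-User Name", "").rsplit("\\", 1)[-1]
        if user.lower() == "pre-logon" and "Private IP" in t:
            out[t["Private IP"]] = t.get("Computer", "unknown")
    return out

def attribute(log_rows, ip_to_computer):
    """Label user-less (src, dst, user) rows whose source is a pre-logon tunnel."""
    return [(src, dst, "pre-logon@" + ip_to_computer[src])
            for src, dst, user in log_rows
            if not user and src in ip_to_computer]
```

The mapping is only valid for the period between the tunnel's Login Time and its logout, so take the gateway snapshot close to the log window being reviewed.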


