How to check if an endpoint has a tunnel connection to the gateway in GlobalProtect Pre-Logon

Created On 04/03/20 03:38 AM - Last Modified 04/27/20 17:52 PM


Environment
  • PAN-OS 8.1 and above
  • GlobalProtect app version 4.1.x, 5.0 and above.
  • GlobalProtect Configured with Pre-logon.
  • Endpoint device with a pre-installed certificate for authenticating the machine (not the user).

Note: Installing the machine certificate on the endpoint is beyond the scope of this article. Please refer to the KB article on how to configure GlobalProtect Pre-logon.

Cause

As the name "pre-logon" suggests, GlobalProtect connects before a user logs on to the machine: the endpoint establishes a VPN tunnel, authenticated by its machine certificate, before any user has logged in. This article shows how to verify on the gateway that this tunnel exists.

Resolution

Steps:

1) Open the web UI of the firewall on which the GlobalProtect gateway the endpoint connects to is configured. Click "Remote Users" as shown in the screenshot below.

Gateway-Remote-Users


2) Before the user logs in to the local machine, the entry shows the username "pre-logon" along with the other details of the pre-logged-on machine.

Before the user logs in to the local machine.


3) Once the user logs in to the local machine, the username is replaced with the actual authenticated username.

Authenticated user after logging in to the local machine.
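As an added example (not part of this KB article), the following Python script applies the same distinction the screenshots above show: a Remote Users entry whose username is the placeholder "pre-logon" is a machine-only tunnel, anything else is a user-authenticated session. It parses an XML form of the gateway's current-user listing (the CLI equivalent is `show global-protect-gateway current-user`); the element names username, computer, client-ip and virtual-ip, and the sample listing, are assumptions and should be adjusted to what your PAN-OS version actually returns.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

PRELOGON_USER = "pre-logon"  # placeholder username the gateway shows before any user logs on

@dataclass
class GPSession:
    username: str
    computer: str
    client_ip: str
    virtual_ip: str

    @property
    def is_prelogon(self) -> bool:
        # Machine-only tunnel: the gateway has authenticated the device, not a user.
        return self.username.lower() == PRELOGON_USER

def _text(entry: ET.Element, tag: str) -> str:
    node = entry.find(tag)
    return (node.text or "").strip() if node is not None else ""

def parse_current_users(xml_text: str) -> list[GPSession]:
    """Turn each <entry> of a current-user listing into a GPSession (element names assumed)."""
    root = ET.fromstring(xml_text)
    return [GPSession(_text(e, "username"), _text(e, "computer"),
                      _text(e, "client-ip"), _text(e, "virtual-ip"))
            for e in root.iter("entry")]

def tunnel_for(sessions: list[GPSession], computer: str) -> Optional[GPSession]:
    """The article's check for one endpoint: its current session, or None if it has no tunnel."""
    return next((s for s in sessions if s.computer.lower() == computer.lower()), None)

def summarize(sessions: list[GPSession]) -> dict[str, list[str]]:
    """Split connected endpoints into pre-logon (machine) and authenticated (user) sessions."""
    return {
        "prelogon": sorted(s.computer for s in sessions if s.is_prelogon),
        "authenticated": sorted(f"{s.username}@{s.computer}" for s in sessions if not s.is_prelogon),
    }

# Constructed sample listing, not real gateway output: one pre-logon machine and one logged-in user.
SAMPLE_XML = """<response status="success"><result>
  <entry><username>pre-logon</username><computer>LAPTOP-01</computer>
         <client-ip>203.0.113.10</client-ip><virtual-ip>10.0.0.5</virtual-ip></entry>
  <entry><username>jdoe</username><computer>LAPTOP-02</computer>
         <client-ip>203.0.113.11</client-ip><virtual-ip>10.0.0.6</virtual-ip></entry>
</result></response>"""
```

Running `summarize(parse_current_users(SAMPLE_XML))` lists LAPTOP-01 under "prelogon" and jdoe@LAPTOP-02 under "authenticated"; point `parse_current_users` at a real listing to check your own endpoints.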


Additional Information

Note: On Windows endpoints, the established pre-logon tunnel is reused after the user logs in to the machine. macOS endpoints behave differently with pre-logon: the pre-logon tunnel is torn down and a new tunnel is created when the user logs in, so the endpoint briefly disappears from the Remote Users list before reappearing under the user's name.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPRZ&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail