How to check if endpoints have a tunnel connection to the gateway in GlobalProtect Pre-Logon

Created On 04/03/20 03:38 AM - Last Modified 04/27/20 17:52 PM


Environment


  • PAN-OS 8.1 and above
  • GlobalProtect app version 4.1.x, 5.0 and above.
  • GlobalProtect Configured with Pre-logon.
  • Endpoint device with pre-installed certificate for authenticating the machine (not the user)
Note: Installing the machine certificate on the endpoint is beyond the scope of this article. Please refer to the KB article on how to configure GlobalProtect Pre-logon.

Cause



As the name 'pre-logon' suggests, GlobalProtect connects before a user logs on to the machine: the endpoint authenticates with its machine certificate and establishes the VPN tunnel before any user has logged in. This article shows how to verify, from the gateway side, that such a tunnel exists and that it is handed over to the user once they log in.

Resolution

Steps:

1) Open the web UI of the firewall on which the GlobalProtect gateway is configured and to which the endpoint connects. Go to Network > GlobalProtect > Gateways and click "Remote Users" for that gateway, as shown below.

[Screenshot: Gateway > Remote Users]


2) Before the user logs in to the local machine, the Remote Users list shows the username "pre-logon" together with the computer name and the other details of the pre-logged-on machine. This entry is the machine tunnel: it was authenticated with the machine certificate only, not with any user credentials.

[Screenshot: Remote Users before the user logs in to the local machine]


3) After the user logs in to the local machine, the username in the same entry is replaced by the actual authenticated username of that user.

[Screenshot: Remote Users showing the authenticated user after login to the local machine]
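The same check can be scripted so that it does not depend on someone watching the web UI. The following is an added example, not Palo Alto Networks code: it runs the PAN-OS operational command `show global-protect-gateway current-user gateway <name>` through the XML API (type=op) and splits the returned sessions into pre-logon (machine) tunnels and tunnels that have already been taken over by a logged-in user. It assumes the response carries one <entry> per session with child elements username, computer, client-ip, virtual-ip and login-time (verify these names against your firewall's real output), and that the API key is sent in the X-PAN-KEY header (PAN-OS 9.0 and later; on 8.1 pass it as key= in the query string instead). The gateway name "GP-GW", hostname "fw.example.com" and the sample response are constructed for the example.

```python
"""List GlobalProtect gateway sessions and flag the ones still in pre-logon.

Added example for this KB article; not Palo Alto Networks code. Field names in
the response and the X-PAN-KEY header are assumptions described in the lead-in.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PRELOGON_USER = "pre-logon"  # username the gateway shows for a machine-only tunnel
SESSION_FIELDS = ("username", "computer", "client-ip", "virtual-ip", "login-time")


def build_op_cmd(gateway: str) -> str:
    """XML form of: show global-protect-gateway current-user gateway <gateway>."""
    return (
        "<show><global-protect-gateway><current-user>"
        f"<gateway>{escape(gateway)}</gateway>"
        "</current-user></global-protect-gateway></show>"
    )


def fetch_current_users(host: str, api_key: str, gateway: str, verify_tls: bool = True) -> str:
    """Run the op command on the firewall and return the raw XML response text."""
    query = urllib.parse.urlencode({"type": "op", "cmd": build_op_cmd(gateway)})
    req = urllib.request.Request(f"https://{host}/api/?{query}", headers={"X-PAN-KEY": api_key})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab firewall with a self-signed management certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


def classify_sessions(xml_text: str) -> dict:
    """Split sessions into pre-logon (machine) tunnels and user-authenticated tunnels.

    A pre-logon entry means the endpoint authenticated with its machine
    certificate only and no user has taken over the tunnel yet.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or "no message"
        raise RuntimeError(f"XML API call failed: {msg}")
    sessions = {"pre-logon": [], "user": []}
    for entry in root.iter("entry"):
        session = {field: (entry.findtext(field) or "").strip() for field in SESSION_FIELDS}
        bucket = "pre-logon" if session["username"].lower() == PRELOGON_USER else "user"
        sessions[bucket].append(session)
    return sessions


def report(sessions: dict) -> list:
    """One human-readable line per session, pre-logon tunnels first."""
    lines = []
    for bucket in ("pre-logon", "user"):
        for s in sessions[bucket]:
            lines.append(f"{bucket:9} {s['computer']:<16} {s['username']:<20} "
                         f"{s['client-ip']:<15} -> {s['virtual-ip']:<15} since {s['login-time']}")
    return lines


# Constructed sample response (not captured from a real firewall): one endpoint
# still in pre-logon, one whose user has logged in and taken over the tunnel.
SAMPLE_RESPONSE = """<response status="success"><result>
  <entry>
    <domain></domain>
    <username>pre-logon</username>
    <computer>LAPTOP-01</computer>
    <client-ip>203.0.113.10</client-ip>
    <virtual-ip>10.10.0.5</virtual-ip>
    <login-time>Apr.03 09:12:44</login-time>
  </entry>
  <entry>
    <domain>example</domain>
    <username>jdoe</username>
    <computer>LAPTOP-02</computer>
    <client-ip>198.51.100.23</client-ip>
    <virtual-ip>10.10.0.6</virtual-ip>
    <login-time>Apr.03 09:15:02</login-time>
  </entry>
</result></response>"""


if __name__ == "__main__":
    # Offline demo on the sample above. Against a live firewall use instead:
    #   xml_text = fetch_current_users("fw.example.com", API_KEY, "GP-GW")
    for line in report(classify_sessions(SAMPLE_RESPONSE)):
        print(line)
```

Running this periodically and comparing the two buckets over time gives the same picture as steps 2 and 3 above: an endpoint should appear under pre-logon first and then move to the user bucket once somebody logs in. A machine that stays in pre-logon long after its user is at the keyboard, or that never appears at all, is the one to look at (wrong or missing machine certificate, or the user tunnel failing to come up).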


Additional Information

Note: On Windows endpoints the established pre-logon tunnel is reused after the user logs in to the machine, so the entry seen in step 2 simply changes its username. macOS endpoints behave differently with pre-logon: the pre-logon tunnel is torn down and a new tunnel is created when the user logs in, so the endpoint briefly has no tunnel and then reappears in Remote Users as a new session.
