How to check if endpoints have tunnel connection to the gateway in GlobalProtect Pre-Logon
Environment
- NGFW
- PAN-OS 8.1 and above
- GlobalProtect app version 4.1.x, 5.0 and above.
- GlobalProtect Pre-logon (always-on) connection method
- Endpoint device with pre-installed certificate for authenticating the machine (not the user)
Note:
Installing the machine certificate on the endpoint is beyond the scope of this article. Please use this KB article on how to configure GlobalProtect Pre-logon.
Cause
As the name 'pre-logon' suggests, GlobalProtect connects before a user logs on to the machine: the endpoint establishes a VPN tunnel, authenticated with the machine certificate, before any user actually logs in. This article shows how to verify on the gateway that this tunnel exists.
Resolution
1) Open the web UI of the firewall on which the GlobalProtect gateway is configured and to which the endpoint connects. Click "Remote Users" as seen in the display below.
2) Before the user logs in to the local machine, the entry shows the user name "pre-logon" along with the other details of the pre-logged-on machine.
3) When the user logs in to the local machine, the entry is renamed to the actual authenticated username of that user.
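The same check can be automated instead of read off the "Remote Users" screen. The following is an added example, not Palo Alto Networks code: it parses XML shaped like the output of the PAN-OS operational command `show global-protect-gateway current-user` (the CLI/XML API counterpart of the Remote Users view) and reports which endpoints are still in the machine-only "pre-logon" state and which have been renamed to a real user. The element and tag names used (`entry`, `username`, `computer`, `client`, `login-time`) and the sample data are assumptions constructed for illustration; compare them against your own firewall's output before relying on the parser.

```python
"""Classify GlobalProtect gateway sessions as pre-logon or user-authenticated.

Added example, not Palo Alto Networks code. The XML layout below (entry,
username, computer, client, login-time) is an ASSUMED shape for the output of
`show global-protect-gateway current-user`; verify the tag names against the
output of your own firewall.
"""
import xml.etree.ElementTree as ET

# The literal user name the gateway shows for a machine-certificate tunnel
# before anyone has logged on (see step 2 above).
PRE_LOGON_USER = "pre-logon"

# Constructed sample output: one Windows machine still in pre-logon, one whose
# entry was renamed after the user logged in, and one macOS machine in pre-logon.
SAMPLE_XML = """<response status="success"><result>
  <entry>
    <username>pre-logon</username>
    <computer>WIN-LAPTOP-01</computer>
    <client>Microsoft Windows 10</client>
    <login-time>Jun.01 09:00:12</login-time>
  </entry>
  <entry>
    <username>jdoe</username>
    <computer>WIN-LAPTOP-02</computer>
    <client>Microsoft Windows 10</client>
    <login-time>Jun.01 09:03:40</login-time>
  </entry>
  <entry>
    <username>pre-logon</username>
    <computer>MAC-BOOK-07</computer>
    <client>Mac OS X 10.15</client>
    <login-time>Jun.01 09:05:01</login-time>
  </entry>
</result></response>"""


def parse_sessions(xml_text):
    """Return one dict per <entry> element found anywhere in the response."""
    root = ET.fromstring(xml_text)
    sessions = []
    for entry in root.iter("entry"):
        sessions.append({
            "username": (entry.findtext("username") or "").strip(),
            "computer": (entry.findtext("computer") or "").strip(),
            "client": (entry.findtext("client") or "").strip(),
            "login_time": (entry.findtext("login-time") or "").strip(),
        })
    return sessions


def classify(sessions):
    """Split sessions into pre-logon (machine-only) and user-authenticated.

    An entry whose username is exactly "pre-logon" is a tunnel built with the
    machine certificate on which no user has logged on yet.
    """
    pre_logon = [s for s in sessions if s["username"] == PRE_LOGON_USER]
    users = [s for s in sessions if s["username"] != PRE_LOGON_USER]
    return pre_logon, users


def report(xml_text):
    """Human-readable summary, one line per endpoint."""
    pre_logon, users = classify(parse_sessions(xml_text))
    lines = []
    for s in pre_logon:
        lines.append(f"PRE-LOGON  {s['computer']:<14} {s['client']}  since {s['login_time']}")
    for s in users:
        lines.append(f"USER       {s['computer']:<14} {s['username']} ({s['client']})  since {s['login_time']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_XML))
```

Pointing `parse_sessions` at the real XML API response (the `<result>` element of a `type=op` request for that command) turns the manual check in steps 2 and 3 into something that can be run on a schedule and alerted on, for instance when an endpoint stays in the pre-logon state far longer than its users normally take to log on.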
Additional Information
On Windows endpoints, the established pre-logon tunnel is reused after the user logs in to the machine. macOS endpoints behave differently: the pre-logon tunnel is torn down, and a new tunnel is created when the user logs in.