GlobalProtect Pre-logon intermittently working due to missing machine certificate subject name
Created On 03/21/21 06:32 AM - Last Modified 05/16/23 21:01 PM
Symptom
- GlobalProtect client using the pre-logon connect method with machine certificate authentication only.
- The certificate profile for GP on the firewall has the Username Field set to Subject Alt with Principal Name.
- The PKI infrastructure deploys machine certificates (with the private key) into each PC's Local Computer store via Group Policy.
- The Root CA cert and Intermediate CA cert were already imported into the FW and PCs.
- GP Portal and GW authentication configured with certificate profile only (no other authentication profile) and no authentication cookies override.
- In about 90% of attempts the GP pre-logon connection was not successful: GP showed "disconnected" before the user logged into Windows.
- In the remaining 10% or so the connection appeared to succeed, since GP did not show "disconnected", but it never showed "connected" at the Windows logon screen either. Immediately after the user logged into Windows, the GP icon in the taskbar (bottom right) showed red as disconnected, and a few seconds later it auto-connected successfully and the icon turned green. So GP was connecting after the user logged into Windows rather than before, as pre-logon should.
Environment
- Palo Alto Firewalls.
- Supported PAN-OS.
- GlobalProtect (GP) portal and gateway with certificate profile
- GlobalProtect App.
- Pre-logon connect method.
- Windows Clients.
Cause
- The machine certificate imported into the Local Computer store (with the private key) had an empty Subject field.
- Instead, it carried only a Subject Alternative Name extension with a Principal Name (UPN) and a DNS Name.
- For the pre-logon tunnel, each machine certificate must have a populated Subject field (for example, CN=laptop1.example.com), because GP identifies the endpoint by the Subject rather than by a "username", regardless of the Username Field configured in the certificate profile.
Resolution
- On the PKI, add a Subject field with a CN (the device name) to the machine certificate and push the new machine certificate to the PC via Group Policy.
- Restart the PC; GlobalProtect then shows "Connected" on the Windows logon screen before the user logs into Windows.
- This confirms that GlobalProtect pre-logon is working as expected.
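The following PowerShell check is an added example, not part of the original article, for confirming on the Windows client that the pushed machine certificate actually has a Subject. It reads the Local Computer personal store (the store path is an assumption; it is where Group Policy normally places machine certificates) and flags certificates whose Subject is empty, which is the failing case described in the Cause section.

```powershell
# Added example: enumerate machine certificates with a private key in the
# Local Computer personal store and flag any with an empty Subject, which
# GlobalProtect pre-logon cannot use as the endpoint identity.
# Run from an elevated PowerShell prompt on the Windows client.
function Get-GpMachineCertificateStatus {
    [CmdletBinding()]
    param(
        # Assumption: machine certificates deployed by Group Policy land in
        # the Local Computer "Personal" store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # Subject Alternative Name extension (OID 2.5.29.17), decoded to text
        # so the UPN / DNS Name entries are visible next to the Subject.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

        # A certificate with an empty Subject has only the SAN to identify it;
        # pre-logon needs the Subject (for example CN=<device name>).
        $hasSubject = -not [string]::IsNullOrWhiteSpace($cert.Subject)

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            SAN        = $san
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            PrelogonOK = $hasSubject
            Note       = if ($hasSubject) { 'Subject present' } else { 'Empty Subject: add a CN on the PKI template' }
        }
    }
}

# Usage: list every machine certificate, with the ones needing a fix first.
Get-GpMachineCertificateStatus | Sort-Object PrelogonOK | Format-Table -AutoSize
```

If every row shows PrelogonOK as True and the Issuer chains to the CA certificates imported on the firewall, the client-side certificate requirement for pre-logon is satisfied.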
Additional Information
Machine certificate requirements
Note:
- If only a certificate profile is used (no other authentication profile), the Username Field in the certificate profile must be set, because GP needs an IP-to-user mapping for the user tunnel after the user logs in to the machine.
- Otherwise, no GP mapping can be created, since there is no username to associate with the IP address assigned to the user tunnel.
- When both an authentication profile (such as LDAP) and a certificate profile are used for GP authentication, and the certificate profile on the firewall has its Username Field set to CN, the username learned from the certificate takes precedence over the username supplied via LDAP.