GlobalProtect user incorrectly connects to a source region restricted Gateway when Pre-Logon is in use

Created On 11/13/23 09:10 AM - Last Modified 08/02/24 03:32 AM


Symptom


  • At user logon, the user may incorrectly connect to a source region restricted Gateway.
  • This happens when a Pre-Logon tunnel is already connected.


Environment


  • GlobalProtect Portal and Gateway
  • Pre-Logon tunnel is in use
  • Source region restricted Gateways
  • Supported PAN-OS Versions


Cause


  • The GlobalProtect Portal is responsible for setting the client's region code based on the source IP address that reaches the Portal.
  • When a user is connected using Pre-Logon, the tunnel is already established using certificate authentication before the user enters a username and password.
  • Because of this, the Portal sees an address from the GlobalProtect IP Pool as the source address and cannot correctly identify the source region.
  • As an example, in the PANGPS logs below the client's region is set to IN, but the setting is ignored due to "do not set region code while tunnel is on".
(P5432-T5508)Debug(7484): 09/27/23 16:16:48:953 REGION-PRIO, region code is IN
(P5432-T5508)Debug(13576): 09/27/23 16:16:48:953 REGION_PRIO, do not set region code while tunnel is on
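
To find endpoints where this condition occurred, the PANGPS log can be scanned for the two messages shown above. The following Python script is an added example, not Palo Alto Networks code; it assumes every relevant line follows the layout of the two log lines quoted in this article, and the name find_ignored_regions and the extra sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Layout assumed from the two PANGPS lines quoted in this article:
# (P<pid>-T<tid>)<Level>(<n>): MM/DD/YY HH:MM:SS:mmm REGION-PRIO, <message>
# The article shows both "REGION-PRIO" and "REGION_PRIO", so accept either.
LINE_RE = re.compile(
    r"^\(P(?P<pid>\d+)-T(?P<tid>\d+)\)\w+\(\s*\d+\):\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"REGION[-_]PRIO,\s*(?P<msg>.*)$"
)
CODE_RE = re.compile(r"region code is (?P<code>\S+)\s*$")
IGNORED = "do not set region code while tunnel is on"


def find_ignored_regions(lines):
    """Return one record per region code that was detected but not applied."""
    last_code = {}  # (pid, tid) -> region code most recently reported there
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a region-priority line
        key = (int(m["pid"]), int(m["tid"]))
        msg = m["msg"].strip()
        code = CODE_RE.search(msg)
        if code:
            last_code[key] = code["code"]
        elif msg == IGNORED:
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f")
            # region is None when no region line preceded it in this thread
            hits.append({"time": ts, "pid": key[0], "tid": key[1],
                         "region": last_code.pop(key, None)})
    return hits


SAMPLE = [
    # The two lines quoted in the article
    "(P5432-T5508)Debug(7484): 09/27/23 16:16:48:953 REGION-PRIO, region code is IN",
    "(P5432-T5508)Debug(13576): 09/27/23 16:16:48:953 REGION_PRIO, do not set region code while tunnel is on",
    # Constructed lines: an unrelated message, and a region code that is not ignored
    "(P5432-T5508)Debug(100): 09/27/23 18:02:09:500 constructed unrelated message",
    "(P5432-T5508)Debug(7484): 09/27/23 18:02:10:120 REGION-PRIO, region code is IN",
]

if __name__ == "__main__":
    for hit in find_ignored_regions(SAMPLE):
        print(f"{hit['time']:%Y-%m-%d %H:%M:%S} P{hit['pid']}-T{hit['tid']} "
              f"region {hit['region']} detected but ignored (tunnel was up)")
```

A non-empty result means the app detected a region while a tunnel was already up and did not apply it.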


Resolution


  1. Open the GlobalProtect Portal configuration (Network > GlobalProtect > Portals > <portal>).
  2. Navigate to the App configuration for the Pre-Logon user (Agent > <config> > App).
  3. Set the 'Pre-logon Tunnel Rename Timeout' to 0.
  4. Commit the configuration.
Note:
  • This setting will cause the Pre-Logon tunnel to disconnect when the user logs in.
  • The user's region code will no longer be ignored when they log in.


Additional Information


Customize the GlobalProtect App (paloaltonetworks.com)
