Basic GlobalProtect configuration with Pre-Logon then On-Demand

Created On 05/03/21 19:20 PM - Last Modified 07/19/23 17:34 PM


Objective


This document explains the GlobalProtect Pre-Logon then On-Demand connect method and the basic portal configuration it requires.

Environment


  •  GlobalProtect Infrastructure
  •  Endpoint with supported OS 


Procedure



Pre-Logon then On-Demand is a hybrid connect method. It combines the pre-logon capability, which establishes an authenticated tunnel before the user logs in to the endpoint, with the on-demand capability, which lets the user manually establish subsequent connections to external gateways.

This is useful when users forget their password, or change it with their help desk, and need network access over the pre-logon VPN tunnel in order to log in to their system.

Follow the steps below to configure the portal's agent configuration with the Pre-Logon then On-Demand connect method.
Note: The agent configuration is found under Network > GlobalProtect > Portals > (select the appropriate portal) > Agent > (select or create the appropriate agent config).
  1. Authentication
  • Give the client config any name.
  • Client Certificate: leave this set to None. It is needed only if you want to push a client certificate to the endpoint for authentication.
  • Save User Credentials: Yes (default).
  • (Optional) Authentication Override: check 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. The cookie is encrypted and decrypted with the certificate selected in the 'Certificate to Encrypt/Decrypt Cookie' drop-down.
Note: If a certificate is selected here under the portal, the same certificate must be selected in the gateway's configuration for encrypting/decrypting the cookie.

Note: One of the following three conditions must be met for pre-logon to work:

i.  The portal has a certificate profile but no authentication cookies.
   Note: When the portal and gateway share the same IP, the gateway's certificate profile takes precedence over the portal's. If the portal's certificate profile is required, the portal and gateway must be on different IPs.

ii. The portal has no certificate profile but has authentication cookies.

(In this case the very first GlobalProtect connection must be made by a user. That login creates two cookies, one for the user and one for pre-logon; from then on pre-logon works.)

(Attempting pre-logon for the first time without a user having previously connected to GlobalProtect will not work in this case, because the pre-logon cookie is only generated after a user has logged in once.)

iii. The portal has both a certificate profile and authentication cookies.

 
  2. Config Selection Criteria
  • Select 'pre-logon' from the drop-down menu.
  3. External
  • Under 'External Gateways', click Add and give the gateway any name.
  • Address: enter the IP address or FQDN that appears in the gateway certificate's Common Name (CN) or Subject Alternative Name (SAN). In this example we enter 'gp.portal-gw01.local'.
Screenshot displaying the GlobalProtect Portal's Agent dialog box.
  4. App
  • Under the 'Connect Method' drop-down, select 'Pre-Logon then On-Demand'.
  • The 'Use Single Sign-On' setting is optional here.
  • Set 'Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)' to '0'. A value of 0 means that when the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it, and initiates a new tunnel for the user rather than letting the user connect over the pre-logon tunnel. This setting is most useful with the Pre-Logon then On-Demand connect method, which requires the user to manually initiate the connection after the initial logon.


Note: The following steps are required only if you need to add a second client configuration that differs from the one created above.
  1. Authentication
  • Give the client config any name.
  • Client Certificate: leave this set to None. It is needed only if you want to push a client certificate to the endpoint for authentication.
  • Save User Credentials: Yes (default).
  • (Optional) Authentication Override: check 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. The cookie is encrypted and decrypted with the certificate selected in the 'Certificate to Encrypt/Decrypt Cookie' drop-down.
Note: If a certificate is selected here under the portal, the same certificate must be selected in the gateway's configuration for encrypting/decrypting the cookie.

  2. Config Selection Criteria
  • Select 'any' from the drop-down, or add specific users or user groups.
  3. External
  • Under 'External Gateways', click Add and give the gateway any name.
  • Address: enter the IP address or FQDN that appears in the gateway certificate's Common Name (CN) or Subject Alternative Name (SAN). In this example we enter 'gp.portal-gw01.local'.
Screenshot displaying the GlobalProtect Portal's Agent dialog box.

  4. App
  • Under the 'Connect Method' drop-down, select 'Pre-Logon then On-Demand'.
  • As a best practice, enable SSO in this second agent configuration so that the correct username is reported to the gateway immediately when the user logs in to the endpoint. If SSO is not enabled, the username saved in the agent's settings panel is used.
  5. Select OK and commit your changes.
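As an added example (not part of this article and not Palo Alto Networks code), the following Python script turns the rules above into an offline configuration audit: the three pre-logon conditions, the requirement that portal and gateway use the same cookie certificate, the connect method and tunnel rename timeout on the pre-logon agent config, and SSO on the second config. The XML it parses is a constructed, simplified representation of the GUI fields named in this article, not the PAN-OS configuration export schema; the element names, the `audit_portal` function and the `SAMPLE_GATEWAY` dictionary are assumptions made for illustration.

```python
"""Offline audit of a GlobalProtect portal agent configuration against the
Pre-Logon then On-Demand rules in this article.

The XML below is a CONSTRUCTED, simplified representation of the GUI fields
the article names. It is NOT the PAN-OS configuration export schema; map the
element names onto your own exported configuration before reusing the checks.
"""
import xml.etree.ElementTree as ET

# Constructed sample portal with the two agent configs the article describes
# (element and attribute names are illustrative, not PAN-OS schema names).
SAMPLE_PORTAL_XML = """
<portal name="gp-portal">
  <authentication>
    <certificate-profile>GP-Cert-Profile</certificate-profile>
    <generate-cookie>yes</generate-cookie>
    <accept-cookie>yes</accept-cookie>
    <cookie-certificate>GP-Cookie-Cert</cookie-certificate>
  </authentication>
  <agent-configs>
    <config name="prelogon-config">
      <selection-criteria>pre-logon</selection-criteria>
      <external-gateway name="gw01" address="gp.portal-gw01.local"/>
      <connect-method>pre-logon-then-on-demand</connect-method>
      <prelogon-tunnel-rename-timeout>0</prelogon-tunnel-rename-timeout>
      <use-sso>no</use-sso>
    </config>
    <config name="user-config">
      <selection-criteria>any</selection-criteria>
      <external-gateway name="gw01" address="gp.portal-gw01.local"/>
      <connect-method>pre-logon-then-on-demand</connect-method>
      <use-sso>yes</use-sso>
    </config>
  </agent-configs>
</portal>
"""

# Constructed view of the matching gateway's settings (illustrative keys).
SAMPLE_GATEWAY = {
    "cookie_certificate": "GP-Cookie-Cert",  # gateway's Certificate to Encrypt/Decrypt Cookie
    "certificate_profile": "GW-Cert-Profile",
    "shares_portal_ip": True,                # portal and gateway on the same IP
}


def _text(element, tag, default=""):
    """Return the stripped text of a child element, or a default if absent."""
    child = element.find(tag)
    if child is None or child.text is None:
        return default
    return child.text.strip()


def audit_portal(xml_text, gateway):
    """Return a list of 'ERROR:', 'WARN:' or 'INFO:' findings for the portal."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = root.find("authentication")
    if auth is None:
        auth = ET.Element("authentication")  # treat a missing block as empty

    # Conditions (i)-(iii) reduce to: certificate profile, auth cookies, or both.
    has_cert_profile = bool(_text(auth, "certificate-profile"))
    has_cookies = (_text(auth, "generate-cookie") == "yes"
                   and _text(auth, "accept-cookie") == "yes")
    if not (has_cert_profile or has_cookies):
        findings.append("ERROR: pre-logon needs a portal certificate profile, "
                        "authentication override cookies, or both")
    if has_cookies and not has_cert_profile:
        findings.append("INFO: cookie-only pre-logon: a user must log in once "
                        "interactively before the pre-logon cookie exists")
    if has_cookies and _text(auth, "cookie-certificate") != gateway["cookie_certificate"]:
        findings.append("ERROR: portal and gateway must use the same certificate "
                        "to encrypt/decrypt the authentication cookie")
    if has_cert_profile and gateway.get("shares_portal_ip") and gateway.get("certificate_profile"):
        findings.append("INFO: portal and gateway share an IP, so the gateway's "
                        "certificate profile takes precedence over the portal's")

    configs = root.findall("agent-configs/config")
    prelogon = [c for c in configs if _text(c, "selection-criteria") == "pre-logon"]
    if not prelogon:
        findings.append("ERROR: no agent config with selection criteria 'pre-logon'")
    for cfg in prelogon:
        name = cfg.get("name")
        if _text(cfg, "connect-method") != "pre-logon-then-on-demand":
            findings.append(f"ERROR: {name}: connect method is not Pre-Logon then On-Demand")
        if _text(cfg, "prelogon-tunnel-rename-timeout") != "0":
            findings.append(f"WARN: {name}: pre-logon tunnel rename timeout should be 0")
        if cfg.find("external-gateway") is None:
            findings.append(f"ERROR: {name}: no external gateway configured")
    for cfg in configs:
        if cfg not in prelogon and _text(cfg, "use-sso") != "yes":
            findings.append(f"WARN: {cfg.get('name')}: enable SSO so the gateway "
                            "receives the correct username at logon")
    return findings


def has_errors(findings):
    """True if any finding is blocking (an 'ERROR:' line)."""
    return any(f.startswith("ERROR:") for f in findings)


if __name__ == "__main__":
    for line in audit_portal(SAMPLE_PORTAL_XML, SAMPLE_GATEWAY):
        print(line)
```

Against the constructed sample the script reports only the informational note about the shared portal/gateway IP; removing both the certificate profile and the cookies, or pointing the gateway at a different cookie certificate, produces an ERROR line, which is the condition under which the pre-logon tunnel will not come up.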
 

