Basic-GlobalProtect-configuration-with-Pre-Logon-then-On-Demand

Created On 05/03/21 19:20 PM - Last Modified 05/07/21 20:34 PM


Objective
This document explains the GlobalProtect Pre-Logon then On-Demand connect method and the basic configuration it requires.

Environment
  •  GlobalProtect Infrastructure
  •  Endpoint with supported OS 


Procedure

Pre-Logon then On-Demand is a hybrid connect method that combines the pre-logon capability, which authenticates and establishes a tunnel before the user logs in to the endpoint, with the on-demand capability, which lets users establish subsequent connections to external gateways manually.

This is useful when users forget their password, or work with their help desk to change it, and need network access over the pre-logon VPN tunnel in order to log in to their system.

Follow the steps below to configure the portal's agent configuration with the Pre-Logon then On-Demand connect method.
Note: This is found by navigating to Network > GlobalProtect > Portals > (select the appropriate portal) > Agent > (select or create the appropriate agent config).
  1. Authentication
  • Give any name to this client config.
  • Client certificate - leave it at None; this is only needed if you want to push a client certificate to the client for authentication purposes.
  • Save user credential - Yes (default).
  • (Optional) Authentication override: check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. The cookie is encrypted/decrypted with the certificate selected from the 'Certificate to Encrypt/Decrypt Cookie' drop-down.
Note: If a certificate is selected here under the portal, the same certificate must be selected under the gateway's config to encrypt/decrypt the cookie.
 
  2. Config Selection Criteria
  • Select 'pre-logon' from the drop-down menu.
 
  3. External
  • Under 'External gateways', click Add and give it any name.
  • Address - enter the IP address or FQDN that is referenced in the gateway certificate's Common Name (CN) or Subject Alternate Name (SAN). In this example we enter 'gp.portal-gw01.local'.
Screenshot displaying the GlobalProtect Portal's Agent dialog box.
  4. App
  • Under the "Connect Method" drop-down, select "Pre-Logon then On-Demand".
  • 'Use single sign-on' config is optional here.
  • Set "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" to '0'. With a value of 0, when the user logs on to the endpoint GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it, and initiates a new tunnel for the user rather than letting the user connect over the pre-logon tunnel. This setting is most useful with the Pre-Logon then On-Demand connect method, which requires the user to initiate the connection manually after the initial logon.


Note: The following steps are required only if you need to add a new client configuration that differs from the one created above.
  1. Authentication
  • Give any name to this client config.
  • Client certificate - leave it at None; this is only needed if you want to push a client certificate to the client for authentication purposes.
  • Save user credential - Yes (default).
  • (Optional) Authentication override: check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. The cookie is encrypted/decrypted with the certificate selected from the 'Certificate to Encrypt/Decrypt Cookie' drop-down.
Note: If a certificate is selected here under the portal, the same certificate must be selected under the gateway's config to encrypt/decrypt the cookie.

 
  2. Config Selection Criteria
  • Select 'any' from the drop-down, or add specific users/user groups.
 
  3. External
  • Under 'External gateways', click Add and give it any name.
  • Address - enter the IP address or FQDN that is referenced in the gateway certificate's Common Name (CN) or Subject Alternate Name (SAN). In this example we enter 'gp.portal-gw01.local'.
Screenshot displaying the GlobalProtect Portal's Agent dialog box.
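The address entered under 'External gateways' (in either agent configuration) must be a name the gateway's certificate actually carries, otherwise the GlobalProtect client rejects the gateway with a certificate name mismatch. The following is an added Python example, not part of this article or of PAN-OS, that performs that check offline against a constructed certificate in the dict shape Python's ssl.getpeercert() returns (the IP address in it is a documentation-range placeholder):

```python
"""Check that an address entered under 'External gateways' > Address is a name
the gateway's certificate actually carries (SAN first, CN only as legacy fallback)."""
import ipaddress

# Constructed sample certificate for the gateway used in this article, in the dict
# shape ssl.SSLSocket.getpeercert() returns; the IP is a documentation-range
# placeholder, not a value from the article.
GATEWAY_CERT = {
    "subject": ((("commonName", "gp.portal-gw01.local"),),),
    "subjectAltName": (
        ("DNS", "gp.portal-gw01.local"),
        ("DNS", "*.branch.portal-gw01.local"),
        ("IP Address", "203.0.113.10"),
    ),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' may only be the whole leftmost label of a
    pattern with at least three labels (so '*.local' never matches)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def address_matches_cert(address: str, cert: dict) -> bool:
    """True if 'address' (FQDN or IP) is covered by the certificate; False means
    the GlobalProtect client will reject the gateway with a name mismatch."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP address only matches an 'IP Address' SAN; the CN never covers it.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        return any(_dns_match(name, address) for name in dns_names)
    # No SAN at all (legacy certificate): fall back to the subject CN; once DNS
    # SANs exist the CN is ignored, as in RFC 6125.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, address)
    return False
```

For a live gateway, replace GATEWAY_CERT with the dict returned by `ssl.create_default_context().wrap_socket(socket.create_connection((addr, 443)), server_hostname=addr).getpeercert()`.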
 
  4. App
  • Under the "Connect Method" drop-down, select "Pre-Logon then On-Demand".
  • As a best practice, enable SSO in the second agent configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent setting panel is used.
  5. Select OK and commit your changes.
 

