Upon initial machine boot up, pre-logon tunnel does not establish and GlobalProtect status shows as Disconnected.

Created On 09/13/22 08:56 AM - Last Modified 01/28/25 21:04 PM


Symptom


Upon initial machine boot up, pre-logon tunnel does not establish and GlobalProtect status shows as Disconnected.

Environment


  • Palo Alto Firewall
  • PAN-OS 8.1 and above
  • GlobalProtect Pre-Logon setup
  • Authentication cookie


Cause


When a user turns on their client machine, they will notice that the pre-logon tunnel is not connected.

  1. The user must first authenticate during a user tunnel connection to generate the authentication cookie.
  2. Two authentication cookies are generated: one for ‘user’ and the other for ‘pre-logon’.
  3. Once the authentication cookies are generated, GlobalProtect Pre-Logon connects on subsequent machine boot-ups.
  4. The Pre-Logon tunnel stays up until the Login Lifetime timer ends.
  5. Until the cookie lifetime ends, the next pre-logon cookie is not generated for authentication, unless the user signs out of the GlobalProtect app.
  6. To avoid tunnel connection failure due to cookie lifetime expiration, it is recommended to use certificate-based authentication.


Resolution


Cookie Configuration:

  1. Both the portal and the gateway can generate and accept the authentication cookie, with either the same or separate Cookie Lifetime timers on each.
  2. The portal can generate and the gateway can accept the authentication cookie.
  3. The portal can accept the cookie, whereas the gateway can generate and accept the authentication cookie, with either the same or separate Cookie Lifetime timers on each.

On Portal:

  • Network > GlobalProtect > Portals > [portal-name] > Agent > [portal-config-name] > Authentication

On Gateway:

  • Network > GlobalProtect > Gateways > [gateway-name] > Agent > Client Settings > [gateway-config-name] > Authentication Override

Login Lifetime:
  • The timeout value can be configured in the WebUI under Network > GlobalProtect > Gateways > [gateway-name] > Agent > Connection Settings.

