Pre-logon Configuration in the GlobalProtect VPN (Palo Alto Firewall)

Created by Boopathi K, Modified on Wed, 10 Sep at 12:41 PM by Boopathi K

Steps:

1. Create a certificate profile with the root certificate (the same root certificate used for the GP portal and gateway).
   - Path: Device → Certificate Management → Certificate Profile

2. Add the certificate profile to both the GP portal and GP gateway configurations.
   - Edit the GP portal configuration → Authentication → choose the created certificate profile.
   - Edit the GP gateway configuration → Authentication → choose the certificate profile.

3. In the GP portal configuration (Authentication), set Allow Authentication with User Credentials or Client Certificate to Yes.

4. In the GP gateway configuration (Authentication), set Allow Authentication with User Credentials or Client Certificate to Yes.

5. Configure an additional agent for pre-logon in the GP portal.
   - Set the user to Pre-logon.
   - Create the VPN using an IP address or FQDN-based external gateway.

6. Set the connection method to Pre-logon (Always On) in App Configuration for both the existing GP agent and the newly created Pre-logon agent.

7. Enable Single Sign-On (SSO): set Use Windows SSO to Yes in the App Configuration of the Pre-logon agent.

8. Move the Pre-logon agent configuration to the top (above the previous agent configuration).

9. Create the machine certificate for Pre-logon authentication.
   - If using the Palo Alto firewall certificate, a third-party certificate is not required.
   - Path: Device → Certificate Management → Certificate → Create
   - Use the same Certificate Name and Common Name, and sign it with the root certificate used in the GP portal and gateway configuration.

10. Export the machine certificate in the format Encrypted Private Key and Certificate (PKCS12), and set a password.

11. Install the machine certificate in the Personal Store on the Palo Alto GP client machine.

12. (Optional) If using a third-party certificate for GP client Pre-logon:
    - Export the server certificate in Encrypted Private Key and Certificate (PKCS12) format.
    - Install the third-party certificate in the Personal Store on the Palo Alto GP client machine.

13. Create a Pre-logon security policy:
    - Source Zone: VPN
    - Source Address: SSL VPN IP address
    - Source User: Pre-logon
    - Destination Zone: DMZ or LAN
    - Destination Address: Required domain server IP address
    - Service: Any (for testing)
    - Action: Allow
    - Move this policy above the existing VPN policy.

14. Verify Pre-logon authentication using the certificate and user logon information:
    - Authentication logs: Monitor → Logs → GlobalProtect
    - User logon info: Device → Network → Gateway → Info tab → Remote User (validate the user).

15. Test the Pre-logon policy by resetting the user password at next login from the domain server for the GP client.

16. Check the password reset on the GP client machine.

17. Verify the traffic logs on the Palo Alto firewall.
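The client-side part of steps 10 and 11, as an added PowerShell example that is not from the original article: import the exported PKCS12 into the Local Computer Personal store and confirm that it carries a private key and chains to the root certificate used for the GP portal and gateway. The PFX path and the root thumbprint placeholder are assumptions; substitute your own values.

```powershell
# Added example, not part of the original article.
# Imports the PKCS12 machine certificate exported in step 10 and verifies it.
$PfxPath   = 'C:\Temp\gp-machine-cert.pfx'   # assumed path of the exported PKCS12 file
$RootThumb = '<ROOT-CERT-THUMBPRINT>'         # placeholder: thumbprint of the GP root certificate

$pfxPassword = Read-Host -Prompt 'PKCS12 password' -AsSecureString

# Pre-logon runs before any user signs in, so the certificate must be in the
# Local Computer (machine) Personal store, not the current user's store.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key; re-export as Encrypted Private Key and Certificate (PKCS12)'
}

# The GP root must be trusted by the machine so that the chain can be built.
$root = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $RootThumb
if (-not $root) {
    throw "GP root certificate $RootThumb is not present in Cert:\LocalMachine\Root"
}

# Build the chain and confirm the machine certificate is issued under that root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # internal PKI; revocation is checked by the gateway, not here
if (-not $chain.Build($cert)) {
    throw ('Chain build failed: ' + ($chain.ChainStatus.StatusInformation -join '; '))
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $RootThumb) {
    throw "Machine certificate chains to $($chainRoot.Thumbprint), not to the GP root"
}

'Machine certificate OK: Subject={0} Expires={1}' -f $cert.Subject, $cert.NotAfter
```

Run it from an elevated PowerShell session, since writing to Cert:\LocalMachine\My requires administrator rights.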

