
Palo Alto GlobalProtect with Pre-Logon [2024] 

NETSums

Published: 12 Sep 2024

Comments: 43
@netsums 7 months ago
FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources
@leanderjanlargo5690 2 months ago
Finally! I found a detailed procedure for implementing GlobalProtect Pre-logon! Amazing! Great video! Thank you for creating such educational and highly informative content!
@netsums 2 months ago
Thank you for your comment, I'm glad we were able to help.
@Jrdzpr 1 year ago
Amazing series of videos!! Keep them coming! Thanks.
@netsums 1 year ago
Thank you for your comment, it helps me keep going! :)
@Josellv_ 1 year ago
Excellent video. One suggestion on the security policies: in the Palo Alto best practices it is not recommended to allow the "web-browsing" app, as it is unencrypted traffic.
@netsums 1 year ago
Thank you for your comment. Web-browsing is not encrypted, you're right. The problem is to find the right balance between usability and security. If I know the destination web server redirects the connection to https, I usually allow web-browsing; otherwise the user is obliged to type it in their browser address bar. If you don't allow web-browsing, be prepared to get more complaints about websites not being available. :)
@user-iy6uv1tq7w 11 months ago
Very well explained, thank you!
@netsums 11 months ago
Thank you for the comment, I'm glad you liked it. :)
@maranova20 1 year ago
Very good video!!! Thanks.
@netsums 1 year ago
Thank you very much for the comment! I'm glad you liked the video.
@romulodevezasfreitas7177 1 year ago
First of all, congratulations. Excellent video. Just some questions: do I need a different device certificate for each client computer? Any best practices?
@netsums 1 year ago
Hi, thank you for the nice comment. :-) You could use only one user certificate; that would be possible. But I really wouldn't recommend that for production. If this one certificate gets compromised (one of your company laptops gets stolen, for example), you would have to change the certificates on all your machines before you could revoke the certificate. In the meantime, it would be possible to connect to your company using the stolen laptop! So my suggestion would be to issue specific certificates for your machines, so you are able to revoke a compromised certificate very fast, without any VPN disturbance for the other users.
@manindersinghnegi3989 1 year ago
One of the best videos on Pre-Logon, you have covered all the important points. Could you please let me know why you have not configured two separate agent profiles in the gateway configuration as you did in the portal configuration (one for Pre-Logon and one for User-Logon)?
@netsums 1 year ago
Thank you for your comment. :-) You could create two gateway agents, but they would look pretty much the same. So you might as well make just one agent profile for all users (including pre-logon).
@manindersinghnegi3989 1 year ago
Thanks for the reply. So there will be no security risk if I create one gateway agent for all users (including pre-logon)? @netsums
@tuananhlethanh4217 1 year ago
Thank you bro!!
@netsums 1 year ago
You're welcome, I hope you enjoyed the video.
@dashginlazimov4923 3 months ago
Thanks for publishing such tutorial videos. 21:30 Doesn't intrazone already allow this kind of traffic? Because those interfaces are in the same zone, I mean "Outside", so intrazone already allows this kind of traffic. Is there a need to write this security policy?
@netsums 2 months ago
Hi, sorry for the late reply. You're right: if you don't change the default rules, there would be no reason to add such a rule. Since I like to change the interzone default rule to deny, so I have more control over what is being allowed, I need to do it in my case. :-) I would also recommend that you change the default rule to deny and declare the interzone rules manually, so you can control which apps you allow, especially on your outside zone.
@OALONSOY 1 year ago
Good job!
@netsums 1 year ago
Thank you for the comment. :)
@sebastianreyes9010 3 months ago
Excellent video. Is this config (Pre-logon) possible with macOS devices, or only with Windows?
@netsums 3 months ago
Thank you. It's also possible with macOS. From the Palo Alto documentation: "Windows endpoints behave differently from macOS endpoints with pre-logon. With macOS endpoints, the pre-logon tunnel is torn down, and then a new tunnel is created when the user logs in."
@waikyaw574 1 year ago
Thank you bro
@netsums 1 year ago
I'm glad you liked the video. :)
@imrancisco1 28 days ago
Great video! Would you please show us how this will work with PKI certs, with hundreds of users having their machine certs?
@netsums 28 days ago
Hi. You can either have one certificate for all your clients (which I wouldn't recommend) or a different certificate for each PC. On the Palo Alto you would upload the Root CA from the PKI. I cannot go over Microsoft Group Policies or how you roll out the certificates on hundreds of PCs, because it's not my field. :-)
@gouthamm.n2644 1 year ago
Hi, thank you for this amazing video. You asked us to create 2 client configurations for the GlobalProtect portal. The 1st connection method was pre-logon; why was the second one also pre-logon? Is it possible that I could make the 1st agent use pre-logon and the 2nd agent configuration use on-demand by selecting on-demand in the connection method?
@netsums 1 year ago
Hi, thank you for your comment! Yes, it's possible to configure the method Pre-logon then On-demand, so that your users are not always connected to GlobalProtect. You would need to change the option for both portal agents. Take a look at this article: knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM4ACAU&lang=en_US
@douglaspayne5029 5 months ago
Thanks for the amazing videos! Question: if we wanted BOTH cert and username/password at the same time, would that make sense? I would like to have the most secure VPN; I also want to make it so that anyone with a laptop is forced to use the VPN at all times outside of the office, but when returning to the office, they should also be able to work internally. Do you have any videos or suggestions for an implementation like this?
@netsums 5 months ago
I'm glad you like the videos! If you set it to require BOTH cert and user credentials (in the portal/gateway authentication you choose "NO" and you create/select a certificate profile), it should work. Just be aware of the Portal option "Client Certificate Store Lookup" under Portal -> App. There you should select that you want a user certificate for your user agent configuration. For the pre-logon agent configuration, you should leave it as default (there won't be any user certificate available during the pre-logon phase anyway). I have a video about internal gateway, maybe it would be interesting for your implementation, since your users also need to be able to work internally (without having to make an IPSec connection to the firewall): ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-5PvzQ2GoUR0.htmlfeature=shared I hope I could help.
@luisdeanda7892 7 months ago
I followed your video but I'm using the IP instead of the FQDN. I type my public IP in a browser, but I get "This site can't be reached". I'm not sure what I'm doing wrong :(
@netsums 7 months ago
Hi. Do you have the IP address in the certificate being used by the portal? Download the logs from the GlobalProtect App and take a look at the pan_gp_event.log file, it should tell you what the problem is.
@kittituchkongkham9003 15 days ago
Can GlobalProtect pre-logon mode be used for HIP?
@netsums 15 days ago
As far as I know, GlobalProtect cannot read the information necessary for HIP in the pre-logon phase. So no, it would not be possible.
@JohnQ85 1 year ago
What about PLAP enabling pre-logon? Does this also allow expired AD passwords to be changed upon login?
@netsums 1 year ago
Good question! Sorry, I cannot help you there, I haven't tried that before.
@simonedonati7797 4 months ago
Is a GlobalProtect license required?
@netsums 4 months ago
It depends. For the basic stuff, no. If you have Windows or Mac, no. Linux and mobile devices, yes. If you need IPv6, yes. docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses
@sidhardhakoppolu1319 1 year ago
Hi sir, how to configure MFA in a RADIUS server? We need SMS alerts for login.
@netsums 1 year ago
Take a look at this video, hopefully it will be able to help you: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-2mIuqmWP-j0.html
@Ibefartin 8 months ago
When I see your face on a tutorial, I click.