Palo Alto GlobalProtect with Pre-Logon [2024]
- Published 21 Jul 2024
- #paloaltofirewall #paloaltonetworks #firewall
In this tutorial you're going to learn how to configure remote access VPN on the Palo Alto Firewall using the pre-logon method. With this method, the devices are able to connect to your corporate network securely, even before the users sign in.
I will explain all the steps needed on the Palo Alto Firewall to configure the remote access VPN, including the generation of certificates. At the end I will use a Windows client on the Internet to test the VPN connection with the GlobalProtect app to a Linux server. I will also show you how to interpret the Firewall logs during and after the pre-logon phase.
If you have questions, suggestions, or any kind of feedback, please don't hesitate to comment below! I will reply as soon as possible.
Timeline:
00:00 Palo Alto GlobalProtect Pre-Logon
01:02 Overview
02:11 Interface configuration
03:44 Authentication
05:10 Certificates
11:25 GlobalProtect Gateway
15:06 GlobalProtect Portal
18:45 GlobalProtect Client
20:33 Security Policies
28:34 Tests with VPN client
FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources
Finally! I found a detailed procedure in implementing GlobalProtect Prelogon!
Amazing! Great video! Thank you for creating such educational and highly informative content!
Thank you for your comment, I'm glad we were able to help.
Amazing series of videos!! Keep them coming! Thanks.
Thank you for your comment, it helps me keep going! :)
Very well explained, thank you!
Thank you for the comment, I'm glad you liked it. :)
Very good video!!! Thanks.
Thank you very much for the comment! I'm glad you liked the video.
Good job!
Thank you for the comment. :)
Excellent video. One suggestion on the security policies: in the best practices for Palo Alto it is not recommended to allow the "web-browsing" app, since it is unencrypted traffic.
Thank you for your comment. Web-browsing is not encrypted, you're right. The problem is to find the right balance between usability and security. If I know the destination web server redirects the connection to https, I usually allow web-browsing, otherwise the user is obliged to type it in their browser's address bar. If you don't allow web-browsing, be prepared to get more complaints regarding websites not being available. :)
Thank you bro!!
You're welcome, I hope you enjoyed the video.
thank you bro
I'm glad you liked the video. :)
One of the best videos on Pre-Logon, you have covered all the important points. Could you please let me know why you did not configure two separate Agent profiles in the Gateway configuration as you did in the Portal configuration (one for Pre-Logon and one for User-Logon)?
Thank you for your comment. :-) You could create two gateway agents, but they would look pretty much the same. So you might as well make just one Agent profile for all users (including pre-logon).
Thanks for the reply. So there will be no security risk if I create one gateway agent for all users (including pre-logon)? @netsums
First of all, congratulations. Excellent video.
Just some questions: do I need a different device certificate for each client computer? Any best practices?
Hi, thank you for the nice comment. :-)
You could use only one user certificate; that would be possible. But I really wouldn't recommend that for production. If this one certificate gets compromised (one of your company laptops gets stolen, for example), you would have to change the certificates on all your machines before you can revoke the certificate. In the meantime, it would be possible to connect to your company using the stolen laptop! So my suggestion would be to issue specific certificates for your machines, so you are able to revoke a compromised certificate very fast, without any VPN disturbance for the other users.
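The per-device certificate reasoning in the reply above, as an added shell/openssl example that is not part of the video or this thread: it stands up a throwaway internal CA, issues one certificate per device, revokes a single one and shows that only that device fails CRL validation. The CA config, device names and directory are constructed for the example; this is plain openssl, not PAN-OS configuration.

```shell
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal openssl "ca" config, constructed for this example (not a production CA).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = device_policy
[ device_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
touch index.txt; echo 01 > serial
# Throwaway internal CA plus an initially empty CRL.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=DemoInternalCA -days 365 >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
# One key pair and one certificate per device ($1 = device name).
issue_device_cert() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}
# Revoke one device's certificate and republish the CRL; other devices are untouched.
revoke_device_cert() {
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}
# Returns 0 only if the certificate chains to the CA and is not on the CRL.
cert_is_valid() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1.crt" >/dev/null 2>&1
}
# Demo: two company laptops, laptop-01 reported stolen.
issue_device_cert laptop-01; issue_device_cert laptop-02; revoke_device_cert laptop-01
cert_is_valid laptop-01 && echo "laptop-01 accepted (unexpected)"; cert_is_valid laptop-02 && echo "laptop-02 unaffected"
```

A gateway that checks the CRL (or OCSP) then rejects only the stolen laptop's certificate, which is the point of the reply.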
Hi thank you for this amazing video.
You asked us to create 2 client configurations for global protect portal
The 1st connection method was pre-logon, so why was the second one also pre-logon? Is it possible to make the 1st agent use pre-logon and the 2nd agent configuration use on-demand by selecting on-demand in the connection method?
Hi, thank you for your comment!
Yes, it's possible to configure the method Pre-logon then On-demand, so that your users are not always connected to GlobalProtect. You would need to change the option for both portal agents.
Take a look at this article: knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM4ACAU&lang=en_US
Thanks for the amazing videos! Question: if we wanted BOTH cert and username/password at the same time, would that make sense?
I would like to have the most secure VPN, also want to make it so that anyone with a laptop is forced to use the VPN at all times outside of the office, but when returning to the office, they should also be able to work internally.
Do you have any videos or suggestions for an implementation like this?
I'm glad you like the videos!
If you set it to require BOTH cert and user credentials (in the portal/gateway authentication you choose "NO" and you create/select a certificate profile), it should work. Just be aware of the Portal option "Client Certificate Store Lookup" under Portal -> App. There you should select a user certificate for your user agent configuration. For the pre-logon agent configuration, you should leave it as default (there won't be any user certificate available during the pre-logon phase anyway).
I have a video about the internal gateway, maybe it would be interesting for your implementation, since your users also need to be able to work internally (without having to make an IPSec connection to the firewall): th-cam.com/video/5PvzQ2GoUR0/w-d-xo.htmlfeature=shared
I hope I could help.
Excellent video, is this config (Pre-logon) possible with macOS devices, or only with Windows?
Thank you. It's also possible with macOS. From the Palo Alto documentation:
Windows endpoints behave differently from macOS endpoints with pre-logon. With macOS endpoints, the pre-logon tunnel is torn down, and then a new tunnel is created when the user logs in.
Thanks for publishing such tutorial videos.
21:30 Doesn't intrazone already allow this kind of traffic? Because those interfaces are in the same zone, I mean "Outside", and the intrazone default already allows this kind of traffic. Is there a need to write this security policy?
Hi, sorry for the late reply. You're right: if you don't change the default rules, there would be no reason to add such a rule.
Since I like to change the interzone default rule to deny, so I have more control over what is being allowed, I need to do it in my case. :-) I would also recommend you change the default rule to deny and declare the interzone rules manually, so you can control which apps you allow, especially on your outside zone.
What about PLAP enabling pre-logon? Does this also allow expired AD passwords to be changed upon login?
Good question! Sorry, I cannot help you there, I haven't tried that before.
I follow your video but I'm using the IP instead of the FQDN. I type my public IP in a browser, but I get "This site can't be reached". I'm not sure what I'm doing wrong :(
Hi. Do you have the IP address in the certificate being used by the portal? Download the logs from the GlobalProtect App and take a look at the pan_gp_event.log file, it should tell you what the problem is.
Hi sir,
how do I configure MFA on the RADIUS server? We need an SMS alert for login.
Take a look at this video, hopefully it will be able to help you: th-cam.com/video/2mIuqmWP-j0/w-d-xo.html
Is a GlobalProtect license required?
It depends. For the basic stuff, no. If you have Windows or Mac, no. Linux and mobile devices, yes. If you need IPv6, yes.
docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses