Palo Alto GlobalProtect with Pre-Logon [2024]

  • Published 1 Dec 2024

COMMENTS • 49

  • @netsums  9 months ago +1

    FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources

  • @leanderjanlargo5690  5 months ago +2

    Finally! I found a detailed procedure for implementing GlobalProtect pre-logon!
    Amazing! Great video! Thank you for creating such educational and highly informative content!

    • @netsums  5 months ago

      Thank you for your comment, I'm glad we were able to help.

  • @shailendramaheshwari4418  1 month ago +1

    Very nice video, no one can explain it in such a way.

    • @netsums  1 month ago

      Thank you so much 😀

  • @Jrdzpr  1 year ago +1

    Amazing series of videos!! Keep them coming! Thanks.

    • @netsums  1 year ago

      Thank you for your comment, it helps me keep going! :)

  • @marrr7611  1 month ago +1

    Your videos are awesome Ricardo! Keep up the great work my friend. Is there any way that we can give back to you for all of your hard work of putting out these informative and educational videos?

    • @netsums  1 month ago

      Hi, thank you for your comment and being open to help, it means a lot! :-) Sorry for taking so long to reply.
      We're planning on making available what we call a "GlobalProtect easy configurator", which will provide users with an initial but functioning GlobalProtect configuration after filling out a couple of form fields (instead of the full blown Palo Alto firewall configuration, which can be overwhelming). If you would like to be a beta tester, please send me a message over netsums.com. Thank you again!

  • @NjatoANDRIANARIMANANA  1 year ago

    Very well explained, thank you !

    • @netsums  1 year ago

      Thank you for the comment, I'm glad you liked it. :)

  • @maranova20  1 year ago +1

    Very good video!!! Thanks.

    • @netsums  1 year ago

      Thank you very much for the comment! I'm glad you liked the video.

  • @Josellv_  1 year ago +1

    Excellent video. One suggestion on the security policies: in the best practices for Palo Alto it is not recommended to allow the "web-browsing" app, as it is unencrypted traffic.

    • @netsums  1 year ago

      Thank you for your comment. Web-browsing is not encrypted, you're right. The problem is to find the right balance between usability and security. If I know the destination web server redirects the connection to https, I usually allow web-browsing, otherwise the user is obliged to type it in their browser address bar. If you don't allow web-browsing, be prepared to get more complaints regarding websites not being available. :)

  • @tuananhlethanh4217  1 year ago +1

    Thank you bro!!

    • @netsums  1 year ago

      You're welcome, I hope you enjoyed the video.

  • @oalonsoy  1 year ago

    Good job!

    • @netsums  1 year ago

      Thank you for the comment. :)

  • @waikyaw574  1 year ago

    Thank you bro

    • @netsums  1 year ago

      I'm glad you liked the video. :)

  • @adnan063  1 month ago

    Excellent guide for deploying pre-logon. I am testing this in our environment but noticing that after a reboot the pre-logon doesn't connect. Only if the user logs out can I see pre-logon logs on the firewall. Can you please advise what I am missing?

  • @trungnguyen7143  1 month ago

    Do you have instructions for GlobalProtect pre-logon with SSO using SAML from Azure?
    Thanks a lot for sharing.

  • @manindersinghnegi3989  1 year ago

    One of the best videos on pre-logon, you have covered all the important points. Could you please let me know why you have not configured two separate agent profiles in the gateway configuration, as you did in the portal configuration (one for pre-logon and one for user-logon)?

    • @netsums  1 year ago

      Thank you for your comment. :-) You could create two gateway agents, but they would look pretty much the same. So you might as well make just one Agent profile for all users (including pre-logon).

    • @manindersinghnegi3989  1 year ago

      Thanks for the reply. So there will be no security risk if I create one gateway agent for all users (including pre-logon)? @netsums

  • @imrancisco1  3 months ago

    Great video!
    Would you please show us how this will work with PKI certs, with hundreds of users having their machine certs?

    • @netsums  3 months ago

      Hi. You can either have one certificate for all your clients (which I wouldn't recommend) or one different certificate for each PC. On the Palo Alto you would upload the Root CA from the PKI.
      I cannot go over Microsoft Group Policies or how you roll out the certificates on hundreds of PCs, because it's not my field. :-)

  • @romulodevezasfreitas7177  1 year ago +1

    First of all, congratulations. Excellent video.
    Just some questions: do I need a different device certificate for each client computer? Any best practices?

    • @netsums  1 year ago +2

      Hi, thank you for the nice comment. :-)
      You can use only one user certificate, that would be possible. But I really wouldn't recommend that for production. If this one certificate gets compromised (one of your company laptops gets stolen, for example), you would have to change the certificates on all your machines before you could revoke the certificate. In the meantime, it would be possible to connect to your company using the stolen laptop! So my suggestion would be to issue specific certificates for your machines, so that you are able to revoke a compromised certificate very fast, without any VPN disturbance for the other users.

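An added example, not part of the video or of this comment thread, to illustrate the per-machine certificate advice in the reply above: a throwaway private PKI built with the openssl command line issues one machine certificate per endpoint, revokes a single one and shows that CRL checking then rejects only that endpoint while the others keep working. The CA name corp-root-ca, the endpoint names laptop-001 and laptop-002, the file names and the certificate lifetimes are made-up assumptions; a real deployment would use its enterprise CA and its endpoint management tooling to distribute the certificates.

```shell
#!/bin/sh
# Added example (not from the video or the comments): one machine certificate per
# endpoint, revocation of a single endpoint, and CRL-based verification. All names
# (corp-root-ca, laptop-001, laptop-002) and lifetimes are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir -p ca/newcerts
touch ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber

# Minimal 'openssl ca' configuration. The CRL lifetime is kept short so that a
# revocation reaches relying parties (e.g. a firewall certificate profile) quickly.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = corp_ca

[ corp_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./root-ca.pem
private_key      = ./root-ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 1
policy           = policy_cn_only
x509_extensions  = machine_cert
copy_extensions  = none

[ policy_cn_only ]
commonName = supplied

[ machine_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth

[ ca_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_cert

[ req_dn ]
EOF

# Root CA. root-ca.pem is the certificate you would import on the firewall as the
# trusted CA of the certificate profile used by the pre-logon portal/gateway.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
  -subj "/CN=corp-root-ca" -keyout root-ca.key -out root-ca.pem 2>/dev/null

# issue_machine_cert NAME: a key pair and certificate that belong to exactly one endpoint.
issue_machine_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.pem" 2>/dev/null
}

# publish_crl: write the current revocation list (empty until something is revoked).
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# revoke_machine_cert NAME: mark one certificate as compromised and republish the CRL.
revoke_machine_cert() {
  openssl ca -config ca.cnf -revoke "$1.pem" -crl_reason keyCompromise 2>/dev/null
  publish_crl
}

# verify_machine_cert NAME: exit 0 if the certificate chains to the root CA and is
# not on the CRL, i.e. what a CRL-checking relying party would accept.
verify_machine_cert() {
  openssl verify -crl_check -CAfile root-ca.pem -CRLfile crl.pem "$1.pem" >/dev/null 2>&1
}

issue_machine_cert laptop-001
issue_machine_cert laptop-002
publish_crl

# laptop-001 is reported stolen: revoke only its certificate.
revoke_machine_cert laptop-001

for host in laptop-001 laptop-002; do
  if verify_machine_cert "$host"; then
    echo "$host: certificate accepted"
  else
    echo "$host: certificate rejected (revoked)"
  fi
done
```

Run it as a shell script with openssl 1.1.1 or later installed. Only laptop-001 is rejected after the revocation; laptop-002 keeps its working certificate and nothing had to be reissued. On the firewall side, the certificate profile used by the portal and gateway can be configured to check a CRL or an OCSP responder, which is what turns revoking one endpoint's certificate into a real cut-off rather than a paper exercise.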
  • @gouthamm.n2644  1 year ago +1

    Hi thank you for this amazing video.
    You asked us to create 2 client configurations for the GlobalProtect portal.
    The 1st connection method was pre-logon, so why was the second one also pre-logon as well? Is it possible I could make the 1st agent use pre-logon and the 2nd agent configuration use on-demand, by selecting on-demand in the connection method?

    • @netsums  1 year ago

      Hi, thank you for your comment!
      Yes, it's possible to configure the method Pre-logon then On-demand, so that your users are not always connected to GlobalProtect. You would need to change the option for both portal agents.
      Take a look at this article: knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM4ACAU&lang=en_US

  • @Ibefartin  11 months ago

    When I see your face on a tutorial, I click.

  • @dashginlazimov4923  5 months ago

    Thanks for publishing such tutorial videos.
    21:30 Doesn't intrazone already allow this kind of traffic? Because those interfaces are in the same zone, I mean "Outside", and intrazone already allows this kind of traffic. Is there a need to write this security policy?

    • @netsums  4 months ago

      Hi, sorry for the late reply. You're right, if you don't change the default rules there would be no reason to add such a rule.
      Since I like to change the interzone default rule to deny, so that I have more control over what is being allowed, I need to do it in my case. :-) I would recommend that you also change the default rule to deny and declare the interzone rules manually, so you can control which apps you allow, especially on your outside zone.

  • @sebastianreyes9010  6 months ago

    Excellent video. Is this config (pre-logon) possible with macOS devices, or only with Windows?

    • @netsums  6 months ago

      Thank you. It's also possible with macOS. From the Palo Alto documentation:
      Windows endpoints behave differently from macOS endpoints with pre-logon. With macOS endpoints, the pre-logon tunnel is torn down, and then a new tunnel is created when the user logs in.

  • @JohnQ85  1 year ago

    What about PLAP enabling pre-logon? Does this also allow expired AD passwords to be changed upon login?

    • @netsums  1 year ago

      Good question! Sorry, I cannot help you there, I haven't tried that before.

  • @douglaspayne5029  8 months ago

    Thanks for the amazing videos! Question: if we wanted BOTH cert and username/password at the same time, would that make sense?
    I would like to have the most secure VPN, also want to make it so that anyone with a laptop is forced to use the VPN at all times outside of the office, but when returning to the office, they should also be able to work internally.
    Do you have any videos or suggestions for an implementation like this?

    • @netsums  8 months ago

      I'm glad you like the videos!
      If you set it to require BOTH cert and user credentials (in the portal/gateway authentication you choose "No" and you create/select a certificate profile), it should work. Just be aware of the portal option "Client Certificate Store Lookup" under Portal -> App. There you should select that you want a user certificate for your user agent configuration. For the pre-logon agent configuration, you should leave it as default (there won't be any user certificate available during the pre-logon phase anyway).
      I have a video about internal gateway, maybe it would be interesting for your implementation, since your users need also to be able to work internally (without having to make an IPSec connection to the firewall): ua-cam.com/video/5PvzQ2GoUR0/v-deo.htmlfeature=shared
      I hope I could help.

  • @kittituchkongkham9003  3 months ago

    Can GlobalProtect pre-logon mode be used for HIP?

    • @netsums  3 months ago

      As far as I know, GlobalProtect cannot read the information necessary for HIP in the pre-logon phase. So no, it would not be possible.

  • @luisdeanda7892  10 months ago

    I follow your video, but I'm using the IP instead of the FQDN. I type my public IP in a browser, but I get "This site can't be reached". I'm not sure what I'm doing wrong :(

    • @netsums  9 months ago

      Hi. Do you have the IP address in the certificate being used by the portal? Download the logs from the GlobalProtect app and take a look at the pan_gp_event.log file, it should tell you what the problem is.

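An added example, not part of the video or of this thread, for the troubleshooting reply above: it uses the openssl command line to show that a portal reached by IP address needs that address as an iPAddress entry in the certificate's subjectAltName, and how to check a certificate for it. The hostname vpn.example.com, the address 203.0.113.10 (RFC 5737 documentation range) and the two self-signed test certificates are constructed for the example; against a real portal you would run the same subjectAltName check on the certificate assigned to the portal.

```shell
#!/bin/sh
# Added example (not from the video or the comments): why a portal reached by IP
# needs that IP in its certificate's subjectAltName, checked with openssl.
# vpn.example.com and 203.0.113.10 are made-up values; the certificates are
# self-signed stand-ins for the portal certificate.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so 'openssl req' does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF

# make_portal_cert NAME CN SAN: self-signed test certificate with the given subjectAltName.
make_portal_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config req.cnf \
    -subj "/CN=$2" -addext "subjectAltName=$3" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# cert_matches_ip CERT IP: exit 0 if the certificate is valid for a client that
# connects to IP. -verify_ip performs the same iPAddress SAN match a client does;
# there is no fallback to the CN for IP addresses.
cert_matches_ip() {
  openssl verify -verify_ip "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_matches_host CERT HOSTNAME: the same check for a client connecting by FQDN.
cert_matches_host() {
  openssl verify -verify_hostname "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

# show_sans CERT: print the subjectAltName extension, the field to inspect on a
# production portal certificate.
show_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# Two portal certificates: one with only the FQDN, one that also lists the IP.
make_portal_cert fqdn-only.portal vpn.example.com "DNS:vpn.example.com"
make_portal_cert with-ip.portal   vpn.example.com "DNS:vpn.example.com,IP:203.0.113.10"

for c in fqdn-only.portal.pem with-ip.portal.pem; do
  show_sans "$c"
  if cert_matches_ip "$c" 203.0.113.10; then
    echo "$c: accepted for clients connecting to https://203.0.113.10/"
  else
    echo "$c: rejected for https://203.0.113.10/ (no matching IP in subjectAltName)"
  fi
done
```

Both test certificates pass the hostname check for vpn.example.com, but only the one carrying IP:203.0.113.10 passes the IP check. The same openssl x509 -ext subjectAltName command works on a portal certificate exported from the firewall: if the address the clients type is not listed there, any client that validates the certificate will reject the portal, regardless of what the CN says.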
  • @sidhardhakoppolu1319  1 year ago

    Hi sir,
    How do I configure MFA on a RADIUS server? We need an SMS alert for login.

    • @netsums  1 year ago

      Take a look at this video, hopefully it will be able to help you: ua-cam.com/video/2mIuqmWP-j0/v-deo.html

  • @simonedonati7797  6 months ago

    Is a GlobalProtect license required?

    • @netsums  6 months ago

      It depends. For the basic stuff, no. If you have Windows or Mac, no. Linux and mobile devices, yes. If you need IPv6, yes.
      docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses