GlobalProtect Pre-logon using a machine certificate - PAN-OS 10.0.6

Captions
Hey, what is up guys, welcome to MB Tech Talker. My name is Matt. In this video I'm going to show you how to configure GlobalProtect pre-logon using a machine certificate. This lab is a continuation of my GlobalProtect portal and gateway configuration video, so don't forget to watch that video first.

What is pre-logon? Well, GlobalProtect pre-logon does exactly that: it allows GlobalProtect to connect before the user logs into the machine. This is particularly useful when there is a requirement for the machine to run scripts or connect to internal resources while the OS is booting up, or even when at the login screen before the user authenticates. Pre-logon is most commonly used in conjunction with user-logon and SSO so that the GlobalProtect connection is seamless to the user. In essence we are dealing with two users, pre-logon and the actual user, so separate client configs need to be created under the portal configuration, one for the pre-logon user and another for the user or user group. Additionally, separate security rules are also needed to provide access for these two users. Once the actual user is connected to GlobalProtect via user-logon, the user will see a Disable option, if allowed by the admin, to disable the GlobalProtect application when needed.

So to successfully configure pre-logon, at least one of the three conditions needs to be met. Number one: the portal contains a certificate profile but no auth cookie is enabled. Number two: the portal does not contain a certificate profile but has auth cookies enabled, so if a user has never logged into GlobalProtect and is attempting to use pre-logon for the very first time, the user will need to log in in order to generate a cookie, and that will mean all subsequent pre-logons will be successful. And then number three: the portal contains both a certificate profile and auth cookies enabled. We're going to use option number three in this lab today.

OK, so I've already logged into the firewall. Within the portal agent configuration we need two client configs, so we'll create a new one for the pre-logon and then we'll use the existing MB Tech Security Team config for the actual users themselves.

OK, so let's start the lab by going to the Network tab, then under GlobalProtect we're going to go to Portals. I'm going to click on my MBTech portal and go to the Agent section, and here I'm going to add a new pre-logon config. So let's give it a name: MB Tech Users Pre-logon. Client certificate: no. Save user credentials is default: yes. Authentication override: I'm going to tick both these boxes, Generate cookie for authentication override and Accept cookie for authentication override. Then we need to select a certificate to encrypt and decrypt the cookie, so I'm just going to use the existing GlobalProtect gateway portal certificate. Then in the config selection criteria we're going to be changing this field from Any to Pre-logon. And then in the External tab we need to specify the gateway. We've only got one gateway, which is on the same firewall as the portal, so I'm just going to give it the same name, which is MB Tech Gateway. I'm going to be using an IP, which is going to be 192.168.21.250, which is the external interface of the firewall, so ethernet1/1. Obviously in a production environment I'd be using a fully qualified domain name matching the certificate's common name or the subject alternative name. Then in the source region we need to click Add and then we're going to change that to Any, and then we can click OK. Then in the App tab we need to change the connect method from User-logon (Always On) to Pre-logon (Always On), and then click OK.

Then the next thing we need to do is just mirror the config in the MB Tech Security Team config by ticking the two authentication override boxes and specifying the same certificate. We've already got this set up; config selection criteria is just set to Any, external gateway is the same. What we need to do now is change the connect method to Pre-logon (Always On), and then you can just make sure that Single Sign-On (Windows) is set to Yes; by default it is. Then we can click OK on that. Finally we need to make sure that the pre-logon configuration is above the actual users' configuration, so we're just going to take that and move it up, and then we can click OK.

Next we need to configure a client certificate profile, so let's head over to the Device tab, and then under Certificate Management we're looking for Certificate Profile. Then we're going to click Add. So the certificate profile specifies a list of CAs and intermediate CAs. When this certificate profile is applied to the config, the portal and gateway will send a client certificate request to the machine to request a client or machine cert signed by the CA or intermediate CA specified in the cert profile. It's recommended placing both the root and intermediate CAs in this profile instead of just the root CA, that's if you're using both; if not, the root CA will be fine. OK, so just for a bit of clarity, a client certificate refers to a user cert. It can be used for the user-logon or on-demand connection methods, which is used to authenticate a user, whereas a machine cert refers to a device certificate. This can be used for pre-logon; this is used to authenticate a device, not a user. OK, so let's call this Device Cert Profile, and in the CA certificates we need to click Add, and then we're going to import the root CA, and then click OK, and then click OK.

So let's go back to the Network tab, and then under GlobalProtect we're going to Gateways. As you can see, we already have the MBTech gateway configured; we just need to change the gateway authentication settings so that it can check the machine certificate to allow pre-logon to work. So let's open that and go to Authentication, and down here at the bottom, under Certificate Profile, we need to change that to the profile we created a few moments ago. Then we need to go to the Agent tab, then click on Client Settings, and then we're going to click on the MBTech Security Team, and we need to enable both the authentication override settings like we did in the portal, and then we need to select the correct certificate, so the existing GlobalProtect gateway portal certificate. Then we can click OK, and then OK, and we can commit the changes.

OK, so now we're ready to test from the Windows 10 client. I'm going to log in with a user that hasn't connected to GlobalProtect before, so the user we're going to use is secadmin1. Now this machine is not on the local network, so it's acting like an internet machine; I've connected it essentially to my home internet, and it's going to be connecting to the portal address on 192.168.21.250. As you can see, pre-logon is not working straight away. As discussed before, I'm going to need to authenticate first to be able to generate those cookies, so I'm going to log in with secadmin, and we're connected. So now what should happen is, when we log in again after this point, pre-logon should work and we won't need to enter our username and password again. So we're going to test that: I'm going to log out, then I'm going to click on Sign-in options, and as you can see GlobalProtect status is Connected and we're connected to the gateway.

So we're going to take a look at the logs on the firewall and see what actually happened. OK, so back at the firewall on the Monitor tab, looking at the GlobalProtect logs: if you take a look at these first three logs down here at the bottom, this is where we manually entered the username and password on the Windows 10 client to establish that first GlobalProtect tunnel, which was successful. Then we logged out of the Windows 10 machine to simulate a pre-logon situation, and this is where the pre-logon took over from secadmin, which was also successful. The authentication method was cookie authentication; this will be used going forward for any subsequent pre-logon connections. And then what I did off camera is re-log back in as secadmin1. This renamed the source user, and then the tunnel is established as the real user again. So this has been a successful lab. I hope you've enjoyed it, and I'll see you on the next one.

OK guys, that's it for today's video, thanks for watching. Over the next coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video, I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas or video content you want me to create, please put them in the comments below as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
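Editor's note, added after the transcript and not part of the video: in the lab above the first pre-logon attempt fails and only succeeds after a user-logon has generated the auth cookie, which means the machine certificate path (conditions one and three in the video) was never actually exercised on the client. The gateway's certificate profile will only accept a certificate that chains to the CA imported into it, carries a private key, and is usable for client authentication; for pre-logon it must also sit in the Local Computer store, because no user profile is loaded yet. The PowerShell check below, run on the Windows client, reports whether such a certificate exists before anyone has logged in. It is example code written for this page, not from MB Tech Talker or Palo Alto Networks, and it assumes the root CA in the "Device Cert Profile" has the subject `CN=MB Tech Root CA` (an invented name; set `$RootCaSubject` to your own CA).

```powershell
# Added example (not from the video): does this Windows client hold a machine
# certificate that the GlobalProtect gateway's certificate profile would accept?
# Assumption (not stated in the video): the root CA imported into the
# "Device Cert Profile" has the subject below. Change it to match your CA.
$RootCaSubject = 'CN=MB Tech Root CA'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-GpMachineCertificate {
    param([string]$RootSubject = $RootCaSubject)

    # Pre-logon runs before any user is logged in, so the certificate must live in
    # the Local Computer personal store. A cert in Cert:\CurrentUser\My is invisible
    # to the GlobalProtect service at the login screen.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey }

    foreach ($cert in $candidates) {
        # Build the chain exactly as the client would when answering the gateway's
        # client-certificate request; the root must be the CA in the cert profile.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab only; use 'Online' in production
        if (-not $chain.Build($cert)) { continue }

        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Subject -ne $RootSubject) { continue }

        # An empty EKU list means "any purpose"; a non-empty one must include clientAuth.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($ekus.Count -gt 0 -and $ekus -notcontains $ClientAuthEku) { continue }

        if ($cert.NotAfter -lt (Get-Date)) { continue }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Root       = $root.Subject
        }
    }
}

$usable = @(Test-GpMachineCertificate)
if ($usable.Count -eq 0) {
    Write-Warning "No machine certificate chaining to '$RootCaSubject' with a private key and client-auth EKU in Cert:\LocalMachine\My."
    Write-Warning "Pre-logon can then only succeed via an auth cookie, which does not exist until a user has completed a user-logon once."
} else {
    $usable | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the client. If it prints a row, the gateway's certificate profile has something to check and the first pre-logon should succeed without a prior user-logon; if it only prints the warnings, the behaviour seen in the video (first attempt fails, cookie carries every later attempt) is what to expect.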
Info
Channel: MB Tech Talker
Views: 1,075
Id: mWE_liNOnM4
Length: 11min 18sec (678 seconds)
Published: Sat Sep 25 2021