Global Protect Pre-Login problems

Hi Guys,

I have user login working fine, MFA and all, however I then tried to add pre-login.

When I’m at the W10 logon screen and go to the VPN icon, it goes through the checking status… connecting… then I get "The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect".

I see SSL hitting and being allowed on the PAN but it never sees any of the ‘PAN-OS GP’ application which I see when I do a user login.

There is a machine certificate (with private key) installed on the machine along with the CA cert in the trusted root store (the CA is the firewall for testing this, eventually I’ll use our internal ‘proper’ CA).

There is a ‘pre-login’ client settings selection criteria.

Are there any gotchas that it’s worth checking?

I’ve got a TAC request open and after a 2 hour phone call we got exactly nowhere, so thought I’d check with the smart people!

Cheers!

AirGapped

When I implemented pre-login, we created a separate portal and gateway so we could experiment. Do you have two separate client auth profiles or just one?

Are you using certificate profiles on portal and gateway and/or are you using cookie auth?

I would check the PanGPS logs from the client; they usually tell you exactly what the issue is. Search under portal prelogin.

Edit: under your External tab for the pre-logon user, check the IP/FQDN is correct.

Just to be sure, did you follow this to a tee? As much as you can without disrupting current users?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

The kicker I’ve found, for some reason, is setting both the Pre-Logon Portal config and User Portal Config to use the Connect Method “Pre-Logon (Always On)”. My other big takeaway was this gem mentioned in that article:

Note: One of the following 3 conditions must be met for pre-logon to work:

i. Portal contains ‘certificate profile’ but ‘no’ auth cookies (explained in step 7).

ii. Portal does ‘not’ contain ‘certificate profile’ but has ‘auth cookies’.

(In this case, the very first GP connection must be made by a user, which will create two cookies, one for the ‘user’ and the other for ‘pre-logon’. From then on the pre-logon will work.)

(Attempting ‘pre-logon’ for the very first time without having a user connected to GP previously will not work in this case, since the ‘pre-logon’ cookie will only get generated after a user is logged in the first time.)

iii. Portal contains both ‘certificate profile’ and ‘auth cookies’.

I opted to go with no cookies so am using the Certificate Profile on both the Portal and Gateway in the Authentication section. This also caused me to create a separate portal and gateway for Home users without this and pre-logon. I just got done spending the last 2 weeks heavily in this, getting everything set up and configured with our internal PKI and ISP failover. If you need any screenshots or anything just let me know. :slight_smile:

That’s a good idea. At the moment I’m using 1 portal and 1 gateway and tried to do user and pre-login on the same one, just with different config selection ‘areas’. I’ll log in to the firewall and get the section names later on!

Edit: under your External tab for the pre-logon user, check the IP/FQDN is correct.

Checked this bit.

I’m using the cert profiles for both, I’ve actually tried both but at the moment using cert profiles.

That’s the other weird thing which I should have mentioned, no entries in the GP logs, just SSL hitting the WAN interface

Hi,

So, as others have suggested, I’ve created a new portal and gateway for the pre-login stuff but am still getting the same error on the endpoint! I’ve followed the link exactly - except the IP address in 5a, which I’ve had to set to none as the portal/gateway for user login has the IP address populated.

If you could send a few screenshots that’d be great, thanks

That’s weird? No logs in gp agent? Are you sure?

What version are you running?

Next check would be the PanGPS logs from the agent. Take a look for errors around the section saying portal pre-logon; can you provide these?

So I don’t know that you’ll be able to actually test it unless you have an IP tied to it. Do you have a spare external IP you can add to your interface to use for it? That’s what I ended up doing.

So I screenshotted pretty much everything. There were a few I didn’t but those were defaults that shouldn’t impact this. Your error is regarding the Portal too I noticed so I’d double check the Portal config first. I put the Gateway in here too but I found in my troubleshooting that when I got a Portal related error, it was specific to the Portal and wasn’t Gateway related. The main thing to remember is what I mentioned before about where the certificate is in use.

My setup that I screenshotted for you is one of our VPNs used for company owned devices and cannot be used with home devices. I did not want to use cookies at all so I opted to require the Certificate Profile on the Authentication Tab on both the Portal and Gateway. Because of that I had to create a separate Portal and Gateway for home users to use. I also separated the subnets from PreLogon to Post-Logon users so that I could allow only what was needed for Security Policies and then implement both a Deny All for the Pre-Logon User and also for the subnet separately. I have two Portals and Gateways for both company owned and home use though too, so I had to double up. I’m using Azure Traffic Manager for DNS failover also, so you can connect to vpn.company.com and it connects to either vpn1.company.com or vpn2.company.com depending on availability. Those are two separate ISPs in our case so it allows us to maintain redundancy if one goes down. Without using DNS failover it would technically work, but you have to flush your cache after an outage to find the other IP, so this works much better. :slight_smile:

Let me know if there’s anything else I can do to help!

https://imgur.com/a/ytQgK8f

Hey just FYI I was able to generate this same error as you on the fly by enabling “Block session if the certificate was not issued to the authenticating device” in the Certificate Profile.

Device > Certificate Management > Certificate Profile

See what you have selected there and try unchecking everything to start and then making a change at a time. In my case this is an issue I still need to work through with my internal PKI but it could be different for you since you’re using the PAN to create the certs. Hope that helps!

That’s what I’m trying to do. Does that mean I’m supposed to have different portals and gateways for different auth types? I’m using RADIUS for users BTW. I was starting to get to that conclusion but talked myself out of it!

My bad! Misread that! The following two lines repeat during pre-logon attempts:

PAN_GP_Event:

09/03/2021 14:59:17:851 [Error]: No Network Connectivity. Please verify your network connection and try again.

09/03/2021 14:59:17:851 [Error]: The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect.

PanPlapProvider

<response>
    <type>portal</type>
    <status>Disconnected</status>
    <protocol/>
    <portal-config-version>4100</portal-config-version>
    <error-must-show/>
    <error-must-show-level>error</error-must-show-level>
    <error>The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect.</error>
    <product-version>5.2.7-37</product-version>
    <product-code>########</product-code>
    <portal-status>Invalid portal</portal-status>
    <user-name>AirGapped_Admin</user-name>
    <username-type>regular</username-type>
    <state>Disconnected</state>
    <check-version>no</check-version>
    <portal>vpn.airgapped.admin.com</portal>
    <discover-ready>no</discover-ready>
    <mdm-is-enabled>no</mdm-is-enabled>
</response>

Cheers
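An added example (not from the thread's author or from Palo Alto Networks) that parses the two artifacts posted above, the PanGPS `[Error]` lines and the PanPlapProvider `<response>` block, and pulls out the fields worth reading first. The sample inputs below are constructed from what was posted (product code left masked); the triage heuristic, which sends you to the portal config when `portal-status` is `Invalid portal`, is my assumption based on the advice elsewhere in the thread to check the Portal before the Gateway when the error names the portal.

```python
"""Parse PanGPS log lines and the PanPlapProvider <response> XML.

Added example, not Palo Alto Networks code. Inputs are constructed from
the pieces posted in the thread; field names are those visible in the
posted <response> block, the triage rules are an assumption.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two PAN_GP_Event lines seen during pre-logon attempts.
PANGPS_LOG = """\
09/03/2021 14:59:17:851 [Error]: No Network Connectivity. Please verify your network connection and try again.
09/03/2021 14:59:17:851 [Error]: The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect.
"""

# Constructed sample: the PanPlapProvider response as posted (product-code masked).
PLAP_RESPONSE = """\
<response>
  <type>portal</type>
  <status>Disconnected</status>
  <protocol/>
  <portal-config-version>4100</portal-config-version>
  <error-must-show/>
  <error-must-show-level>error</error-must-show-level>
  <error>The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect.</error>
  <product-version>5.2.7-37</product-version>
  <product-code>########</product-code>
  <portal-status>Invalid portal</portal-status>
  <user-name>AirGapped_Admin</user-name>
  <username-type>regular</username-type>
  <state>Disconnected</state>
  <check-version>no</check-version>
  <portal>vpn.airgapped.admin.com</portal>
  <discover-ready>no</discover-ready>
  <mdm-is-enabled>no</mdm-is-enabled>
</response>
"""

# PanGPS line shape as posted: "MM/DD/YYYY HH:MM:SS:mmm [Level]: message"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}) \[(?P<level>\w+)\]: (?P<msg>.*)$"
)


def parse_pangps(text):
    """Return [(timestamp, level, message)] for every well-formed PanGPS line."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append((m["ts"], m["level"], m["msg"]))
    return entries


def parse_plap(xml_text):
    """Flatten the <response> children into {tag: text}; empty tags become ''."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


def triage(plap):
    """Return (area, note): which config area to look at first (assumed heuristics).

    'Invalid portal' means the client never got a usable portal config, so the
    pre-logon portal entry and its certificate profile come before any gateway work.
    """
    if plap.get("portal-status") == "Invalid portal":
        return ("portal",
                "Client reports the portal as invalid: check the pre-logon portal "
                "config (external entry, certificate profile) before the gateway.")
    if plap.get("state") == "Disconnected" and plap.get("error"):
        return ("network", plap["error"])
    return ("ok", "")


if __name__ == "__main__":
    for ts, level, msg in parse_pangps(PANGPS_LOG):
        print(f"{ts} {level}: {msg}")
    fields = parse_plap(PLAP_RESPONSE)
    print("client", fields["product-version"], "portal", fields["portal"],
          "status", fields["portal-status"])
    print(triage(fields))
```

Run it against your own exported PanGPS.log and the PanPlapProvider output; the regex only keeps lines in the posted timestamp/level shape, so debug chatter in other formats is dropped rather than mis-parsed.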

https://www.reddit.com/r/paloaltonetworks/comments/pg3pvg/global_protect_prelogin_problems/hbge5fj?utm_source=share&utm_medium=web2x&context=3

I’ve just posted the logs into another comment.

Cheers for looking

Thanks for your response - It’s awesome!

So I’ve had pretty much 6 hours on the phone to TAC today after whining at our account manager that I wasn’t getting any response!

I need to go through the config tomorrow and see what is different compared to what I had configured.

He integrated the pre-login and user login into a single portal and gateway.

From what I was following by the end I think the only difference is that the IP was listed and not ‘none’

So I don’t know that you’ll be able to actually test it unless you have an IP tied to it. Do you have a spare external IP you can add to your interface to use for it? That’s what I ended up doing.

I have a /29 and a /28 so at some point I’ll get it labbed out.

So I screenshotted pretty much everything

That’s awesome, thank you so much for spending your time doing those, they’re really helpful.

I did not want to use cookies at all so I opted to require the Certificate Profile on the Authentication Tab on both the Portal and Gateway.

I’ve done this too - it was a step beyond the TAC guy so got that sorted after the call!

I also separated the subnets from PreLogon to Post-Logon users so that I could allow only what was needed for Security Policies and then implement both a Deny All for the Pre-Logon User and also for the subnet separately.

This is what I want to achieve - have you got them going into different zones? Are you using the different portals/gateways to achieve this or are you ‘just’ using client config/IP Pools to specify different subnets?

We only have 1 ISP feed coming in so unfortunately not a problem!

Thanks again!!

Interesting, cheers for that, my plan is to integrate it with the AD CA eventually but wanted to get it going in its most basic form first lol, cheers again

Is the dns or pre-logon user traffic being blocked?

This is what I want to achieve - have you got them going into different zones? Are you using the different portals/gateways to achieve this or are you ‘just’ using client config/IP Pools to specify different subnets?

So I’m using the same Portal/Gateways for PreLogon and PostLogon users but different IP scopes and Security Policies. So for example PreLogon would use 10.0.0.0/24 and PostLogon would use 10.0.1.0/24, and then the Security Rules allow the PreLogon user access to the resources it needs - DHCP, DNS, OCSP - and then there’s a Deny for the PreLogon user following, and then a full Deny for the subnet(s) that PreLogon uses after that - both Source and Destination to cover your bases. That’s how I have it done at least and it seems to work well.

There’s a discovery phase at the beginning to see what Applications are being used and allowing them, but after that you should be good. Hope that helps! Let me know if you have any more questions or anything. :slight_smile:

https://imgur.com/a/NhHOsea
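An added example (my own model, not PAN-OS code or the commenter's configuration) of the rule ordering described in the comment above: a first-match evaluator over the pre-logon allow for DHCP/DNS/OCSP, the deny for the pre-logon user, and the subnet denies as source and as destination, followed by the post-logon allow. The pools 10.0.0.0/24 and 10.0.1.0/24 are the ones the comment uses; the rule names, the destination addresses and the application strings are constructed for the example. `pre-logon` and `known-user` are real PAN-OS source-user keywords; everything else is an assumption of this model. The point it shows beyond the prose is why the subnet deny is there in addition to the user deny: a flow from the pre-logon pool that is no longer tagged `pre-logon`, and a flow from inside the network toward the pre-logon pool, are both still caught before the post-logon allow.

```python
"""First-match security-policy model for the pre-logon / post-logon split.

Added example, not PAN-OS code. Models the rule order described in the thread
and checks which rule each constructed flow lands on. Pools mirror the thread;
rule names, destinations and app strings are constructed.
"""
from ipaddress import ip_address, ip_network

PRELOGON_POOL = ip_network("10.0.0.0/24")   # pre-logon IP pool (from the thread)
POSTLOGON_POOL = ip_network("10.0.1.0/24")  # post-logon IP pool (from the thread)
PRELOGON_USER = "pre-logon"                  # PAN-OS source-user keyword for the pre-logon user
KNOWN_USER = "known-user"                    # PAN-OS source-user keyword for any mapped user

# Rule tuple: (name, source user or None, source net or None,
#              destination net or None, allowed apps or None, action)
# None means "any" for that field. Order matters: first match wins.
RULES = [
    ("prelogon-infra", PRELOGON_USER, PRELOGON_POOL, None, {"dhcp", "dns", "ocsp"}, "allow"),
    ("prelogon-deny-user", PRELOGON_USER, None, None, None, "deny"),
    ("prelogon-deny-src", None, PRELOGON_POOL, None, None, "deny"),
    ("prelogon-deny-dst", None, None, PRELOGON_POOL, None, "deny"),
    ("postlogon-allow", KNOWN_USER, POSTLOGON_POOL, None, None, "allow"),
]


def evaluate(rules, user, src, dst, app):
    """Return (rule_name, action) for the first rule matching the flow.

    Falls through to ("default", "deny"), the behaviour of PAN-OS's
    interzone-default rule when nothing above it matches.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for name, r_user, r_src, r_dst, r_apps, action in rules:
        if r_user is not None and r_user != user:
            continue
        if r_src is not None and src_ip not in r_src:
            continue
        if r_dst is not None and dst_ip not in r_dst:
            continue
        if r_apps is not None and app not in r_apps:
            continue
        return name, action
    return "default", "deny"


def shadowed_rules(rules, flows):
    """Return the names of rules that no flow in `flows` reaches (a quick shadowing check)."""
    hit = {evaluate(rules, *flow)[0] for flow in flows}
    return [name for name, *_ in rules if name not in hit]


# Constructed flows: (user, src, dst, app)
SAMPLE_FLOWS = [
    (PRELOGON_USER, "10.0.0.10", "10.1.1.53", "dns"),       # pre-logon needs DNS -> allow
    (PRELOGON_USER, "10.0.0.10", "10.1.1.20", "smb"),       # pre-logon to a file server -> user deny
    (KNOWN_USER, "10.0.0.10", "10.1.1.20", "web-browsing"), # mapped user still on the pre-logon pool -> subnet deny
    (KNOWN_USER, "10.1.1.20", "10.0.0.10", "ssh"),          # inbound toward the pre-logon pool -> destination deny
    (KNOWN_USER, "10.0.1.10", "10.1.1.20", "web-browsing"), # post-logon user on its own pool -> allow
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(RULES, *flow))
    print("never reached by the sample flows:", shadowed_rules(RULES, SAMPLE_FLOWS))
```

Swapping the two deny rules above the infra allow is the classic mistake this model makes visible: `evaluate` then returns the deny for the DNS flow and `shadowed_rules` reports `prelogon-infra` as unreachable.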

I would try unchecking all of the boxes to see if that gets you going

Don’t think so, I see SSL being allowed on the firewall and no traffic being dropped from the address of the client but never see the GP app listed in the traffic from the client