How to Configure GlobalProtect for Authentication Using Only Certificates

How to Configure GlobalProtect for Authentication Using Only Certificates

Created On 09/25/18 17:19 PM - Last Modified 04/28/20 19:42 PM


This document describes the steps to configure GlobalProtect for authentication using certificates only, without the user being prompted for login. 

  • PAN-OS 
  • Global Protect
  • Certificate



  1. Create the certificate profile under Device > Certificate Management > Certificate Profile.
    Make sure Username Field is set to 'Subject' and the grey area to the right of it shows 'common-name'. Add the root CA under CA Certificates.
Certificate Profile.png
  1. The image below shows the certificates created:
  1. Configure the GlobalProtect Gateway.
    Set Authentication Profile to None and select the certificate profile set to the one created in Step 1 above.

  1. Configure the GlobalProtect Portal
    Set the Authentication Profile set to None. Select the Client Certificate and Certificate Profile.
    Note: Having the firewall generate a Client Certificate assumes that the Certificate infrastructure is set up on the network to support that client certificate.  Alternatively, a client cert may not be necessary and may also not be advisable in a multi-user environment.  It may better to use a certificate profile with the CA which will be used to sign each user's certificate, so that each user can and will receive a unique certificate from the CA.
  1. In the Agent > APP tab, disable SSO.
          User-added image
          User-added image

  1. Install the root and the client certificates in the machine local store of the client PC.
    Note: When exporting the client machine certificate from the Palo Alto Networks device, it needs to be in PKCS12 format.

  1. Install the client certificate in the user personal store.
  1. In the GlobalProtect client, there is no need to enter the Username and Password:
  1. Commit the configuration on the firewall. The GlobalProtect client will automatically connect to the gateway.
    The remote users for the Gateway will show up as the client certificate logging in.


Additional Information
In the above example, both the name of certificate profile and SSL/TLS Service profile is kept the same as trust-ca. The names of these profiles can be different and can be chosen independently.

  • Print
  • Copy Link

Choose Language