Palo Alto Networks Knowledgebase: How to Configure GlobalProtect for Authentication Using Only Certificates

How to Configure GlobalProtect for Authentication Using Only Certificates

Created On 08/14/19 01:17 AM - Last Updated 08/14/19 01:32 AM
GlobalProtect Portal Certificate Management Network Integration GlobalProtect Prisma Access


This document describes the steps to configure GlobalProtect for authentication using certificates only, without the user being prompted for login.



  1. Create the certificate profile under Device > Certificate Management > Certificate Profile.
    Make sure Username Field is set to 'Subject' and the grey area to the right of it shows 'common-name'. Add the root CA under CA Certificates.
    Certificate Profile.pngCertificate Profile
  2. The image below shows the certificates created:
  3. Configure the GlobalProtect Gateway.
    Set Authentication Profile to None and select the certificate profile set to the one created in Step 1 above.
    gateway.pngGlobalProtect Gateway
  4. Configure the GlobalProtect Portal
    Set the Authentication Profile set to None. Select the Client Certificate and Certificate Profile.
    Note: Having the firewall generate a Client Certificate assumes that the Certificate infrastructure is set up on the network to support that client certificate.  Alternatively, a client cert may not be necessary and may also not be advisable in a multi-user environment.  It may better to use a certificate profile with the CA which will be used to sign each user's certificate, so that each user can and will receive a unique certificate from the CA.
    portal.pngGlobalProtect Portal
  5. In the Client Configuration tab, disable SSO.
    Screen Shot 2013-06-24 at 8.23.43 PM.png
  6. Install the root and the client certificates in the machine local store of the client PC.
    Note: When exporting the client machine certificate from the Palo Alto Networks device, it needs to be in PKCS12 format.
  7. Install the client certificate in the user personal store.
  8. In the GlobalProtect client, there is no need to enter the Username and Password:
  9. Commit the configuration on the firewall. The GlobalProtect client will automatically connect to the gateway.
    The remote users for the Gateway will show up as the client certificate logging in.

owner: pvermuri

Additional Information
In the above example, both the name of certificate profile and SSL/TLS Service profile is kept the same as trust-ca. The names of these profiles can be different and can be chosen independently.

  • Print
  • Copy Link

Choose Language