SSL Global Protect Certificate authentication checklist

Created On 04/13/19 07:09 AM - Last Modified 09/29/20 00:20 AM


Objective


This article provides a checklist for configuring client certificate authentication.

Environment


  • PAN-OS
  • GlobalProtect


Procedure


Certificate Chain:

Root -> INTERCA1 -> INTERCA2 -> Server certificate
Root -> INTERCA1 -> INTERCA2 -> Client wildcard certificate


1- Confirm that the certificate profile includes all CA certificates in the chain [Root, INTERCA1 and INTERCA2].


2- Confirm that the SSL profile for the Portal and Gateway has the Server certificate.


3- Confirm that setting Network > GlobalProtect > Portals > [Portal] > Agent > App > Client Certificate Store Lookup is set to User and Machine 

Note:

- User: the client certificate should be imported into the User account's personal certificate store.
- Machine: the client certificate should be installed in the Computer account's personal certificate store.
- User and Machine: the client certificate can be installed in either (Computer or User) personal certificate store.

4- Confirm that the Client wildcard certificate is imported into the client's personal certificate store together with its private key. [Export the Encrypted Private Key and Certificate (PKCS12) from the firewall and import it on the client.]
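
Steps 3 and 4 can be checked on a Windows client with the following PowerShell, an added example that is not part of the original article. It assumes the issuing CA's subject CN is literally "INTERCA2" (the label from the chain above) and shows only the client's view of the chain; the firewall still validates against its own certificate profile.

```powershell
# Added example. Assumption: the issuing CA's subject CN is "INTERCA2",
# the label used in the article's chain; replace it with your CA's real name.
$IssuerCN = 'INTERCA2'

function Test-GpClientCert {
    param([string]$StorePath, [string]$IssuerCN)

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -match "CN=$([regex]::Escape($IssuerCN))(,|$)" } |
        ForEach-Object {
            $cert  = $_
            $now   = Get-Date
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Local trust-path check only; revocation lookups are skipped here.
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $builds = $chain.Build($cert)
            $path = ($chain.ChainElements | ForEach-Object {
                $_.Certificate.GetNameInfo('SimpleName', $false)
            }) -join ' <- '

            [pscustomobject]@{
                Store         = $StorePath
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey   # step 4: must be True
                InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
                ChainBuilds   = $builds               # client can build a path to a trusted root
                ChainPath     = $path                 # leaf <- INTERCA2 <- INTERCA1 <- Root
            }
        }
}

# Step 3: with "User and Machine" lookup, either personal store may hold the certificate.
$results = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Test-GpClientCert -StorePath $store -IssuerCN $IssuerCN
}

if (-not $results) {
    Write-Warning "No certificate issued by CN=$IssuerCN found in either personal store."
} else {
    $results | Format-List
    $usable = $results | Where-Object { $_.HasPrivateKey -and $_.InValidity -and $_.ChainBuilds }
    if (-not $usable) { Write-Warning 'Certificate present, but none is usable for client authentication.' }
}
```

A certificate that appears with HasPrivateKey set to False was imported without its key (for example from a .cer file instead of the PKCS12 export) and cannot be used for client authentication.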


