How to configure GlobalProtect with Certificate Only Authentication in PAN-OS 9.0?

How to configure GlobalProtect with Certificate Only Authentication in PAN-OS 9.0?

3877
Created On 04/02/20 06:16 AM - Last Modified 04/28/20 20:55 PM


Objective
This document discusses the steps necessary to configure GlobalProtect for certificate only client authentication for PAN-OS 9.0

Environment
  • Palo Alto Networks Firewall.
  • PAN-OS 9.0.


Procedure
1. Confirm that all required certificates have been generated and/or imported onto the firewall (ie: root, client, machine certificates.)
 
List of required certificates to configure client certificate authentication (ie: root, intermediate, and client certificates)

 

2. Create the Certificate Profile and add the appropriate CA certificates under Device > Certificate Management > Certificate Profile. 

  • Add the necessary root CA(s) that will be used to authenticate clients to the profile.
Screenshot displaying where to configure the Certificate Profile found under Device > Certificate Management > Certificate Profile
 
3. Configure the Global Protect Gateway to use the Certificate Profile by navigating to Network > GlobalProtect > Gateways.
  • Select the appropriate gateway from the list, choose the "Authentication" tab, and select the correct profile from the dropdown list. Leave the client Authentication Profile blank.
Screenshot displaying where to configure the Gateway to use the Certificate Profile for Authentication without Client Authentication configured.
 
 
4. Configure the Global Protect Portal to use the Certificate Profile by navigating to Network > GlobalProtect > Portals.
  • Select the appropriate portal from the list, choose the "Authentication" tab, and select the correct profile from the dropdown list. Leave the client Authentication Profile blank.
Note: Having the firewall generate a client certificate assumes that the Certificate infrastructure is set up on the network to support that client certificate.  Alternatively, a client cert may not be necessary and may also not be advisable in a multi-user environment.  It may be better to use a certificate profile with the CA which will be used to sign each user's certificate, so that each user can and will receive a unique certificate from the CA.
 
Screenshot displaying where to configure the Portal to use the Certificate Profile for Authentication without a client Authentication Profile configured.

 
5. Disable SSO within the Global Protect Portal by navigating to Network > GlobalProtect > Portals.
  • Select the appropriate portal from the list, choose the "Agent" tab, and select the client config. Then choose the "App" tab and modify the "Use Single Sign On" settings. 
  • Commit all changes 
Screenshot displaying the Portal Agent Configuration.
 
Screenshot displaying the App tab content which is where you disable SSO

 
 6. Export and install the root and client certificates into the local store of the client's endpoint.

Note: When exporting the client machine certificate from the Palo Alto Networks device, it needs to be in PKCS12 format.

Screenshot displaying the root and client certificates installed on the endpoint's local store.
 

7. Install the client certificate into the user's local store.
 
Screenshot displaying the client certificate installed in the user's personal store.


8. When connecting to the GlobalProtect Gateway, the user will not be required to provide a username and password. 
  • You can view information regarding the clients connection via either the GlobalProtect Agent settings or the specific Gateway's "Remote Users" information section in the firewall's GUI.
Agent View:

Screenshot displaying the GlobalProtect Agent settings location.

Screenshot displaying GlobalProtect client connection information within the Agent settings.

GUI View:

Screenshot displaying GlobalProtect client connection information within the GUI.


Additional Information
Please note that this document only refers to the components within GlobalProtect that involves client certificate authentication. 
For additional details on configuring the entire GlobalProtect infrastructure, please refer the following documentation listed here.


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPQCCA4&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments