How to configure Global Protect for certificate-based HIP match

Created On 07/06/22 19:45 PM - Last Modified 03/15/26 09:16 AM


Objective


Steps to configure GlobalProtect for a certificate-based HIP match.
 


Environment


  • GlobalProtect
  • Prisma Access
  • Existing PKI  


Procedure


  1. Navigate to Device > Certificates and import the CA certificate.
  2. Navigate to Device > Certificate Profile and configure a certificate profile.
  3. Navigate to Portal > Agent > (Config-name) > HIP data collection and use the certificate profile configured in step 2 for HIP processing.
  4. Navigate to Objects > HIP Objects and configure the HIP object with match criteria.
    NOTE: Pay attention to the format in which the value is configured. The value has to match the subject in the Certificate information. Here it is /DC=local/DC=su-lab/CN=SU-LAB-CA
  5. Import the client certificate on the user's machine in the local machine store. The certificate should be installed together with its private key.
  6. Navigate to the GlobalProtect App Host information tab for validation.
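The NOTE on the HIP object value is where this configuration usually goes wrong, so the following added example (not part of the original article and not Palo Alto Networks code) converts a subject as a certificate viewer typically lists it, comma-separated and leaf-first, into the slash-separated, root-first layout shown in the NOTE and compares it with the value entered in the HIP object. The function names, the sample subject string, and the assumption that the comparison is an exact string match are illustrative.

```python
# Added example, not from the original article. Assumption: the HIP object
# value uses the slash-separated, root-first layout shown in the NOTE, while
# a certificate viewer shows the subject comma-separated and leaf-first.

def split_rdns(dn):
    """Split a comma-separated DN into (attribute, value) pairs.
    Commas inside "quoted" values or escaped as \\, do not split."""
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted             # drop the quote marks themselves
        elif ch == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr:
            raise ValueError("not an attribute=value pair: %r" % rdn)
        pairs.append((attr.strip(), value.strip()))
    return pairs

def to_hip_format(displayed_subject):
    """Render a leaf-first, comma-separated subject as /ROOT/.../LEAF."""
    return "".join("/%s=%s" % p for p in reversed(split_rdns(displayed_subject)))

def check_hip_value(hip_value, displayed_subject):
    """Return 'match', 'order' (same RDNs, wrong sequence) or 'mismatch'."""
    expected = to_hip_format(displayed_subject)
    if hip_value == expected:
        return "match"
    if sorted(hip_value.split("/")) == sorted(expected.split("/")):
        return "order"
    return "mismatch"

# Constructed sample: the subject from the NOTE as a certificate viewer would list it.
SUBJECT = "CN=SU-LAB-CA, DC=su-lab, DC=local"

if __name__ == "__main__":
    print(to_hip_format(SUBJECT))
    print(check_hip_value("/DC=local/DC=su-lab/CN=SU-LAB-CA", SUBJECT))
```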
 


Additional Information


For best practices regarding certificate configuration for GlobalProtect, please refer to the following document:


