How to Issue Certificates to GlobalProtect Devices
Resolution
Overview
This document describes the configuration steps that will restrict GlobalProtect access for only certified devices.
Details
This will prevent GlobalProtect users from using unknown devices. The following is a list of requirements that will ensure that the appropriate Windows, Mac OS X, iOS, and Android devices can establish a VPN with GlobalProtect:
- The Palo Alto Networks firewall’s SSL certificate must have a fully qualified domain-name that resolves to the IP address of the GlobalProtect Portal and Gateway to satisfy Apple iOS requirements. (The user can specify an IP address in the Common Name field if iOS is not included in the list of supported devices).
- This certificate will be used to sign a machine certificate
- The portal will not distribute this certificate
- The GlobalProtect Portal and Gateway will use the firewall's SSL certificate, which then requires a device to present the issued machine certificate for verification. The machine certificate certifies the device. A user must still properly authenticate in order to establish the tunnel.
Go to Device > Certificate Management > Certificates
This is the firewall’s primary SSL certificate. When this certificate was created, the fully qualified domain-name was entered in the Common Name field and the Certificate Authority box was checked. It is necessary that a FQDN is presented by the firewall when an iOS device connects to it. The certificate shown below has been selected for other functions, but for this topic, it is going to be used to sign the machine certificate.
Create Machine Certificate
Go to Device > Certificate Management > Certificates, click Generate to create a new certificate. This is the machine certificate that will be provided to all devices that can use it for GlobalProtect. Notice this certificate is signed by the previously illustrated CA certificate. Any title or information can be entered under Certificate Name and Common Name fields.
Below is an example of what the Certificate Information would look like viewing it after it has been created:
Export Machine Certificate
Select the PKCS12 file format and enter a password to encrypt this key. This certificate needs to be installed on a device before it first attempts a GlobalProtect connection:
Create Certificate Profile
The firewall's SSL certificate needs to be added to a Certificate Profile so that the profile can be specified in the GlobalProtect Gateway:
Go to Device > GlobalProtect > Gateway and specify certificates for the Gateway.
The firewall's SSL certificate is selected for the Server Certificate field, as shown below:
Go to Device > GlobalProtect > Portal > Portal Configuration
The Client Certificate field is used to distribute the machine certificate to a GlobalProtect platform, which means that any user who authenticates successfully from any device would receive this certificate. Leave this blank to prevent this from happening.
The Certificate Profile field is used to specify the CA certificate that signs the certificate that the device must present when one goes to the GlobalProtect client software download page on the firewall. The GlobalProtect agent will also present a machine certificate when it connects to the Portal to retrieve updates. The user may want use the certificate profile created earlier once they have this setup working.
Go to Device > GlobalProtect > Portal > Client Configuration
In the Portal dialogue window, select Client Configuration and then open a configuration profile that is listed there. The following dialogue window is displayed. The Client Certificate field specifies the certificate that the GlobalProtect must present to the Gateway to certify the connecting device. This certificate needs to be signed by the Server Certificate that the Gateway is using. This is the same certificate that was exported in the PKCS12 format in the Export Machine Certificate section above.
Once these settings have been committed, a user that authenticates successfully may only do so from a device that has the required machine certificate.
owner: jjosephs