https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-profile-option-block-session-if-the-certificate-was/m-p/328078#M112 <P>Hi,</P><P>&nbsp;</P><P>Did you ensure that&nbsp;<SPAN>serial number attribute in the subject of the client certificate matches the&nbsp;</SPAN><A title="" href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/objects-globalprotect-hip-objects/hip-objects-general-tab.html" target="_blank" rel="noopener">host ID</A><SPAN>&nbsp;that the GlobalProtect app reports for the endpoint?</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/certificate-management/configure-a-certificate-profile" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/certificate-management/configure-a-certificate-profile</A></SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P>VRA</P><DIV>&nbsp;</DIV><P><SPAN>.</SPAN></P> Thu, 14 May 2020 22:37:18 GMT vathreya 2020-05-14T22:37:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-profile-option-block-session-if-the-certificate-was/m-p/327497#M105 <P>Basic GP setup, portal and gateway using certificate authentication only, certificates issues by internal CA, Palo Alto firewall is not involved in the certificate enrollment process.</P><P>&nbsp;</P><P>Certificate profile used is configured with Root and&nbsp;intermediate certificate, set for using CRL and options (block session if certificate status cannot be retrieved within timeout,&nbsp;<SPAN>Block session if the certificate was not issued to the authenticating device and&nbsp;Block sessions with expired certificate) has been selected.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Clients now tries to connect, but fails with message (Client certificate could not be authenticated), if I then remove the option&nbsp;Block session if the certificate was not issued to the authenticating device, then the clients are able to authenticate and connect.</SPAN></P><P>&nbsp;</P><P><SPAN>My question:</SPAN></P><P><SPAN>Is the option "Block session if the certificate was not issued to the authenticating device" only valid e.g can be used if the Palo Alto firewall handles the original certificate enrolment&nbsp;process, and shouldn't be used if this is done using other methods ?</SPAN></P> Tue, 12 May 2020 09:37:36 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-profile-option-block-session-if-the-certificate-was/m-p/327497#M105 Rene_Belloni 2020-05-12T09:37:36Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-profile-option-block-session-if-the-certificate-was/m-p/328078#M112 <P>Hi,</P><P>&nbsp;</P><P>Did you ensure that&nbsp;<SPAN>serial number attribute in the subject of the client certificate matches the&nbsp;</SPAN><A title="" href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/objects-globalprotect-hip-objects/hip-objects-general-tab.html" target="_blank" rel="noopener">host ID</A><SPAN>&nbsp;that the GlobalProtect app reports for the endpoint?</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/certificate-management/configure-a-certificate-profile" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/certificate-management/configure-a-certificate-profile</A></SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P>VRA</P><DIV>&nbsp;</DIV><P><SPAN>.</SPAN></P> Thu, 14 May 2020 22:37:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-profile-option-block-session-if-the-certificate-was/m-p/328078#M112 vathreya 2020-05-14T22:37:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-profile-option-block-session-if-the-certificate-was/m-p/329342#M134 <P>Dear Vathreya</P><P>&nbsp;</P><P>Thank you for the reply, yes we added&nbsp;the IPAD UDID into the Common Name in the certificate, but it seems like in GP for IOS in version 5.0, the client isnt able any longer to grap the UDID straight from the IPAD, but needs to be specific configured via VPN profile to map the UDID with Mobile-ID in order to get the correct information sent in the HIP report to the gateway.</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/globalprotect/5-0/globalprotect-app-new-features/new-features-released-in-gp-agent-5_0/globalprotect-app-for-ios-user-experience-enhancements/mobile-device-management-changes.html#ide03e60d2-363a-4cec-9fb4-65e65bbb011f_id9b855032-eda8-4143-9da8-b66e22293559" target="_blank">https://docs.paloaltonetworks.com/globalprotect/5-0/globalprotect-app-new-features/new-features-released-in-gp-agent-5_0/globalprotect-app-for-ios-user-experience-enhancements/mobile-device-management-changes.html#ide03e60d2-363a-4cec-9fb4-65e65bbb011f_id9b855032-eda8-4143-9da8-b66e22293559</A></P><P>&nbsp;</P><P>Our MDM platform used is Intunes and so far we havent been able to find the ability to perform such a customization of the VPN profile.</P><P>&nbsp;</P><P>I missed to include information in the orginal post that it was issue with IPAD's</P> Fri, 22 May 2020 09:12:14 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-profile-option-block-session-if-the-certificate-was/m-p/329342#M134 Rene_Belloni 2020-05-22T09:12:14Z