https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-client-auth-certification/m-p/525993#M3550 <P>Hi Team, Do we need to manually install the Client certificate for the Global Protect Certificate authentication or It will automatically fetch from Portal.&nbsp;</P> Thu, 05 Jan 2023 09:09:46 GMT suba_muthuram 2023-01-05T09:09:46Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-client-auth-certification/m-p/525993#M3550 <P>Hi Team, Do we need to manually install the Client certificate for the Global Protect Certificate authentication or It will automatically fetch from Portal.&nbsp;</P> Thu, 05 Jan 2023 09:09:46 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-client-auth-certification/m-p/525993#M3550 suba_muthuram 2023-01-05T09:09:46Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-client-auth-certification/m-p/525995#M3552 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262013">@suba_muthuram</a>&nbsp;<BR /><BR />Yes, the certificate should be installed. However, it depends on how to want to deploy the certificates. Below is the snippet from the <A href="https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/globalprotect/10-1/globalprotect-admin/globalprotect-admin.pdf" target="_self">GlobalProtect Admin-Guide</A>:<BR /><BR />For an agent configuration profile that specifies client certificates, each user receives a client&nbsp;certificate. The mechanism for providing the certificates determines whether a certificate is&nbsp;unique to each user or the same for all users under that agent configuration:</P> <P><BR />• To deploy client certificates that are unique to each user and endpoint, use <STRONG>SCEP</STRONG>. When a user&nbsp;first logs in, the portal requests a certificate from the enterprise’s PKI. The portal obtains a&nbsp;unique certificate and deploys it to the endpoint.<BR />• To deploy the same client certificate to all users that receive an agent configuration, deploy a&nbsp;certificate that is Local to the firewall.</P> <P>&nbsp;</P> Thu, 05 Jan 2023 09:39:38 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-client-auth-certification/m-p/525995#M3552 Arnesh 2023-01-05T09:39:38Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-client-auth-certification/m-p/526005#M3553 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262013">@suba_muthuram</a> ,</P> <P>&nbsp;</P> <P>You can manually install the certificate or configure the portal to push the certificate to the client.</P> <P>&nbsp;</P> <P>The portal configuration to push the certificate is found under Network &gt; GlobalProtect &gt; Portals &gt; [edit portal] &gt; Agent &gt; [edit config] &gt; Authentication &gt; Client Certificate.&nbsp; There are 3 options available:&nbsp; Local, SCEP, and None.&nbsp; These are the options described by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/253055">@Arnesh</a> above.&nbsp; Please remember to change this setting back to None once the certificate has been distributed to all of your GP clients.&nbsp; Otherwise, there really is no 2FA with certificates, it is pushed every time.</P> <P>&nbsp;</P> <P>Manual installation can be done by distributing the certificates to the client devices through other means, the most common is MS GPO combined with MS CA server.&nbsp; As <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/253055">@Arnesh</a> described, the certificate can be unique to each user or the same for all users.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 05 Jan 2023 14:04:09 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-client-auth-certification/m-p/526005#M3553 TomYoung 2023-01-05T14:04:09Z