https://live.paloaltonetworks.com/t5/globalprotect-discussions/policy-to-only-allow-specific-host-id-auth-thru-globalprotect/m-p/537420#M3864 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/282912">@logmpang</a> ,</P> <P>&nbsp;</P> <P>The common solution to this issue is to deploy certificates to the hosts and require certificate AND username/password for GlobalProtect.&nbsp; The GlobalProtect client will check for the certificate 1st.&nbsp; If it does not exist, an error will be displayed instead of the username/password prompt.&nbsp; You can use the same certificate for each client or a unique certificate for each client.</P> <P>&nbsp;</P> <P>Make sure that you configure "No (User Credentials AND Client Certificate Required)" under the client authentication entry on the portal.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 03 Apr 2023 10:47:16 GMT TomYoung 2023-04-03T10:47:16Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/policy-to-only-allow-specific-host-id-auth-thru-globalprotect/m-p/537192#M3856 <P>i'm seeing bad guys trying to bruteforce my GlobalProtect VPN and I want to stop that.</P> <P>I want to achieve only specific laptop Host-ID can go thru GlobalProtect authentication and bad guys when they trying to auth with wrong account/pwd should not able to or&nbsp;GlobalProtect shall not prompt 'wrong account/password'.</P> <P>Can I do this via policy?</P> Fri, 31 Mar 2023 05:33:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/policy-to-only-allow-specific-host-id-auth-thru-globalprotect/m-p/537192#M3856 logmpang 2023-03-31T05:33:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/policy-to-only-allow-specific-host-id-auth-thru-globalprotect/m-p/537420#M3864 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/282912">@logmpang</a> ,</P> <P>&nbsp;</P> <P>The common solution to this issue is to deploy certificates to the hosts and require certificate AND username/password for GlobalProtect.&nbsp; The GlobalProtect client will check for the certificate 1st.&nbsp; If it does not exist, an error will be displayed instead of the username/password prompt.&nbsp; You can use the same certificate for each client or a unique certificate for each client.</P> <P>&nbsp;</P> <P>Make sure that you configure "No (User Credentials AND Client Certificate Required)" under the client authentication entry on the portal.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 03 Apr 2023 10:47:16 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/policy-to-only-allow-specific-host-id-auth-thru-globalprotect/m-p/537420#M3864 TomYoung 2023-04-03T10:47:16Z