topic Re: Host certificate check HIP objects configuration in GlobalProtect Discussions

Host certificate check HIP objects configuration

ngd-netsec — Wed, 30 Aug 2023 09:23:14 GMT

we are planning to configure certificate check HIP object and authentication based on that. we are not getting any clear picture in online or palo alto portal. please help up to provide resource...

Re: Host certificate check HIP objects configuration

TomYoung — Wed, 30 Aug 2023 12:48:20 GMT

Hi @ngd-netsec ,

You can configure GlobalProtect to authenticate the client with a certificate and/or username/password. You do not have to configure HIP checks. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIICA0

You can also Google "globalprotect client certificate authentication" and you will find more docs and videos.

I have configured GP certificate authentication for a few of my customers, and it is easy once you get the hang of it.

Thanks,

Tom

Re: Host certificate check HIP objects configuration

FranklinV — Mon, 04 Sep 2023 01:08:49 GMT

Hey @TomYoung,

When you configure CBA for customers, do you use a second factor i.e., SAML/MFA? or CBA is the only factor?

Re: Host certificate check HIP objects configuration

TomYoung — Mon, 04 Sep 2023 02:14:34 GMT

Hi @FranklinV ,

Under the Client Authentication config, you can choose certificate only or certificate and username/password. The username/password can reference many Authentication Profile types including SAML. MFA can be built into many authentication methods.

Thanks,

Tom

Re: Host certificate check HIP objects configuration

FranklinV — Mon, 04 Sep 2023 03:00:58 GMT

@TomYoung thanks! I am familiar with this setting. Was just curious to know if others are okay with a single factor (CBA only).

BTW - would you know if when CBA and username/password are configured with SAML (+built in MFA) as the second factor, would users receive the SAML prompt for the second factor (username/password) or the MFA prompt?

As an example: First factor is certificate, Second factor MFA (no username/password).

Re: Host certificate check HIP objects configuration

TomYoung — Mon, 04 Sep 2023 09:35:52 GMT

Hi @FranklinV ,

Got it! I understand your question now. I do not configure Certificate Based Authentication only. It is recommended to use 2FA for GlobalProtect (RA VPN) because if you use one factor and it is compromised, then threats have access to your network. RA VPN is a commonly exploited means of gaining access.

With regard to SAML+MFA without a u/p prompt, I know the portal can be configured to accept authentication cookies, but I have never configured it or seen it on the 1st login. GP also can use HW/SW tokens, although I have not seen a lot of documentation on it.

Another possibility is to use RADIUS/EAP-TLS and have the RADIUS server extract the username from the certificate and communicate with the MFA software.

Thanks,

Tom