https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/577645#M4982 <P>Hi, have you managed to solve this issue? Struggling with the same problem...</P> Mon, 19 Feb 2024 11:33:01 GMT Merl 2024-02-19T11:33:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/551500#M4240 <P>Hello,</P> <P>&nbsp;</P> <P>I am trying to find out more information about a GP portal setting called Machine Certificate Check under Portal Configuration / Agent / Agent Config / Config Selection Criteria / Device Checks. I was hoping to use a machine certificate check outside of the authentication tab to allow or disallow machines based on user/user group, but I can't seem to get it to work. I get a "You are not authorized to connect to GlobalProtect Portal" message. If I set the same certificate profile in the authentication tab, it works just fine when the cert is installed in the machine store. GlobalProtect connects as it should.</P> <P>&nbsp;</P> <P>My question is, what is the difference between setting it in the authentication tab and setting it as a device check? It is using the same certificate profile and same certificate issued by the CA. I would think it should work set in either place.</P> <P>&nbsp;</P> <P>PA-220 running 10.2.4</P> <P>This is a test portal/gateway configuration I am using.</P> <P>&nbsp;</P> <P>Thanks in advance for any input.</P> <P>&nbsp;</P> <P>Michael</P> Thu, 27 Jul 2023 23:09:07 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/551500#M4240 Michael.Martin 2023-07-27T23:09:07Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/552191#M4251 <P>I would say that the authentication tab just allows you to connect to the gateway... the device check will decide which config within the gateway agent setting you would get once authenticated, if you only have 1 config in the agent it would not really be of any use...</P> <P>&nbsp;</P> <P>For user/group membership you will need to look at Device&gt;User Identification&gt;user mapping.</P> Wed, 02 Aug 2023 13:06:41 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/552191#M4251 Mick_Ball 2023-08-02T13:06:41Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/577645#M4982 <P>Hi, have you managed to solve this issue? Struggling with the same problem...</P> Mon, 19 Feb 2024 11:33:01 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/577645#M4982 Merl 2024-02-19T11:33:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/588136#M5394 <P>Any idea what is the main idea from the above (&nbsp;<SPAN>what is the difference between setting it in the authentication tab and setting it as a device check? It is using the same certificate profile and same certificate issued by the CA. I would think it should work set in either place) ?</SPAN></P> Tue, 28 May 2024 19:05:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/588136#M5394 DKh Al Obaidi 2024-05-28T19:05:45Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/588238#M5399 <P>Authentication may be shared for several user groups and with a disabled certificate option. But at the same time you might be needed to have several Agent options with different criteria. My personal case: one GW, single Authentication method without cert, several Agent options for different groups. Some users only need authentication, other users need 2FA with a machine cert.</P> Wed, 29 May 2024 09:53:03 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-agent-machine-certificate-check/m-p/588238#M5399 Merl 2024-05-29T09:53:03Z