https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-with-gp-client-certificate-authentication/m-p/1235457#M6959 <P>1) Yes</P> <P>2) You'll need an internal gateway</P> <P>3) You're correct that the certificate will need a unique user attribute on it. We used the email field in the certificate SAN to populate the email address and extract the userid from there. On the internal gateway, you can select configure the certificate profile to pull that info from the certificate.</P> Tue, 05 Aug 2025 12:35:08 GMT sk_display 2025-08-05T12:35:08Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-with-gp-client-certificate-authentication/m-p/1234978#M6934 <P>Hi,</P><P>I have questions regarding user-id operation with GP client certificate authentication only for iOS/Android devices.</P><P>&nbsp;</P><P><STRONG>Current state:</STRONG></P><UL><LI>We have GlobalProtect portal and external gateway on the same firewall with <U>SAML authentication</U> for mobile devices - iOS (on-demand, but <EM>enforcement to use VPN is achieved with proxy file) and </EM>Chrombook (always-on)</LI><LI>IHD (Internal Host Detection) is not used hence mobile devices are always tunnelled to the external gateway even they are on the internal network.</LI></UL><P>&nbsp;</P><P><STRONG>Target state:</STRONG></P><UL><LI>Reconfigure GlobalProtect with a unique <U>client certificate profile for authentication</U> without other authentication methods. (Remove SAML authentication)</LI><LI>Configure Certificate profile with username field of Subject (common-name)</LI><LI>Change App connection method to always-on for iOS devices.</LI><LI>Enable IHD(Internal Host Detection) to make clients on internal network won’t be tunnelled.</LI><LI>Create new GP internal gateway without establishing a VPN tunnel to the firewall &nbsp;to collect user-id information</LI></UL><P>&nbsp;</P><P><STRONG>Questions:</STRONG></P><P>1) For devices on the internal network, is an internal GlobalProtect gateway required to report User-ID information to the firewall?</P><P>&nbsp;</P><P>2) If we switch to client certificate-only authentication (no user credentials), will the GlobalProtect gateways still report User-ID mappings?<BR />I assume the gateways extract the username from the certificate’s Subject (e.g., CN), so this should still work — can you confirm?</P><P>&nbsp;</P><P>3) For accurate User-ID mapping, should we use user certificates rather than machine certificates?</P><P>Machine certificates contain the device name or host FQDN in the subject. So I assume firewall may end up mapping the IP to a device name, not the user which is not expected.</P><P>&nbsp;</P><P>Thanks</P> Wed, 30 Jul 2025 04:38:19 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-with-gp-client-certificate-authentication/m-p/1234978#M6934 ahwang2929 2025-07-30T04:38:19Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-with-gp-client-certificate-authentication/m-p/1235457#M6959 <P>1) Yes</P> <P>2) You'll need an internal gateway</P> <P>3) You're correct that the certificate will need a unique user attribute on it. We used the email field in the certificate SAN to populate the email address and extract the userid from there. On the internal gateway, you can select configure the certificate profile to pull that info from the certificate.</P> Tue, 05 Aug 2025 12:35:08 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-with-gp-client-certificate-authentication/m-p/1235457#M6959 sk_display 2025-08-05T12:35:08Z