topic Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate. in Prisma Access Discussions

Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

N.Nicolaides — Thu, 04 Apr 2024 12:41:17 GMT

We are trying to replicate our on-prem GP setup on Prisma, since we are migrating to that.

The issue is when we try to connect to Prisma portal, the user gets asked to verify the certificate.

However the same setup exists for on-prem GlobalProtect and the certificate does not happen.

I have tried various techniques with PA Prof. Services and an active TAC case.

I am using GP 6.2.2.

EDIT

--------

Resolved. The issue was under Windows Internet settings. We had the <domain.com> as a trusted site, but we also had to add prisma.domain.com through the registry for it to get resolved.

Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

reaper — Thu, 28 Mar 2024 10:02:19 GMT

in the portal/gateway authentication tab, is the "Allow Authentication with User Credentials OR Client Certificate" set to 'no'?

try setting that to yes (or remove the Certificate Profile)

Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

N.Nicolaides — Thu, 28 Mar 2024 11:07:48 GMT

We want both user and certificate authentication. That is the point. We want the user to authenticate on the corporate machines.

Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

Vickynet — Thu, 28 Mar 2024 21:00:09 GMT

Hello @N.Nicolaides , do you have a copy of the server certificate imported and pushed to your Prisma Access MU SPN and not just to your on-premise firewall?

Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

N.Nicolaides — Sat, 30 Mar 2024 21:49:00 GMT

Hello,

If by MU SPN you mean the cloud based Prisma firewall configuration, then yes, the certificate is the same as the on-prem ones.

We are using certificate and user authentication. If Prisma did not have the root CAs installed, it would have not logged in at all, correct?

We seem to be getting an issue similar to this.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBVpCAO

Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

N.Nicolaides — Sun, 31 Mar 2024 11:21:38 GMT

Hi @Vickynet , apologies, my writing looks a bit blunt and rude, I assure you it was not my intention.

Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

Vickynet — Mon, 01 Apr 2024 21:46:48 GMT

Hello @N.Nicolaides , not a problem at all and thank you for getting back to me. I reviewed the knowledge based article you referenced, that may also be related. Did you try out what was suggested in the article? I would love to know the outcome.

Thank you,

Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

N.Nicolaides — Tue, 02 Apr 2024 08:13:03 GMT

Hello, yes that was the first thing we have tried.

But the issue is that:

- We are using the same certificates as on-prem.

- The Prisma configuration is identical with the one on-prem, since they are both being managed by our Panorama.

- The GP client is the same version.

- The "Confirm certificate" popup only appears when we try to connect to prisma.

Therefore, if we deduct that:

- The VPN client is not the issue because we are using the same version and app.

- Configuration is not the issue since it is the same.

- The certificates are identical.

I guess the only difference is that on-prem is connected to our local AD, whereas Prisma is on Azure. Could that be the issue?

Re: Moving from GP to Prisma access - Prisma prompts client to choose a certificate.

Vickynet — Wed, 03 Apr 2024 04:58:19 GMT

Hello @N.Nicolaides, everything looks right based on the procedures you itemized in your previous notes. I don't really believe using Azure AD for Prisma should cause this behavior as well. Do you want to try Palo Alto TAC support team so they can have a deeper look on your settings to see if they could narrow down the root cause of the issue? Looking for more info on my side as well in the meantime if I could see you may pay attention to.