https://live.paloaltonetworks.com/t5/general-topics/globalprotect-machine-account-exists-with-device-serial-number/m-p/543421#M111260 <P>Dear Team,</P> <P>&nbsp;</P> <P>I'm trying to set up GlobalProtect's 'Serial Number Check' feature, but I'm having a hard time.</P> <P>&nbsp;</P> <P>GlobalProtect is already being used in conjunction with LDAP.</P> <P>&nbsp;</P> <P>So, when I do not use the function, I log in normally.</P> <P>&nbsp;</P> <P>I want to control by matching the serial number to the LDAP user.</P> <P>&nbsp;</P> <P>Is it correct that the serial number mentioned here means the device ID of Windows/Mac?</P> <P>&nbsp;</P> <P>And in the firewall, there seems to be nothing to set other than changing the function to 'yes'.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CHOEKyungJun_0-1685060942772.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50348iAC4F314E9F9B2084/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CHOEKyungJun_0-1685060942772.png" alt="CHOEKyungJun_0-1685060942772.png" /></span></P> <P>I tried entering the device ID in Serial Number among the LDAP properties, but it doesn't work.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CHOEKyungJun_1-1685060964833.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50349i8992EC79AF96117E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CHOEKyungJun_1-1685060964833.png" alt="CHOEKyungJun_1-1685060964833.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CHOEKyungJun_2-1685060974068.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50350iAFE743F1C13E937F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CHOEKyungJun_2-1685060974068.png" alt="CHOEKyungJun_2-1685060974068.png" /></span></P> <P>&nbsp;</P> <P>If anyone has done the above setup or knows how to do it, please let me know.</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 26 May 2023 00:31:31 GMT CHOE-KyungJun 2023-05-26T00:31:31Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-machine-account-exists-with-device-serial-number/m-p/543421#M111260 <P>Dear Team,</P> <P>&nbsp;</P> <P>I'm trying to set up GlobalProtect's 'Serial Number Check' feature, but I'm having a hard time.</P> <P>&nbsp;</P> <P>GlobalProtect is already being used in conjunction with LDAP.</P> <P>&nbsp;</P> <P>So, when I do not use the function, I log in normally.</P> <P>&nbsp;</P> <P>I want to control by matching the serial number to the LDAP user.</P> <P>&nbsp;</P> <P>Is it correct that the serial number mentioned here means the device ID of Windows/Mac?</P> <P>&nbsp;</P> <P>And in the firewall, there seems to be nothing to set other than changing the function to 'yes'.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CHOEKyungJun_0-1685060942772.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50348iAC4F314E9F9B2084/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CHOEKyungJun_0-1685060942772.png" alt="CHOEKyungJun_0-1685060942772.png" /></span></P> <P>I tried entering the device ID in Serial Number among the LDAP properties, but it doesn't work.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CHOEKyungJun_1-1685060964833.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50349i8992EC79AF96117E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CHOEKyungJun_1-1685060964833.png" alt="CHOEKyungJun_1-1685060964833.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CHOEKyungJun_2-1685060974068.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50350iAFE743F1C13E937F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CHOEKyungJun_2-1685060974068.png" alt="CHOEKyungJun_2-1685060974068.png" /></span></P> <P>&nbsp;</P> <P>If anyone has done the above setup or knows how to do it, please let me know.</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 26 May 2023 00:31:31 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-machine-account-exists-with-device-serial-number/m-p/543421#M111260 CHOE-KyungJun 2023-05-26T00:31:31Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-machine-account-exists-with-device-serial-number/m-p/543679#M111315 <P>In looking at the help for this section. </P> <TABLE class="FormatA" style="color: #000000; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" summary=""> <TBODY> <TR> <TD class="Table_Cell" style="border-bottom: thin solid black; border-left: thin solid black; border-right: thin solid black; padding-left: 3px; padding-top: 1px; vertical-align: top;"> <DIV class="Table_Cell" style="font-family: 'Decimal Book', Lato; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 4pt; margin-top: 4pt;"><A name="ID0EOK4Y" target="_blank"></A>Machine account exists with device serial number</DIV> </TD> <TD class="Table_Cell" style="border-bottom: thin solid black; border-left: thin solid black; border-right: thin solid black; padding-left: 3px; padding-top: 1px; vertical-align: top;"> <DIV class="Table_Cell" style="font-family: 'Decimal Book', Lato; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 4pt; margin-top: 4pt;"><A name="ID0EYK4Y" target="_blank"></A>Configure matching criteria based on whether the endpoint serial number exists in the Active Directory.</DIV> </TD> </TR> </TBODY> </TABLE> <P><BR />I think it will be to tie to the device (not the user) to LDAP.<BR />So I think GP can get confirmation that the device belongs in AD (as long as AD responds back).<BR />I am not sure of the mechanism, but it is best to open a TAC case to get confirmation on the solution.&nbsp;</P> Sun, 28 May 2023 00:11:45 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-machine-account-exists-with-device-serial-number/m-p/543679#M111315 S.Cantwell 2023-05-28T00:11:45Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-machine-account-exists-with-device-serial-number/m-p/544239#M111392 <P>I read additional information that the Serial number check is used by the Cloud Identity Engine for registering endpoints.<BR /><BR />If you are using GlobalProtect and you have enabled Serial Number Check, select the Endpoint Serial Number option to allow the Cloud Identity Engine to collect serial numbers from managed endpoints. This information is used by the GlobalProtect portal to check if the serial number exists in the directory for verification that the endpoint is managed by GlobalProtect.</P> Wed, 31 May 2023 20:19:00 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-machine-account-exists-with-device-serial-number/m-p/544239#M111392 S.Cantwell 2023-05-31T20:19:00Z