topic Re: GlobalProtect - Client Certificates Deployment in General Topics

GlobalProtect - Client Certificates Deployment

Creid — Tue, 16 Aug 2016 13:53:31 GMT

Greetings,

I have used the following article to distribute client certificates for GlobalProtect:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Issue-Certificates-to-GlobalProtect-Devices/ta-p/53642

My understanding is that with this method of certificate distribution, all client machines will have the same client certificate.

I understand that with any system, there's always a risk with regards to security, and that the risk will have to be managed accordingly.

My question is are there any major security concerns with each client machine having the same client certificate? If there's any documentation that I can reference, that would be helpful as well.

Re: GlobalProtect - Client Certificates Deployment

BPry — Tue, 16 Aug 2016 18:24:18 GMT

Since they still have to sign into globalprotect with their credentials I wouldn't be to worried about having the same cert on all of their equipment, as anybody who gets the cert would still need the username and password. Most organziations use certs pretty heavily and many will have the same cert on all of their machines. We use a cert for one of our wireless SSIDS that uses a common cert, then have another SSID that uses the machine cert to authenticate.

Re: GlobalProtect - Client Certificates Deployment

Creid — Tue, 16 Aug 2016 19:27:45 GMT

Makes sense. Thanks for the response.