Force to Use Certificate

mohammad_mozamel — Mon, 18 Feb 2019 11:45:10 GMT

Dear Friends !

as i study PAN 7.0 if there is no Certificate installed in Client PC, PAN can not read https secure sites

in this is if i block youtube or other social websites and client uninstall CA from its browser he/she will be able to open blocked websites

is there any solution to configure PAN to force user to use CA Certificate, otherwise block them from every type of internet access

Re: Force to Use Certificate

reaper — Tue, 19 Feb 2019 19:17:45 GMT

The client only needs to have a root certificate installed for ssl decryption (if you use your company Active Directory CA to sign the decryption certificate, no additional cert needs to be installed)

Without decryption, the firewall will still be able to read the site's certificate to tey and determine the actual site
You can make your policy more strict so users who uninstall the root certificate will not get internet access, as this can only be the caee if your policy allows them to donthese actions

You may also want to upgrade to PAN-Os 8.0 or 8.1 as many features have been added to improve these mechanisms

topic Force to Use Certificate in General Topics

Force to Use Certificate

Re: Force to Use Certificate