This document describes the steps to configure GlobalProtect for authentication using certificates only, without the user being prompted for login.
Create the certificate profile under Device > Certificate Management > Certificate Profile. Make sure Username Field is set to 'Subject' and the grey area to the right of it shows 'common-name'. Add the root CA under CA Certificates.
The image below shows the certificates created: [Image: Certificates]
Configure the GlobalProtect Gateway. Set Authentication Profile to None and set Certificate Profile to the one created in Step 1 above.
Configure the GlobalProtect Portal. Set the Authentication Profile to None. Select the Client Certificate and Certificate Profile. Note: Having the firewall generate a Client Certificate assumes that the certificate infrastructure is set up on the network to support that client certificate. Alternatively, a client certificate may not be necessary, and may not be advisable in a multi-user environment. It may be better to use a certificate profile with the CA that will be used to sign each user's certificate, so that each user receives a unique certificate from the CA.
In the Client Configuration tab, disable SSO.
Install the root and client certificates in the local machine store of the client PC. Note: The client machine certificate must be exported from the Palo Alto Networks device in PKCS12 format.
Install the client certificate in the user personal store.
In the GlobalProtect client, there is no need to enter the Username and Password.
Commit the configuration on the firewall. The GlobalProtect client will automatically connect to the gateway. The gateway's remote users list will show the client certificate as the user logging in.
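The client-side certificate installation described above can be scripted and checked in PowerShell before the GlobalProtect client is started. This is an added example, not part of the original article: the file paths are placeholders, placing the root CA in the Trusted Root store is an assumption, and revocation checking is skipped.

```powershell
# Added example. Run from an elevated PowerShell prompt (LocalMachine stores need admin).
$RootCaFile = 'C:\Temp\root-ca.cer'    # placeholder path: exported root CA certificate
$ClientPfx  = 'C:\Temp\gp-client.p12'  # placeholder path: PKCS12 export of the client certificate
$pfxPass    = Read-Host -AsSecureString -Prompt 'PKCS12 passphrase'

# Assumption: the root CA goes into the machine's Trusted Root store.
$root = Import-Certificate -FilePath $RootCaFile -CertStoreLocation Cert:\LocalMachine\Root

# Import the client certificate into the machine and user Personal stores.
# Without -Exportable the private key is marked non-exportable on this PC.
$imported = [ordered]@{}
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $imported[$store] = Import-PfxCertificate -FilePath $ClientPfx -Password $pfxPass `
        -CertStoreLocation $store | Where-Object HasPrivateKey | Select-Object -First 1
}

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$report = foreach ($entry in $imported.GetEnumerator()) {
    $cert = $entry.Value
    if (-not $cert) {
        Write-Warning "$($entry.Key): no certificate with a private key was imported"
        continue
    }
    # Build the chain locally; revocation is not checked here (assumption: no CRL/OCSP reachable).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk   = $chain.Build($cert)
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Store          = $entry.Key
        # Normally the Subject common name, which the certificate profile uses as the username
        UsernameSeen   = $cert.GetNameInfo($nameType, $false)
        HasPrivateKey  = $cert.HasPrivateKey
        Expired        = $cert.NotAfter -lt (Get-Date)
        ChainValid     = $chainOk
        IssuedByRootCa = $chainRoot.Thumbprint -eq $root.Thumbprint
    }
}
$report | Format-Table -AutoSize
```

A row with HasPrivateKey, ChainValid or IssuedByRootCa set to False, or a UsernameSeen value that is not the expected user, identifies the problem before the first connection attempt.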