08-31-2020 12:27 AM
Hello Team,
We have a global protect portal and gateways running . GP is currently integrated with AD. The certificate on GP is a wildcard signed by an external CA. Currently no certificate check is being made and authentication is purely on basis of AD creds
Now the requirement is in addition to credentials a certificate check on client machine has to be made. And certificate has to be a machine certificate issued by newly created Internal.CA.
So does PA also need to have a new server certificate signed by Internal CA?
Because it already has a widcard signed by external CA so can we have multiple server certificate ?
Also does GP support machine certificate on client machine or it has to be user certificate?
From my view certificate on GP and client should be from both CA and if we replace the wildcard there will be service disruption?
08-31-2020 05:36 PM
Now the requirement is in addition to credentials a certificate check on client machine has to be made. And certificate has to be a machine certificate issued by newly created Internal.CA.
So does PA also need to have a new server certificate signed by Internal CA?
Nope. When you configure the certificate profile for authentication you'll need to have the root and intermediate (if applicable) certificates loaded onto the firewall so it can validate the machine certificate, but the firewall itself doesn't need to have any additional certificate generated for it or anything like that.
If you configure SCEP that changes things bit, but since we're talking about machine certificates I don't think this is applicable in your deployment.
Because it already has a widcard signed by external CA so can we have multiple server certificate ?
Not Sure what you are asking here. You don't need to change the portal certificate whatsoever. The certificate you are using in the portal configuration under SSL/TLS service profile doesn't have anything to do with machine certificate authentication.
Also does GP support machine certificate on client machine or it has to be user certificate?
Yes. In your Agent configuration you'll want to modify the 'Client Certificate Store Lookup' option to Machine instead of it's default which looks at the machine and user store.
From my view certificate on GP and client should be from both CA and if we replace the wildcard there will be service disruption?
Again the certificate that you place on the Portal under the SSL/TLS service profile really doesn't come into play at all when you setup client certificate authentication as an option. You can leave this as the wildcard certificate if you want, or you can generate a new internal certificate and switch them out. From a functionality standpoint it doesn't matter.
If you do change out the certificate the client will simply reconnect when the certificate is modified, so it really doesn't cause any major outage or anything, but I would still do it during a maintenance window because you will see that reconnect event the next time the agent checks in with the gateway. As long as you properly update the certificate and update the portal and gateway as needed, you won't see an actual outage.
09-01-2020 01:16 AM
@BPry Thanks a lot .This clears a lot of doubts . Great Thanks to you again.
Some more queries :
1) We have two different ADs -old and new and we are in process of migrating users from old to new AD and this may take time / So we have two different CA servers corresponding to two different environments old and new . So Can we Root and Intermediate certificates from both Environments in the same Certificate Profile ? I believe Technically yes but need your input please
2) Currently the Connect Method is User logon ( always on) . Once we have the client certificates pushed /Installed , do we have to change it to Pre-login ? What will be the impact ?
3) We have created a local CA on Palo Alto and generated a certificate from this CA and distributed this certificate to external clients .
We also added this local CA certificate to the same Certificate Profile in Step 1 . This is for non corporate machines where we cant given Internally CA Signed certificate and hence we decided to give all the external clients a common certificate . believe this is OK technically .?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
