Global Protect Portal with Certificate Profile - client certificate required after upgrading to 6.0


L4 Transporter


We are running Global Protect with pre-logon. The GP Portal needs to allow users to log in from "clean" computers without machine certificates, and at the same time allow the pre-logon user (and other users) to authenticate with a machine certificate. In 5.0 this has been done by using a certificate profile with the username field set to "none".

This was working fine in 5.0, but after upgrading to 6.0 I get a "valid certificate is required" when accessing the GP portal page through a web browser.

I found the following article describing a change in default behavior from 4.1 to 5.0 due to the implementation of pre-logon.

GP Portal No Longer Prompting for Client Certificates Following PAN-OS v5.0.x Upgrade

Has this been changed again in 6.0? How can I get a Global Protect Portal to support both user/password and machine certificate authentication in 6.0?

- Tor


Not applicable

I'm trying to figure this out as well. I've been working on this for a day or so now with no luck. I'll let you know if I am able to figure it out. Hopefully someone from PA can offer some assistance.

Not applicable

Okay, I finally got it to work. I followed the config in the Global Protect admin guide for 6.0 and downloaded the latest client, and I can see that it works now.

Thanks for your reply!

Are you able to authenticate to the portal using both username/password and computer/client certificate?

Or are you using just username/password for the portal? I read through the admin guide one more time, and it seems like I got it wrong, and that you don't need a certificate profile on the portal for pre-logon after all. Is this correct?

"After authentication succeeds, the portal pushes the client configuration to the agent along with a cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system attempts to connect in pre-logon mode, it will use cookie to authenticate to the portal and receive its pre-logon client configuration."

Ensure that the certificates and their signer certificates (in a chain) are all included in the GP Portal >> Client Configuration >> Root CA section. That became mandatory in the later versions of PAN-OS v5.0.x.
