This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Globalprotect Block sessions if the certificate was not issued to the authenticating device

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Globalprotect Block sessions if the certificate was not issued to the authenticating device

Tony-Le
L0 Member

‎12-16-2019 03:22 AM

Hello,
My organization is testing out GlobalProtect for Linux and we've quickly realized that the certificates we deploy through SCEP (MS NDES, Certmonger) can be utilized on other systems than whom they were intended for. This opens up for users with root access (dev's) to set up a non company owned/managed devices with GlobalProtect and this prevents us from going live (paying for the license).
So this weekend we were looking at the certificate profile option "Block session if the certificate was not issued to the authenticating device". The documentation says the following about this option
(GlobalProtect only) Select this option if you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint. Otherwise, the firewall allows the sessions. This option applies only to GlobalProtect certificate authentication.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-certificate-man...
... and Host ID for linux is supposedly the Product UUID retrieved from the system DMI table.
So what I'm confused about is what they mean with "serial number attribute" in the subject of the client certificate. To my knowledge that attribute is not available in the subject field.
I've tried a couple of different scenarios, such as setting the CommonName to the UUID but all of my tests has resulted in the error "the certificate is invalid". As soon as I uncheck the setting in the Certificate Profile things start working again, so I'm pretty sure the issue lies within me not understanding the documentation.
Does anyone here have this thing working? All replies are appreciated!
2 people had this problem.
0 Likes Likes
2 REPLIES 2

SCantwell_IM
Cyber Elite
Cyber Elite

‎12-16-2019 09:31 AM

Hello!

 

I thought that you could only do HIP checks (like looking at the SN, wherever it is found) AFTER the license was purchased.

Is there something that has changed?

 

So I am not sure how you can test this adequately, because HIP is how it should be done with GP.

 

Let's keep working together towards a resolution.

 

 

Help the community: Like helpful comments and mark solutions
0 Likes Likes

Tony-Le
L0 Member
In response to SCantwell_IM

‎12-16-2019 10:38 PM

Hi Steve

 

Thanks for your reply. I've tried with HiP. According our local Palo Alto partner here. Not all features on HiP check is implements for Linux as for Windows.

0 Likes Likes
  • 4025 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks