Globalprotect Block sessions if the certificate was not issued to the authenticating device

Reply
Highlighted
L0 Member

Globalprotect Block sessions if the certificate was not issued to the authenticating device

Hello,
My organization is testing out GlobalProtect for Linux and we've quickly realized that the certificates we deploy through SCEP (MS NDES, Certmonger) can be utilized on other systems than whom they were intended for. This opens up for users with root access (dev's) to set up a non company owned/managed devices with GlobalProtect and this prevents us from going live (paying for the license).
So this weekend we were looking at the certificate profile option "Block session if the certificate was not issued to the authenticating device". The documentation says the following about this option
(GlobalProtect only) Select this option if you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint. Otherwise, the firewall allows the sessions. This option applies only to GlobalProtect certificate authentication.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-certificate-man...
... and Host ID for linux is supposedly the Product UUID retrieved from the system DMI table.
So what I'm confused about is what they mean with "serial number attribute" in the subject of the client certificate. To my knowledge that attribute is not available in the subject field.
I've tried a couple of different scenarios, such as setting the CommonName to the UUID but all of my tests has resulted in the error "the certificate is invalid". As soon as I uncheck the setting in the Certificate Profile things start working again, so I'm pretty sure the issue lies within me not understanding the documentation.
Does anyone here have this thing working? All replies are appreciated!
Highlighted
Cyber Elite

Hello!

 

I thought that you could only do HIP checks (like looking at the SN, wherever it is found) AFTER the license was purchased.

Is there something that has changed?

 

So I am not sure how you can test this adequately, because HIP is how it should be done with GP.

 

Let's keep working together towards a resolution.

 

 

Help the community: Like helpful comments and mark solutions
Highlighted
L0 Member

Hi Steve

 

Thanks for your reply. I've tried with HiP. According our local Palo Alto partner here. Not all features on HiP check is implements for Linux as for Windows.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!