GlobalProtect Prompts Me to Choose a Certificate???


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L0 Member

GlobalProtect Prompts Me to Choose a Certificate???

Does someone know why I'm being prompted by GlobalProtect to choose a certificate...under what circumstances does this it by design or a BUG?  How can I stop it from happening!!!

L0 Member

It's most likely because you have client certificate authentication enabled, so he is asking you to provide the certificate to authenticate with. Just a guess.

Community Team Member

Hi @PANLUser,


How is GlobalProtect configured ? Are you required to use a client certificate for authentication ?


Client Certificate is used to enable mutual authentication in establishing an HTTPS session between the agents and the gateways/portal. This ensures that only devices with valid client certificates are able to authenticate and connect to the network.


How can you stop it ? Install the client certificate on your device (if this is actually the issue).


Hope this helps,


L0 Member

GlobalProtect was rolled out by my company with very little fanfare.  The only people that received any sort of notice or communication were those that used the previous vendors VPN.  Soooo, I know very little about this product...and even less about how it was installed and configured on my notebook PC.  I can view minimal GlobalProtect Settings.  There are tabs for General which shows the User and which Portal it's connected to; Connection which shows a list of gateways and that's about it; Host Profile which shows a lot of info about my PC specs; Troubleshooting which allows me to turn on various logs for PanGP Service and/or PanGP Agent; Notification which shows a blank screen.  I have two options when it prompts me to select a certificate to connect to of the options contains the word Auto, so I thought choosing that would eliminate future prompting....not so.  I talked to my Help Desk and they did not have any suggestions or answers.  Would you suggest talking to palo alto support directly?  I think I tried that and ended up at this forum??

L7 Applicator

You should only get a prompt if the client has multiple certificates signed by the same CA on the firewall's GP cert profile config.


If you have any other client certificates from the same CA as the one for GP, the prompt will happen each time. If you don't need those other certs for any reason, you can delete them to avoid the prompt.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!