GlobalProtect Prompts Me to Choose a Certificate???

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect Prompts Me to Choose a Certificate???

L0 Member

Does someone know why I'm being prompted by GlobalProtect to choose a certificate...under what circumstances does this happen...is it by design or a BUG?  How can I stop it from happening!!!

5 REPLIES 5

L0 Member

It's most likely because you have client certificate authentication enabled, so he is asking you to provide the certificate to authenticate with. Just a guess.

Community Team Member

Hi @PANLUser,

 

How is GlobalProtect configured ? Are you required to use a client certificate for authentication ?

 

Client Certificate is used to enable mutual authentication in establishing an HTTPS session between the agents and the gateways/portal. This ensures that only devices with valid client certificates are able to authenticate and connect to the network.

 

How can you stop it ? Install the client certificate on your device (if this is actually the issue).

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

GlobalProtect was rolled out by my company with very little fanfare.  The only people that received any sort of notice or communication were those that used the previous vendors VPN.  Soooo, I know very little about this product...and even less about how it was installed and configured on my notebook PC.  I can view minimal GlobalProtect Settings.  There are tabs for General which shows the User and which Portal it's connected to; Connection which shows a list of gateways and that's about it; Host Profile which shows a lot of info about my PC specs; Troubleshooting which allows me to turn on various logs for PanGP Service and/or PanGP Agent; Notification which shows a blank screen.  I have two options when it prompts me to select a certificate to connect to GlobalProtect...one of the options contains the word Auto, so I thought choosing that would eliminate future prompting....not so.  I talked to my Help Desk and they did not have any suggestions or answers.  Would you suggest talking to palo alto support directly?  I think I tried that and ended up at this forum??

L7 Applicator

You should only get a prompt if the client has multiple certificates signed by the same CA on the firewall's GP cert profile config.

 

If you have any other client certificates from the same CA as the one for GP, the prompt will happen each time. If you don't need those other certs for any reason, you can delete them to avoid the prompt.

We preloaded the next certificate before the expiry of the previous cert when we first observed the prompt. Using MDM logic we created a workflow (configuration profile) to exclude/remove the expiring cert the new cert was loaded.

  • 10962 Views
  • 5 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!