GlobalProtect VPN with Windows-PKI (W2K8R2)

Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect VPN with Windows-PKI (W2K8R2)

Not applicable


Currently we have a beta-environment for GlobalProtect-VPN on Windows7 (64bit).

Authentication with LDAP works fine.

But we want to use a client-certificate (user) from our internal Windows-PKI which is already rolled out to the endpoints.

Where can i find a complete step-by-step-guide?

Thanks for your help



L5 Sessionator

You can find a global protect guide on Support portal under technical documentation. I have attached the guide for your reference.


I am sorry. I know this guide but it doesn't cover my needs.

It starts on page 6 with "In this example the firewall is configured as CA server and this certificate to sign Gateway and Client certificates." - the guide is quiet good and it works with this configuration.

But we need it working together with our internal Windows-PKI and the depending client-certificates.

In the best case it works in the same way with iOS-devices (also with an already rolled out client-certificate).



Palo Alto Networks Guru

The client certificate that is used internally in GlobalProtect is provided to the client through the GlobalProtect Portal. If you'd like to use a client certificate from your PKI here, you have to import into the Portal including the private key. The certificate is actually shared across all GlobalProtect clients in your deployment to ensure that only clients from your deployment can connect to your configured GlobalProtect Gateways. It doesn't provide true machine authentication and authorization as you are looking for.


Thank you. This is a bit disappointing that there is no way to fully use the Windows-PKI.

Could it be possible to use RADIUS instead?


Yes, you can use RADIUS (secure ID) as a secondary means of authentication. Ensure that the username for the RADIUS authentication is configured for the GP gateway stage and  is the same as that which is used at the portal stage as you will not be prompted to add the username at the Gateway level

You will however will allowed to enter the password and here is where you'd enter the RADIUS secure ID one time password  as the password

Hi Mwalter,

Will their be a working together with an  internal Windows-PKI in future PANOS versions?

We are looking at IOS and Android devices using an individual client certificate.



  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!