- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-19-2017 02:36 AM
Hi,
I am currently investigating the possibily to add an extra layer of protection on our GlobalProtect Clients.
Currently LDAP authentication is used but I want to add an extra layer on top of this by using a certificate handed out to each user.
As we do not have that many clients I figured I might as well have the PaloAlto Firewall hand these out.
I would like to have a intermediate solution where I can test this first.
Do I need to set-up an extra gateway to accomplish this? If I would enable a Certificate Profile on the current gateway then all my users will be blocked as they do not have a certificate yet. I noticed that I cannot have two gateways on the same IP adress. What would be the best approach for this?
Remko
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-19-2017 08:43 AM
ok just to confirm .... save some embarrassment...
you only get the error if you use certificate only authentication and forget to put a value in the username field of the certificate profile.
Mick.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-19-2017 03:07 AM
hmmmm... certificate auth is global to the gateway and portal.
I was thinking perhaps you could keep the portal auth just LDAP, then for you as a user, you can give yourself a different gateway to test cert/ldap auth but with only one external address you are going to struggle.
I was hoping you could add :4433 to your new gateway address and then do something clever with a loopback address listening on port 4433.
I don't think this is possible but some members of this forum have come up with some clever workarounds so you never know, you could of course try it yourself.
If not many users then just test out of hours or during a low traffic period. I would just export/import the cert to yourself first and test, this will not affect current connections, only those connecting at the time of commit.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-19-2017 04:53 AM
I do have the luxery of extra IP addresses so I should be able to create a second gateway. Although I have not done this before I should be able to copy some settings from the existing gateway. The initial set-up was done by a consultant.
Let me give this a try. Thanks for your thoughts on this.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-19-2017 05:12 AM
No problem...
do you have a gateway license, this is required for multiple gateways.
If not then just create a new test portal for yourself. this can then have its own gateway.
please also note that if using cert auth along with with LDAP, leave the "username field" in your cert profile as "none".
good luck....
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-19-2017 05:23 AM
Learning something new everyday :-)
I was not aware an extra license was required. So I need to create a new portal and a new gateway.
Will give this a try.
About your remark
please also note that if using cert auth along with with LDAP, leave the "username field" in your cert profile as "none".
I want to have a certificate for each individual user. Basically as shown in this YouTube Tutorial from PaloAlto.
So the user needs to have the correct LDAP credentials and must be in possesion of a valid name based certificate.
Would this be possible?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-19-2017 06:36 AM
i'm sure it would work, I only say this as I have no idea cos never tried...
not sure why you would need a user cert as well as LDAP. why not just a device cert. this is the same as user cert but all have same cert and doesn't use username field so no need to create a cert for each user.
also. i wonder what would happen if the user cert cn was different to the ldap name.
I have a feeling that the cn in the cert is ignored as long as the root CA for it is in the cert profile.
ah.. hold on...
I have just connected with my ipad via LDAP and user cert. the cn in the user cert is not the same as LDAP but still connected and connected as LDAP name. so yes it will work but dont see the point of assigning individual certs to users. just give them a global one.
when we first started using mixed auths we used to get a pop up saying username fiels is incorrect. this must have changed at sometime. hence my previous offering.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-19-2017 08:43 AM
ok just to confirm .... save some embarrassment...
you only get the error if you use certificate only authentication and forget to put a value in the username field of the certificate profile.
Mick.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-20-2017 05:28 AM
I have been playing with this some more and managed to get things working.
I created a ROOT certificate and two user certificates based on this ROOT certificate.
The user certificates have a Common-Name the same as there LDAP login username.
I created an extra tunnel, portal and gateway on a different external IP address and created a public DNS record.
On the Portal and Gateway I enabled a certificate profile which has the ROOT certificate defined and in the Username Field: Subject
Then I tested the connection without a user cert.
The connection failed as expected with the warning that no valid certicate was found.
When I imported the Certificate of User "A" the userfield on Global Protect was automatically entered and greyed out.
The same when I delete the certicate of User "A" and import User "B".
So I believe that I got what I want. Thanks for pointing me out in the right direction!
I can tweak the settings some more to for example use SSO with the Windows Credentials. Then the user does not need to enter his password for the second time. This seems to also work as expected.
- MS Graph Integration Issues in Cortex XSOAR Discussions
- Global Protect pre-logon then on-demand configuration in GlobalProtect Discussions
- AD Group Mapping - Azure SAML Auth in Prisma Access Discussions
- Global Protect (SSL VPN) OTP with e-mail in GlobalProtect Discussions
- Global Protect portal page error in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
