09-19-2017 02:36 AM
Hi,
I am currently investigating the possibility to add an extra layer of protection on our GlobalProtect Clients.
Currently LDAP authentication is used but I want to add an extra layer on top of this by using a certificate handed out to each user.
As we do not have that many clients I figured I might as well have the PaloAlto Firewall hand these out.
I would like to have an intermediate solution where I can test this first.
Do I need to set up an extra gateway to accomplish this? If I enabled a Certificate Profile on the current gateway then all my users would be blocked, as they do not have a certificate yet. I noticed that I cannot have two gateways on the same IP address. What would be the best approach for this?
Remko
09-19-2017 08:43 AM
ok just to confirm .... save some embarrassment...
you only get the error if you use certificate only authentication and forget to put a value in the username field of the certificate profile.
Mick.
09-19-2017 03:07 AM
hmmmm... certificate auth is global to the gateway and portal.
I was thinking perhaps you could keep the portal auth just LDAP, then for you as a user, you can give yourself a different gateway to test cert/LDAP auth, but with only one external address you are going to struggle.
I was hoping you could add :4433 to your new gateway address and then do something clever with a loopback address listening on port 4433.
I don't think this is possible, but some members of this forum have come up with some clever workarounds, so you never know; you could of course try it yourself.
If not many users, then just test out of hours or during a low-traffic period. I would just export/import the cert to yourself first and test; this will not affect current connections, only those connecting at the time of commit.
09-19-2017 04:53 AM
I do have the luxury of extra IP addresses, so I should be able to create a second gateway. Although I have not done this before, I should be able to copy some settings from the existing gateway. The initial set-up was done by a consultant.
Let me give this a try. Thanks for your thoughts on this.
09-19-2017 05:12 AM
No problem...
Do you have a gateway license? This is required for multiple gateways.
If not, then just create a new test portal for yourself. This can then have its own gateway.
Please also note that if using cert auth along with LDAP, leave the "username field" in your cert profile as "none".
good luck....
09-19-2017 05:23 AM
Learning something new everyday 🙂
I was not aware an extra license was required. So I need to create a new portal and a new gateway.
Will give this a try.
About your remark:
"please also note that if using cert auth along with LDAP, leave the "username field" in your cert profile as "none"."
I want to have a certificate for each individual user, basically as shown in this YouTube tutorial from Palo Alto.
So the user needs to have the correct LDAP credentials and must be in possession of a valid name-based certificate.
Would this be possible?