09-25-2020 12:49 AM
Hello,
I have a requirement. Currently both internal and external users (both are AD users) connect to GP via their AD user name and password.
The requirement is to enroll a machine certificate to internal users and a common certificate issued by a Palo Alto generated root CA to all external users.
Internal users have a machine certificate issued by PKI on their Windows 10 machines.
External users have a common user certificate in their user certificate store. The certificate profile is OK and has the root CA certificate from PKI and the PA root CA.
So my queries are:
1) Can I still use Logon Method as User Logon (Always On) as a common method for both types of users? The requirement is that the certificate check should not kick in until the user logs in.
2) Client Certificate Store Lookup is User and Machine, so that it checks both spaces and finds a certificate in one of the stores.
Is this OK?
In the config selection criteria, I have selected the User Groups (a mix of both internal and external). Do I need to change it to Pre-logon?
09-25-2020 10:21 PM
1) Can I still use Logon Method as User Logon (Always On) as a common method for both types of users? The requirement is that the certificate check should not kick in until the user logs in.
Yes, but if you are going through and deploying machine certificates to machines it makes more sense in the majority of situations to go with pre-logon. Obviously if that doesn't meet your requirements you can stick with User Logon but I really recommend looking into pre-logon since you've already done all of the work for these internal clients.
2) Client Certificate Store Lookup is User and Machine, so that it checks both spaces and finds a certificate in one of the stores.
Correct. The thing to keep in mind here though is that anything in the user certificate store that actually matches your certificate profile is going to take priority over the machine certificate.
I have selected the User Groups (a mix of both internal and external). Do I need to change it to Pre-logon?
Only if you are actually going to deploy pre-logon mode. The thing to make sure here in testing prior to actual deployment is that the user is going to be identified from the certificate as you actually expect it to be for the users. It's not abundantly clear if you're talking about just doing certificate authentication for the internal users or if you plan on doing a certificate AND credential deployment instead.
Talking about internal and external just has me curious on what you actually mean by this. Generally you would want to see an internal and an external gateway configured if you are actually utilizing GlobalProtect for internal hosts. So you might only have one portal address, but you would have two separate gateway configurations. It kind of sounds like you are lumping your internal and external GlobalProtect clients on one gateway, which would be somewhat odd from a deployment. Is that just odd word choice, or what was the reason behind the sole gateway deployment?
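As the reply suggests, it is worth checking on a test endpoint which certificate a "User and Machine" store lookup would actually find before rolling this out. The PowerShell below is an added example, not from the thread or from Palo Alto; the CA common names are placeholders for the CAs in your certificate profile, and the filtering only approximates the client's selection rules (private key present, valid dates, issued by a profile CA, client-authentication EKU).

```powershell
# Added example (not part of the thread): enumerate certificates in the user
# and machine personal stores that a certificate profile could match, listing
# the user store first because a matching user certificate takes priority.
$ProfileIssuerCNs = @('Corp-Issuing-CA', 'PA-Generated-Root-CA')   # placeholders
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'                             # id-kp-clientAuth

function Get-CandidateCerts {
    param([string]$StorePath, [string]$Scope)
    $now = Get-Date
    Get-ChildItem -Path $StorePath | Where-Object {
        $cert = $_
        $issuerOk = $false
        foreach ($cn in $ProfileIssuerCNs) {
            if ($cert.Issuer -match "CN=$cn") { $issuerOk = $true }
        }
        # A certificate with no EKU is usable for any purpose; otherwise require clientAuth.
        $ekuOk = ($cert.EnhancedKeyUsageList.Count -eq 0) -or
                 ($cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        $cert.HasPrivateKey -and $issuerOk -and $ekuOk -and
            $cert.NotBefore -le $now -and $cert.NotAfter -gt $now
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $Scope
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }
}

# User store first: a user certificate that matches the profile wins over the machine one.
# Before a user logs on (pre-logon) only the machine store is available, so only the
# second set applies at that stage.
$candidates = @(Get-CandidateCerts 'Cert:\CurrentUser\My'  'User') +
              @(Get-CandidateCerts 'Cert:\LocalMachine\My' 'Machine')

if ($candidates.Count -eq 0) {
    Write-Warning 'No certificate in either store is issued by a profile CA; the certificate check would fail.'
} else {
    $candidates | Format-Table Store, Subject, Issuer, NotAfter -AutoSize
    Write-Host ('First candidate: {0} store, {1}' -f $candidates[0].Store, $candidates[0].Subject)
}
```

Run it in the context of the user who will log on, since the CurrentUser store is specific to that account; run it elevated if the machine certificate's private key is not readable by the user.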
09-25-2020 11:06 PM
@BPry thanks for your reply.
The goal is to use both AD creds plus a certificate check.
Corp users have a machine certificate.
Non-corp users have a user certificate.
1) If I use user logon for a machine certificate, how will GP check the certificate?
I understand that pre-logon is the preferred way.
If I use pre-logon then I need three rules in total on the agent configuration:
1) pre-logon to be selected under user/user group.
Logon method pre-logon and certificate store lookup machine only.
2) specific users under user/user group.
Logon method pre-logon and certificate store lookup machine only.
3) specific users under user/user group, logon method user logon and certificate store lookup user only.
Gateway and portal use the same interface.