This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Best Practices for Global Protect Machine and User Cert Authentication

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best Practices for Global Protect Machine and User Cert Authentication

Andy3989
L0 Member

‎10-17-2023 11:35 AM

Hello all,
 
We're looking to implement GlobalProtect for our organization, and I'd like to make sure we follow best practices using certificates for authentication.  The only endpoints we need to account for are Windows and a small number of MacOS, and all machines are owned and controlled by our company (no contractor or BYOD devices).  To simplify things, we'll use the same interface/IP for Portal and Gateway unless there is a reason to separate it.
 
We'd like to use Machine Certs for prelogon.  This will allow devices to get minimal connectivity to specific internal resources before the user logs on.  This is what I'm thinking for the portal configuration:
 
  • Server Auth: SSL/TLS Profile with Cert trusted by Clients
  • Client Auth:
    • LDAP Auth Profile
      • Allow Authentication with User Credentials OR Client Certificate" set to YES - this will allow just the machine cert to authenticate the prelogon user
    • Certificate Profile: Specify the cert profile that references the internal CA that signed the machine cert, Username Filed set to None
  • Agent 1
    • User: pre-logon
    • OS: Windows, Mac
    • External Gateway: External-GW
    • App Config:
      • Connect Method: Pre-logon (Always On)
      • Client Certificate Store Lookup: Machine
  • Agent 2
    • User: any
    • OS: Windows, Mac
    • External Gateway: External-GW
    • App Config:
      • Connect Method: Pre-logon (Always On)
      • Client Certificate Store Lookup: User
 
For the Gateway, we'd like to implement two factor authentication with User Certificate and LDAP.  This is what I'm planning for the gateway auth configuration:
 
  • Server Auth: Same SSL/TLS Profile as portal
  • Client Auth:
    • LDAP Auth Profile
      • Allow Authentication with User Credentials OR Client Certificate" set to NO - force cert and LDAP credentials
    • Certificate Profile: Any reason not to use the same certificate profile as the portal client auth if the same internal CA signed user and machine certs?
 
Is the above config fairly standard for GlobalProtect with machine and user certificates, or are we missing something?
 
One general question I have is how important is it to use both machine certs and user certs in this scenario?  What if I used the machine cert for prelogon and then also used the machine cert for the Gateway Client Authentication rather than User cert?  I know the Machine Cert wouldn't have the username in it, but if we're also requiring LDAP auth for Gateway, LDAP could get the username from SSO.  So is there much security benefit to using Machine Cert and User Cert, or should we simplify and only use Machine Cert?
0 Likes Likes
2 REPLIES 2

Mick_Ball
L7 Applicator

‎10-19-2023 01:22 AM

All looks good to me but not sure why you would also use LDAP with cert auth if incorporating with SSO. The user will obviously need to login to laptop for cert auth to kick in so why forward those “cached” creds as a 2nd factor..

we only use cert auth for pre-logon/client logon but also incorporate bitlocker to laptops as another factor.

 

This is all on the assumption that each of your users have their own personal user cert…. 

 

As for your general question, the client auth will not detect the pre-logon cert in machine store as it has no username associated…

 

HTH.

0 Likes Likes

jrhyman
L0 Member

‎12-09-2024 06:06 AM

I'd like to know if it's possible to use TPM certificates since Windows permits biometrics or pin.  Maybe a combination of simply using a cert for pre-logon network access with Global Access and then a pin with TPM might work. Has anyone tried it? 

 

 

0 Likes Likes
  • 2521 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks