02-25-2024 12:57 AM
Hi,
A few of my users have not connected to GP (and to AD) for an extended period of time and their computer certificates have expired.
They are remote, so coming to the office would be problematic - continent-size problematic 🙂
I was under the impression that when I change the Authentication profile from "Require username AND device cert" to "Require username OR device cert", I would be able to allow them to connect - that way their comp cert would renew and they'd be OK going forward.
But I was wrong, the GP client was not willing to connect. I know there is a way, as the previous Manager was allowing it through, but at that time I was not working on Palos, so I am not sure what else I need to amend to make it happen.
02-26-2024 06:05 AM
Did you change this setting on both the portal AND the gateway? Make sure you're allowing it on both for those users to be able to connect.
02-27-2024 10:04 AM
Hi,
I have today. I have also, as per another suggestion I saw somewhere, removed the cert profile from the portal - nothing worked. It did, though, show me the MFA prompt for the user for one second, but in the end it refused to connect anyway, with the same "Client certificate not found" message.
Logging a call with my Palo support company for it, but any other suggestions are welcome.
Is there any way I can generate a machine cert on my CA and install it on the remote computer? The problem is that I use a specific template for it and I am unsure if it would work if the problematic machine has no access to the internal CA.
Any other way of generating maybe a self-signed cert on the Palo firewall (or Panorama) to allow it through?
02-28-2024 05:51 AM
Have you checked the certificate profile to see if any options here are ticked?
02-28-2024 06:03 AM
Can you not email a new certificate to the user's device, or do they have no connection without GlobalProtect?
07-07-2024 12:37 AM
Hi, just realised I have not posted how we dealt with it, so just as closure:
We decided the easiest way would be to remove the cert from the authentication requirements for the brief moments when we have that issue, so we set "user credentials OR device cert required", allowed the user to log in, then recreated the cert once the user was in.
After that I just changed that back to "creds AND cert required". A few minutes of lowered protection, but it solved that problem just fine.