Global protect authentication


L0 Member

Hello Team,

I have one question about GP remote access.

Currently, I have a GlobalProtect remote access VPN running in production.

GlobalProtect client > when clients connect to the published gateway address on the PA,

the client is required to meet the requirements below in order to connect to the VPN successfully:

1- have a valid user/pwd 

2- have a valid certificate installed on the laptop  (certificate generated by PA FW)


New requirement:

I want a specific user or group to connect to GlobalProtect without the certificate check,

and other groups should still be required to have a valid user/pwd plus a certificate in order to connect to the remote VPN.


Can Palo Alto do this with the requirements above? If so, is there a document link on how to do this?


I would appreciate a reply.


L3 Networker



I believe you could use device checks as a config selection criteria which would match a certificate to a GP config. See 'Device Checks' > 'Certificate Profile' here:

GlobalProtect Portals Agent Config Selection Criteria Tab


So you could have it like this for example:


Config 1:

  • Group cn=no_cert matches this config
  • No Device Check


Config 2:

  • Group cn=cert_needed matches this config
  • Device check cert profile


Users in group no_cert would match config 1 whether they have a cert or not.

Users in group cert_needed would match config 2, but only if they have a cert. Users without a cert won't match this config, and if you have no other configs they can match, they can't connect due to no config found.


There is a caveat. Auth override cookies don't work with this config, which will be seen upon commit:

Authentication Override and Config Seletcion Criteria -> Device Checks/Custom Checks are both configured, Authentication Override will be disabled.


You can then remove the cert profile from the authentication tab if pre-logon is not needed. If it's needed, you need to set the Allow Authentication with User Credentials OR Client Certificate option to Yes (User Credentials OR Client Certificate Required). This would allow the pre-logon user to auth with a certificate, but the user can bypass it if they have valid credentials, and the cert will be checked using the config selection criteria mentioned above.


2nd possible option is to use no cert profile on the Portal, and then have 2 gateways configured - 1 with a cert profile and 1 without it. Use config selection criteria to direct users in certain groups to either gateway 1 which needs a cert, or 2 which doesn't.


- DM

Sr. Technical Support Engineer, Strata
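
An added example, not part of the reply above and not PAN-OS code: a simplified Python model of the agent config selection the reply describes, assuming configs are evaluated top to bottom and the first match wins. The class names, function names and sample directory are hypothetical; it goes slightly beyond the reply by flagging users who sit in both groups and would therefore receive a config without a certificate.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AgentConfig:
    name: str
    group: str            # user group that selects this config
    require_cert: bool    # True = device check against a certificate profile

@dataclass(frozen=True)
class Client:
    user: str
    groups: frozenset
    has_valid_cert: bool  # certificate that validates against the profile

# The two configs from the reply, in the order listed there.
CONFIGS = [
    AgentConfig("Config 1", "no_cert", require_cert=False),
    AgentConfig("Config 2", "cert_needed", require_cert=True),
]

def select_config(client, configs=CONFIGS) -> Optional[str]:
    """Return the first config whose group and device check both match."""
    for cfg in configs:
        if cfg.group not in client.groups:
            continue
        if cfg.require_cert and not client.has_valid_cert:
            continue
        return cfg.name
    return None  # "no config found": the client cannot connect

def cert_bypass_users(directory, configs=CONFIGS):
    """Users in a cert-required group who still get a config without a cert."""
    flagged = []
    for user, groups in directory.items():
        needs_cert = any(c.require_cert and c.group in groups for c in configs)
        probe = Client(user, frozenset(groups), has_valid_cert=False)
        if needs_cert and select_config(probe, configs) is not None:
            flagged.append(user)
    return sorted(flagged)

# Constructed sample directory (assumption, not from the thread).
DIRECTORY = {
    "alice": {"no_cert"},
    "bob": {"cert_needed"},
    "carol": {"cert_needed", "no_cert"},  # overlapping membership
}
```

Running `cert_bypass_users` over an export of real group memberships is a quick audit that the two groups are kept disjoint, since reordering the configs does not close the gap for a user in both.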