GlobalProtect machine cert pre-login OR SAML

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect machine cert pre-login OR SAML

L3 Networker

My customer switched from a cloud URL filter to PAN-OS on-prem. For remote users to be filtered, they must be connected to the network in this case via GP. To force those endpoints to always be protected, the VPN must be always-on and ideally users prevented from disabling the client. Without pre-login or cert auth, the endpoint is unprotected until VPN is established. If the user fails to authenticate, the VPN fails and the endpoint is unprotected, so machine-cert based pre-login is mandatory.


Customer also wants to auth users in AzureAD (via SAML) before allowing access to the network, and use the same portal & gateway for external users/devices with limited network access. Ideally pre-logon with machine cert followed by SAML should achieve this, but I can't get it working without requiring the machine cert for all devices incl. external. Those devices should _not_ hold a trusted machine cert and key, otherwise an external device could match a HIP profile for corporate/internal devices and be allowed additional access.


The ideal process...

Corporate device:

Pre-login & GP gateway predefined in reg, machine cert installed

GP authenticates machine to gateway using machine cert pre-login, network access is restricted (user cannot bypass URL filtering controls)

User logs into device

GP re-authenticates user to portal/gateway using SAML

Portal uses presence of machine cert for config selection, sets always-on

User/device combo gets privileged network access


External device:

GP authenticates user to portal/gateway using SAML

Portal uses absence of machine cert for config selection, sets on-demand

User/device combo gets restricted network access


Building blocks:

SAML auth profile for AzureAD

Cert profile with root & issuing CA

Portal referencing auth & cert profiles for client auth (Allow Authentication with User Credentials OR Client Certificate = Yes, because we want to allow endpoints without the cert to login)

1st portal config using same cert profile for config selection criteria & setting connect method always-on (currently testing without pre-login) & tamper protection (don't allow users to disable/uninstall)

2nd portal config with connect method on-demand, only gets matched if machine cert not present and allows external users to disable/uninstall

Gateway referencing auth & cert profiles for client auth (Allow Authentication with User Credentials OR Client Certificate = Yes, because we want to allow endpoints without the cert to login)


On commit, we get a warning that "no username field is configured in certificate profile ", I assume that's because we are using the OR option, and portal/gateway needs to be able to extract a username from a cert if it's either/or? From what we can see the effective result is AND, and only internal devices can connect - external devices are presented with the usual "valid client certificate is required" message as if both the cert and user auth are required. Internal clients are first authenticated by the certificate and subsequently SAML as there's no user associated with the certificate (I assume this is pre-login state?). When we set the Username field in the cert profile, external devices can login (using SAML) however internal device users are not re-authenticated, and I'm assuming this is because the OR operator is working and some ID was extracted from the cert (machine CN). Unfortunately those internal users don't match policy based on group membership because their identity was already extracted from the client cert (machine CN).


IF it was possible for the machine cert to be used for pre-login (no Username field in the cert profile) while also allowing external devices to authenticate without the cert (GP auth OR option) this should work the way we need, ensuring those corporate machines are always connected (pre-login) while allowing external devices to connect on-demand (without the machine cert). Why it's breaking is because PAN-OS needs the Username field defined int he cert profile to support cert OR user creds.


I think all these requirements lead to mutual exclusion without spinning up a new portal & gateway combo per site to support the external users.

  • 0 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!