Globalprotect - machine/device cert for Portal and Gateway "certificate profiles" - how to best distribute


L1 Bithead

I have successfully configured a working POC for exactly how I want our users to connect to Globalprotect.


We have a SAML authentication profile configured for both the Portal and Gateway, each with the same certificate profile configured.


I created the "machinecert" using the firewall as a CA and manually installed the cert.


When it comes time to mass deploy the cert, I'm unsure of which method to choose as I don't know all the pros/cons. It should suffice to simply use a GPO and install the machinecert on all PCs.


But it also seems like it may be a better idea to use the Windows CA server we already have. For SSL decryption we used that server to create a subordinate CA, and when we imported that certificate to the Palo Alto we were then able to use a certificate signed by the subordinate CA, and it was inherently trusted by all of our Windows PCs since they were part of the domain. This way, we didn't need to push out any kind of certificate.


So my question is if I can also use the Windows CA server in a similar way to be used for the certificate profile? If yes, I have not come across a guide specific to this. 


L0 Member


Yes, you can use your Windows CA server for GlobalProtect certificates. To do this, create a certificate template on your Windows CA for machine certificates, then use Group Policy to auto-enroll these certificates to all relevant PCs. Export the subordinate CA certificate from your Windows CA and import it into your Palo Alto firewall as a trusted root CA. Configure the certificate profile on the GlobalProtect portal and gateway to use the certificates signed by the Windows CA. This method leverages existing trust within your domain and simplifies certificate deployment.

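The answer above describes the client-side half of the procedure (auto-enroll a machine certificate from the Windows CA, then hand the issuing chain to the firewall). The following PowerShell script is an added example, not code from the thread or from Palo Alto Networks: run on a domain-joined PC, it checks whether an auto-enrolled machine certificate from the subordinate CA is present in the Local Computer store with a private key and the Client Authentication EKU that the GlobalProtect certificate profile needs, and it exports every CA certificate in that machine certificate's chain as Base64 PEM files for import on the firewall. The issuing CA name `CORP-SubCA` and the export directory `C:\Temp` are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original thread. Assumptions: the Windows
# subordinate CA's subject CN is 'CORP-SubCA' (hypothetical) and exports go
# to C:\Temp. Run in an elevated PowerShell on a domain-joined workstation.
$IssuerCN   = 'CORP-SubCA'              # hypothetical issuing CA name
$ExportDir  = 'C:\Temp'
$ClientAuth = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth EKU OID

# 1. Locate machine certificates issued by the sub CA that still have a private
#    key. GlobalProtect looks for the machine cert in the Local Computer store.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "CN=$IssuerCN*" -and $_.HasPrivateKey }

if (-not $certs) {
    # Nothing enrolled yet: a computer-scope policy refresh triggers machine
    # auto-enrollment against the published template.
    Write-Warning "No machine cert from $IssuerCN found; triggering auto-enrollment."
    gpupdate /target:computer /force | Out-Null
    return
}

# 2. Confirm each candidate carries the Client Authentication EKU and is not
#    expired; the certificate profile on the portal/gateway will reject a
#    certificate that fails either check.
foreach ($c in $certs) {
    $hasClientAuth = $c.EnhancedKeyUsageList.ObjectId -contains $ClientAuth
    $notExpired    = $c.NotAfter -gt (Get-Date)
    '{0}  Subject={1}  ClientAuth={2}  NotExpired={3}  Expires={4:u}' -f `
        $c.Thumbprint, $c.Subject, $hasClientAuth, $notExpired, $c.NotAfter
}

# 3. Build the chain for the first usable cert and export every CA in it
#    (subordinate and root) as PEM. Both CA certs are needed on the firewall:
#    a profile that only trusts the sub CA cannot complete the chain.
$leaf = $certs | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuth -and $_.NotAfter -gt (Get-Date)
} | Select-Object -First 1
if (-not $leaf) { throw 'No usable machine certificate (EKU or validity check failed).' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only need the chain shape here
$null = $chain.Build($leaf)

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {   # skip the leaf
    $ca   = $_.Certificate
    $pem  = "-----BEGIN CERTIFICATE-----`r`n" +
            [Convert]::ToBase64String($ca.RawData, 'InsertLineBreaks') +
            "`r`n-----END CERTIFICATE-----"
    $name = $ca.GetNameInfo('SimpleName', $false) -replace '[^\w\-]', '_'
    $path = Join-Path $ExportDir "$name.cer"
    Set-Content -Path $path -Value $pem -Encoding Ascii
    "Exported CA '$($ca.Subject)' -> $path"
}
```

The exported `.cer` files are what you import on the firewall (certificate only, no private key) before adding them to the certificate profile used by the portal and gateway; the subordinate CA alone is not enough if the firewall cannot chain it to the root. Because the script runs under the computer context, it reflects exactly what GlobalProtect will see, so a PC that prints `ClientAuth=False` or exports nothing is a template or auto-enrollment problem, not a firewall problem.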