Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GP Agent Machine Certificate Check

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GP Agent Machine Certificate Check

L1 Bithead

Hello,

 

I am trying to find out more information about a GP portal setting called Machine Certificate Check under Portal Configuration / Agent / Agent Config / Config Selection Criteria / Device Checks. I was hoping to use a machine certificate check outside of the authentication tab to allow or disallow machines based on user/user group, but I can't seem to get it to work. I get a "You are not authorized to connect to GlobalProtect Portal" message. If I set the same certificate profile in the authentication tab, it works just fine when the cert is installed in the machine store. GlobalProtect connects as it should.

 

My question is, what is the difference between setting it in the authentication tab and setting it as a device check? It is using the same certificate profile and same certificate issued by the CA. I would think it should work set in either place.

 

PA-220 running 10.2.4

This is a test portal/gateway configuration I am using.

 

Thanks in advance for any input.

 

Michael

4 REPLIES 4

L7 Applicator

I would say that the authentication tab just allows you to connect to the gateway... the device check will decide which config within the gateway agent setting you would get once authenticated, if you only have 1 config in the agent it would not really be of any use...

 

For user/group membership you will need to look at Device>User Identification>user mapping.

L1 Bithead

Hi, have you managed to solve this issue? Struggling with the same problem...

L1 Bithead

Any idea what is the main idea from the above ( what is the difference between setting it in the authentication tab and setting it as a device check? It is using the same certificate profile and same certificate issued by the CA. I would think it should work set in either place) ?

Dhari

Authentication may be shared for several user groups and with a disabled certificate option. But at the same time you might be needed to have several Agent options with different criteria. My personal case: one GW, single Authentication method without cert, several Agent options for different groups. Some users only need authentication, other users need 2FA with a machine cert.

  • 2608 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!