Host certificate check HIP objects configuration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Host certificate check HIP objects configuration

L0 Member

we are planning to configure certificate check HIP object  and authentication based on that. we are not getting any clear picture in online or palo alto portal. please help up to provide resource...

5 REPLIES 5

Cyber Elite
Cyber Elite

Hi @ngd-netsec ,

 

You can configure GlobalProtect to authenticate the client with a certificate and/or username/password.  You do not have to configure HIP checks.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIICA0

 

You can also Google "globalprotect client certificate authentication" and you will find more docs and videos.

 

I have configured GP certificate authentication for a few of my customers, and it is easy once you get the hang of it.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hey @TomYoung,

 

When you configure CBA for customers, do you use a second factor i.e., SAML/MFA? or CBA is the only factor? 

Cyber Elite
Cyber Elite

Hi @FranklinV ,

 

Under the Client Authentication config, you can choose certificate only or certificate and username/password.  The username/password can reference many Authentication Profile types including SAML.  MFA can be built into many authentication methods.

 

Thanks,

 

Tom

 

TomYoung_0-1693793520839.png

 

 

 

Help the community: Like helpful comments and mark solutions.

@TomYoung thanks! I am familiar with this setting. Was just curious to know if others are okay with a single factor (CBA only). 

 

BTW - would you know if when CBA and username/password are configured with SAML (+built in MFA) as the second factor, would users receive the SAML prompt for the second factor (username/password) or the MFA prompt? 

 

As an example: First factor is certificate, Second factor MFA (no username/password). 

Cyber Elite
Cyber Elite

Hi @FranklinV ,

 

Got it!  I understand your question now.  I do not configure Certificate Based Authentication only.  It is recommended to use 2FA for GlobalProtect (RA VPN) because if you use one factor and it is compromised, then threats have access to your network.  RA VPN is a commonly exploited means of gaining access.

 

With regard to SAML+MFA without a u/p prompt, I know the portal can be configured to accept authentication cookies, but I have never configured it or seen it on the 1st login.  GP also can use HW/SW tokens, although I have not seen a lot of documentation on it.

 

Another possibility is to use RADIUS/EAP-TLS and have the RADIUS server extract the username from the certificate and communicate with the MFA software. 

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1728 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!