Moving from GP to Prisma Access - Prisma prompts client to choose a certificate.


L1 Bithead

We are trying to replicate our on-prem GP setup on Prisma, since we are migrating to that.

 

The issue is when we try to connect to Prisma portal, the user gets asked to verify the certificate.

However, the same setup exists for on-prem GlobalProtect and the certificate prompt does not happen.

 

I have tried various techniques with PA Prof. Services and an active TAC case.

 

I am using GP 6.2.2.

 

EDIT

--------

Resolved. The issue was under Windows Internet settings. We had <domain.com> as a trusted site, but we also had to add prisma.domain.com through the registry for it to get resolved.
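The per-user Internet zone mapping that the resolution above refers to lives under the ZoneMap\Domains registry keys. The following PowerShell is an added example, not from the thread or from Palo Alto Networks: it reports the zone currently mapped for the parent domain and for the portal host, and adds the portal host to Trusted sites (zone 2) if it is missing. The host names domain.com and prisma.domain.com are placeholders.

```powershell
# Added example (not from the thread): inspect and set the per-user Windows Internet zone mapping.
# Placeholder hosts: replace 'domain.com' / 'prisma.domain.com' with your own portal names.
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapKeyPath {
    # prisma.domain.com -> <root>\domain.com\prisma ; domain.com -> <root>\domain.com
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domain = $labels[-2..-1] -join '.'
    $path = Join-Path $ZoneMapRoot $domain
    if ($labels.Count -gt 2) {
        $sub = $labels[0..($labels.Count - 3)] -join '.'
        $path = Join-Path $path $sub
    }
    return $path
}

function Get-HostZone {
    # Returns the zone id mapped for the host/scheme, or $null if there is no per-user mapping.
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $path = Get-ZoneMapKeyPath $HostName
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $Scheme -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Scheme
}

function Set-HostTrusted {
    # Maps the host's scheme to zone 2 (Trusted sites), creating the key if it does not exist.
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $path = Get-ZoneMapKeyPath $HostName
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Scheme -PropertyType DWord -Value 2 -Force | Out-Null
}

# Report the current mapping for the parent domain and the portal host, then add the portal host
# if it is not already in Trusted sites. A parent-domain entry does not prove the portal host is mapped.
foreach ($h in 'domain.com', 'prisma.domain.com') {
    $zone = Get-HostZone $h
    $label = if ($null -eq $zone) { 'no per-user mapping' } else { "zone $zone ($($ZoneNames[$zone]))" }
    Write-Host "$h : $label"
}
if ((Get-HostZone 'prisma.domain.com') -ne 2) {
    Set-HostTrusted 'prisma.domain.com'
    Write-Host 'Added prisma.domain.com (https) to Trusted sites; reconnect GlobalProtect to re-check.'
}
```

Only the current user's ZoneMap is inspected here; site-to-zone assignments pushed by Group Policy are stored under the machine Policies hive and would need a separate check.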

 


8 REPLIES

Cyber Elite

In the portal/gateway authentication tab, is the "Allow Authentication with User Credentials OR Client Certificate" option set to 'no'?

Try setting that to yes (or remove the Certificate Profile).

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

We want both user and certificate authentication. That is the point. We want the user to authenticate on the corporate machines.

 

L2 Linker

Hello @N.Nicolaides , do you have a copy of the server certificate imported and pushed to your Prisma Access MU SPN and not just to your on-premise firewall?

L1 Bithead

Hello,

If by MU SPN you mean the cloud based Prisma firewall configuration, then yes, the certificate is the same as the on-prem ones.

We are using certificate and user authentication. If Prisma did not have the root CAs installed, it would not have logged in at all, correct?

 

We seem to be getting an issue similar to this.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBVpCAO

 

 

Hi @Vickynet , apologies, my writing looks a bit blunt and rude, I assure you it was not my intention.

 

L2 Linker

Hello @N.Nicolaides, not a problem at all and thank you for getting back to me. I reviewed the knowledge base article you referenced; that may also be related. Did you try out what was suggested in the article? I would love to know the outcome.

 

Thank you,

L1 Bithead

Hello, yes, that was the first thing we tried.

But the issue is that:

- We are using the same certificates as on-prem.

- The Prisma configuration is identical with the one on-prem, since they are both being managed by our Panorama.

- The GP client is the same version.

- The "Confirm certificate" popup only appears when we try to connect to Prisma.

 

Therefore, we can deduce that:

- The VPN client is not the issue because we are using the same version and app.

- Configuration is not the issue since it is the same.

- The certificates are identical.

 

I guess the only difference is that on-prem is connected to our local AD, whereas Prisma is on Azure. Could that be the issue?

 

L2 Linker

Hello @N.Nicolaides, everything looks right based on the procedures you itemized in your previous notes. I don't really believe using Azure AD for Prisma should cause this behavior either. Do you want to try the Palo Alto TAC support team so they can have a deeper look at your settings and narrow down the root cause of the issue? I am looking for more info on my side as well in the meantime, in case there is anything else you may need to pay attention to.

  • 1 accepted solution
  • 3753 Views
  • 8 replies
  • 0 Likes