03-27-2024 09:01 AM - edited 04-04-2024 05:41 AM
We are trying to replicate our on-prem GP setup on Prisma, since we are migrating to that.
The issue is when we try to connect to Prisma portal, the user gets asked to verify the certificate.
However, the same setup exists for on-prem GlobalProtect and the certificate prompt does not happen.
I have tried various techniques with PA Prof. Services and an active TAC case.
I am using GP 6.2.2.
EDIT
--------
Resolved. The issue was under Windows Internet settings. We had the <domain.com> as a trusted site, but we also had to add prisma.domain.com through the registry for it to get resolved.
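The registry change from the resolution above, written out as an added example in PowerShell (not from the original post). It assumes the thread's placeholder names (domain.com, portal host prisma.domain.com), a per-user HKCU change rather than a GPO-managed one, and the standard zone number 2 for "Trusted sites".

```powershell
# Added example, not from the thread: map one GlobalProtect portal host into the
# Windows "Trusted sites" zone via the registry, verify it, and audit what else is mapped.
# Assumptions: domain.com / prisma.domain.com are the thread's placeholders (replace them),
# the change is per-user (HKCU), and only the https scheme needs to be mapped.
# On managed fleets the equivalent is the "Site to Zone Assignment List" group policy.
$Domain    = 'domain.com'   # placeholder from the thread
$HostLabel = 'prisma'       # host label of the portal, i.e. prisma.domain.com
$Zone      = 2              # 0=My Computer 1=Local intranet 2=Trusted sites 3=Internet 4=Restricted
$Fqdn      = '{0}.{1}' -f $HostLabel, $Domain

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
# Scope the entry to the single portal host (Domains\domain.com\prisma),
# not to the whole domain (Domains\domain.com), so only that host gets the relaxed zone.
$key = Join-Path (Join-Path $base $Domain) $HostLabel

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $Zone -Force | Out-Null

# Verify the value actually landed before re-testing the GlobalProtect connection
$actual = (Get-ItemProperty -Path $key -Name 'https').https
if ($actual -eq $Zone) {
    Write-Output "https://$Fqdn is now in zone $Zone (Trusted sites)"
} else {
    Write-Error "Unexpected zone value '$actual' for https://$Fqdn"
}

# Audit: list every host or domain currently mapped into a zone, so over-broad
# entries (whole domains, or '*' applying to all schemes) are easy to spot.
Get-ChildItem -Path $base -Recurse | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $name  = $_.PSPath -replace '.*\\Domains\\', ''
    foreach ($scheme in @('http', 'https', '*')) {
        if ($null -ne $props.$scheme) {
            '{0,-40} {1,-5} zone={2}' -f $name, $scheme, $props.$scheme
        }
    }
}
```

The audit loop is worth running on its own after the fix: an entry on `Domains\domain.com` rather than `Domains\domain.com\prisma` places every host in that domain into the Trusted sites zone.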
03-28-2024 03:02 AM
In the portal/gateway authentication tab, is "Allow Authentication with User Credentials OR Client Certificate" set to 'No'?
Try setting that to 'Yes' (or remove the Certificate Profile).
03-28-2024 04:07 AM
We want both user and certificate authentication. That is the point. We want the user to authenticate on the corporate machines.
03-28-2024 02:00 PM
Hello @N.Nicolaides , do you have a copy of the server certificate imported and pushed to your Prisma Access MU SPN and not just to your on-premise firewall?
03-30-2024 02:49 PM
Hello,
If by MU SPN you mean the cloud based Prisma firewall configuration, then yes, the certificate is the same as the on-prem ones.
We are using certificate and user authentication. If Prisma did not have the root CAs installed, it would not have logged in at all, correct?
We seem to be getting an issue similar to this.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBVpCAO
03-31-2024 04:21 AM
Hi @Vickynet , apologies, my writing looks a bit blunt and rude, I assure you it was not my intention.
04-01-2024 02:46 PM
Hello @N.Nicolaides, not a problem at all, and thank you for getting back to me. I reviewed the knowledge base article you referenced; that may also be related. Did you try out what was suggested in the article? I would love to know the outcome.
Thank you,
04-02-2024 01:13 AM
Hello, yes, that was the first thing we tried.
But the issue is that:
- We are using the same certificates as on-prem.
- The Prisma configuration is identical with the one on-prem, since they are both being managed by our Panorama.
- The GP client is the same version.
- The "Confirm certificate" popup only appears when we try to connect to Prisma.
Therefore, if we deduce that:
- The VPN client is not the issue because we are using the same version and app.
- Configuration is not the issue since it is the same.
- The certificates are identical.
I guess the only difference is that on-prem is connected to our local AD, whereas Prisma is on Azure. Could that be the issue?
04-02-2024 09:58 PM
Hello @N.Nicolaides, everything looks right based on the procedures you itemized in your previous notes. I don't really believe using Azure AD for Prisma should cause this behavior either. Do you want to try the Palo Alto TAC support team so they can have a deeper look at your settings and see if they can narrow down the root cause of the issue? In the meantime I am looking for more info on my side as well, in case there is something you may need to pay attention to.