Hello,
My organization is testing out GlobalProtect for Linux and we've quickly realized that the certificates we deploy through SCEP (MS NDES, Certmonger) can be utilized on other systems than whom they were intended for. This opens up for users with root access (dev's) to set up a non company owned/managed devices with GlobalProtect and this prevents us from going live (paying for the license).
So this weekend we were looking at the certificate profile option "Block session if the certificate was not issued to the authenticating device". The documentation says the following about this option
(GlobalProtect only) Select this option if you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint. Otherwise, the firewall allows the sessions. This option applies only to GlobalProtect certificate authentication.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-certificate-man...
... and Host ID for linux is supposedly the Product UUID retrieved from the system DMI table.
So what I'm confused about is what they mean with "serial number attribute" in the subject of the client certificate. To my knowledge that attribute is not available in the subject field.
I've tried a couple of different scenarios, such as setting the CommonName to the UUID but all of my tests has resulted in the error "the certificate is invalid". As soon as I uncheck the setting in the Certificate Profile things start working again, so I'm pretty sure the issue lies within me not understanding the documentation.
Does anyone here have this thing working? All replies are appreciated!
