Now the requirement is that, in addition to credentials, a certificate check on the client machine has to be made. And the certificate has to be a machine certificate issued by the newly created Internal CA.
So does the PA also need to have a new server certificate signed by the Internal CA?
Nope. When you configure the certificate profile for authentication, you'll need to have the root and intermediate (if applicable) certificates loaded onto the firewall so it can validate the machine certificate, but the firewall itself doesn't need to have any additional certificate generated for it or anything like that.
If you configure SCEP that changes things a bit, but since we're talking about machine certificates I don't think this is applicable in your deployment.
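As an added example (not code from this thread or from Palo Alto Networks), the following shell script uses openssl to build a throwaway Internal CA chain and shows the point made above from the validating side: with the root and intermediate loaded the machine certificate is accepted, with the intermediate missing the chain cannot be built, and a certificate issued by a separate external CA is rejected. Here `openssl verify` stands in for the firewall's certificate profile; the CA names, hostnames, file names and 30-day lifetime are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Palo Alto Networks: a throwaway
# Internal CA chain built with openssl, so the trust material a validating
# side needs can be checked by hand. All subject names, file names and the
# 30-day lifetime are constructed for this demo.
set -e

WORK=""

# Issue a key and certificate. $1 = file name, $2 = subject, $3 = extension
# file, $4 = issuer certificate (empty for self-signed), $5 = issuer key.
issue_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -out "$WORK/$1.pem" -days 30 -sha256 -extfile "$3" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
      -out "$WORK/$1.pem" -days 30 -sha256 -extfile "$3" 2>/dev/null
  fi
}

# Build two PKIs in a fresh temp dir: the internal chain and an unrelated
# external CA (standing in for the public CA behind the wildcard cert).
build_chain() {
  WORK=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

  # Internal PKI: root -> issuing intermediate -> machine certificate
  issue_cert root "/CN=Internal-Root-CA" "$WORK/ca.ext"
  issue_cert int  "/CN=Internal-Issuing-CA" "$WORK/ca.ext" "$WORK/root.pem" "$WORK/root.key"
  issue_cert host "/CN=host01.corp.example" "$WORK/leaf.ext" "$WORK/int.pem" "$WORK/int.key"

  # External PKI: a different root that issues a look-alike machine cert
  issue_cert extca "/CN=External-Public-CA" "$WORK/ca.ext"
  issue_cert exthost "/CN=host02.corp.example" "$WORK/leaf.ext" "$WORK/extca.pem" "$WORK/extca.key"
}

# Returns 0 when the certificate chains to the given trust anchor.
# $1 = certificate to check, $2 = trusted root file, $3 = optional untrusted
# intermediate. System trust stores are disabled so only $2 counts, which is
# how a certificate profile that lists specific CAs behaves.
verify_cert() {
  if [ -n "$3" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Runs the three checks; returns 0 only if all behave as expected.
run_demo() {
  build_chain
  rc=0
  # 1. Root and intermediate loaded: the machine certificate is accepted.
  verify_cert "$WORK/host.pem" "$WORK/root.pem" "$WORK/int.pem" || rc=1
  # 2. Root only: the chain cannot be built, so the certificate is rejected.
  if verify_cert "$WORK/host.pem" "$WORK/root.pem"; then rc=1; fi
  # 3. Certificate from the external CA: rejected by the internal trust anchor.
  if verify_cert "$WORK/exthost.pem" "$WORK/root.pem" "$WORK/int.pem"; then rc=1; fi
  rm -rf "$WORK"
  return $rc
}

if run_demo; then
  echo "OK: machine cert accepted only with root+intermediate loaded; external CA cert rejected"
else
  echo "FAILED: chain checks did not behave as expected" >&2
  exit 1
fi
```

Check 2 is the one that bites in practice: if only the root is imported into the certificate profile and the issuing intermediate is left out, every machine certificate fails validation even though it is genuinely from the internal PKI.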
Because it already has a wildcard signed by an external CA, so can we have multiple server certificates?
Not sure what you are asking here. You don't need to change the portal certificate whatsoever. The certificate you are using in the portal configuration under the SSL/TLS service profile doesn't have anything to do with machine certificate authentication.
Also, does GP support a machine certificate on the client machine, or does it have to be a user certificate?
Yes. In your Agent configuration you'll want to modify the 'Client Certificate Store Lookup' option to Machine instead of its default, which looks at the machine and user store.
From my view, the certificate on GP and the client should be from both CAs, and if we replace the wildcard will there be a service disruption?
Again, the certificate that you place on the Portal under the SSL/TLS service profile really doesn't come into play at all when you set up client certificate authentication as an option. You can leave this as the wildcard certificate if you want, or you can generate a new internal certificate and switch them out. From a functionality standpoint it doesn't matter.
If you do change out the certificate, the client will simply reconnect when the certificate is modified, so it really doesn't cause any major outage or anything, but I would still do it during a maintenance window because you will see that reconnect event the next time the agent checks in with the gateway. As long as you properly update the certificate and update the portal and gateway as needed, you won't see an actual outage.