Hi Leo_yuanyang,

Try checking these articles:

Set up 2FA (client certificate)
https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/set-up-two-factor-authentication#61604

Set up client certificate authentication
https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/set-up-client-certificate-authentication#17347

You'll need an auth profile based on your LDAP server (or alternative) and a certificate profile that has your client certificates & root CA in it. In the user name field of your certificate profile, select the appropriate value of where you have configured the username to be in your certificates.

When your user tries to authenticate, they will present their client certificate for authorisation, and if the username in the configured certificate value matches what your LDAP/auth profile service is expecting, then you will be authenticated. Just make sure your certificate profile is applied to your GP components.

Hope this helps,
Ben