Didn't mean to "me too" your post!

@BPry wrote: "If you have spare lab equipment I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and see what Palo Alto has on the roadmap."

Do you know offhand how I would sign up for the beta program?

Thanks!
Troy
Hi Remo,

Thanks for your feedback and input! "Wait? ... What?" was my exact reaction when I was informed of that by TAC. I also immediately reached out to our SE after the implementation failed and I got off the phone with TAC. He was stumped as well, and he was under the impression our implementation strategy would work, just like me. No advanced use case here; we are simply looking for a certificate that is signed by our internal PKI CA. If the certificate is found, we can safely assume that the endpoint is a domain-joined asset and allow it to connect to the GlobalProtect Gateway. No certificate, no access.

Interestingly enough, when I generate the certificates on the firewall, specify the CA certificate in a certificate profile and test like this, it works as you would expect it to work with our own certificates. So maybe the issue is with our own PKI? Still stumped on this one. TAC also inspected the certificates we were trying to use while on the call and determined they are valid. Confused on this.

Thanks,
Troy
For some background: we recently implemented a data protection strategy within our organization and would like to restrict the GlobalProtect remote access VPN service to domain-joined laptops only. Since all endpoints within our environment receive a machine certificate signed by our internal PKI Root CA, we wanted to leverage those certificates to validate domain membership. I have our Trusted Root CA certificate (and key) imported on the firewall and used it in a Certificate Profile.

After a failed implementation and a 4-hour support call with Palo Alto, TAC determined that either A) the certificates need to be generated on the firewall, or B) the machine certificates (all of them) need to be imported into the firewall. For obvious reasons, managing all of our domain's machine certificates for external laptops on the firewall is not feasible. We explored implementing a SCEP server in the past, but had nothing but issues. This leaves us with generating the Root CA and a generic machine certificate on the firewall and then having to deploy those to all the endpoints, rather than using existing certificates that are machine-specific.

It would be helpful if Palo Alto leveraged the benefits of PKI and a chain of trust and only required the Root CA certificate to be on the firewall, approving any certificate signed by it.
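The chain-of-trust check the post above asks for, written out as an added example (editor's illustration in Python with the `cryptography` library, assumed installed; it is not PAN-OS code and not anything posted in the thread). The lab PKI it builds is constructed: an offline root, a subordinate issuing CA, a machine certificate, an expired one, and an unrelated CA. The two-tier layout is an assumption about how an internal PKI is commonly deployed, not something the thread states, but it is exactly the case where "only the Root CA on the verifier" is not enough: a relying party that holds the root alone cannot validate a leaf issued by a subordinate CA, because nothing it trusts has signed that leaf. Every intermediate has to be present on the verifier (or sent by the client) for the walk to reach the root.

```python
"""Chain-of-trust check for a client (machine) certificate.

Added illustration using the `cryptography` library (assumed installed);
not PAN-OS code.  The PKI below is constructed lab data.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed clock so the example is reproducible (assumption, not a real date).
NOW = datetime.datetime(2024, 6, 1, tzinfo=datetime.timezone.utc)


def make_key():
    # ECDSA P-256 keeps the lab fast; an RSA PKI would need PKCS1v15 padding in _signed_by.
    return ec.generate_private_key(ec.SECP256R1())


def make_cert(cn, key, issuer_cert, issuer_key, is_ca, not_after=None):
    """Issue a certificate for `key`; issuer_cert=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(not_after or NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def _cn(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases are naive UTC.
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _signed_by(cert, issuer):
    """True when the names link and `issuer`'s key produced `cert`'s signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
    except InvalidSignature:
        return False
    return True


def chains_to_trusted_root(leaf, intermediates, trusted_roots, now=NOW, max_depth=5):
    """Walk upward from `leaf` through `intermediates` until a trusted root has
    signed the current certificate.  Returns (ok, explanation)."""
    path = [_cn(leaf.subject)]
    current, pool = leaf, list(intermediates)
    for _ in range(max_depth):
        nb, na = _validity(current)
        if not nb <= now <= na:
            return False, f"{_cn(current.subject)} not valid at {now.date()}"
        for root in trusted_roots:
            if _is_ca(root) and _signed_by(current, root):
                path.append(_cn(root.subject))
                return True, " -> ".join(path)
        issuer = next((c for c in pool if _is_ca(c) and _signed_by(current, c)), None)
        if issuer is None:
            return False, f"no trusted issuer for {_cn(current.subject)} (issuer CN {_cn(current.issuer)!r})"
        pool.remove(issuer)  # each intermediate may be used once; stops loops
        path.append(_cn(issuer.subject))
        current = issuer
    return False, f"chain longer than {max_depth}"


# Constructed lab PKI: offline root -> issuing CA -> machine certs, plus an unrelated CA.
ROOT_KEY = make_key()
ROOT = make_cert("Corp Root CA", ROOT_KEY, None, ROOT_KEY, True)
ISSUING_KEY = make_key()
ISSUING = make_cert("Corp Issuing CA", ISSUING_KEY, ROOT, ROOT_KEY, True)
LAPTOP = make_cert("laptop01.corp.example", make_key(), ISSUING, ISSUING_KEY, False)
EXPIRED = make_cert("laptop02.corp.example", make_key(), ISSUING, ISSUING_KEY, False,
                    not_after=NOW - datetime.timedelta(hours=1))
ROGUE_KEY = make_key()
ROGUE_CA = make_cert("Somebody Else's CA", ROGUE_KEY, None, ROGUE_KEY, True)
STRANGER = make_cert("byod-tablet", make_key(), ROGUE_CA, ROGUE_KEY, False)

if __name__ == "__main__":
    cases = [
        ("root + issuing CA on verifier", LAPTOP, [ISSUING]),
        ("root only on verifier", LAPTOP, []),
        ("expired machine cert", EXPIRED, [ISSUING]),
        ("cert from an unrelated CA", STRANGER, [ISSUING]),
    ]
    for label, leaf, inters in cases:
        print(f"{label}: {chains_to_trusted_root(leaf, inters, [ROOT])}")
```

Run it as a script and the second case is the interesting one: the same laptop certificate that validates when the issuing CA is available fails with "no trusted issuer" when the verifier holds only the root, even though the root is the ultimate signer. When a certificate profile on any device only carries the root, check whether the machine certificates are issued directly by that root or by a subordinate CA whose certificate also has to be present.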