Hi Remo,

Thanks for your feedback and input! "Wait? ... What?" was my exact reaction when I was informed of that by TAC. I also immediately reached out to our SE after the implementation failed and I had got off the phone with TAC. He was stumped as well, and he was under the impression that our implementation strategy would work, just like me.

No advanced use case here; just looking for a certificate that is signed by our internal PKI CA. If the certificate is found, we can safely assume that the endpoint is a domain-joined asset and allow it to connect to the GlobalProtect Gateway. No certificate, no access.

Interestingly enough, when I generate the certificates on the firewall, specify the CA certificate in a certificate profile and test like this, it works as you would expect it to work with our own certificates. So maybe the issue is with our own PKI? Still stumped with this one. TAC did inspect the certificates we were trying to use for this while on the call and determined that they are valid as well. Confused by this.

Thanks,
Troy
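The decision Troy describes (certificate chains to the internal CA: allow; otherwise: deny), written up as an added, self-contained lab check. This is not code from the post or from Palo Alto Networks; it assumes only a POSIX shell and openssl 1.1.1 or newer on PATH, and every CA name and host name in it is invented. It goes one step beyond the single-CA case in the post by issuing the client certificates from an intermediate, the way most internal PKIs do, so it also shows what happens when the CA bundle standing in for the certificate profile holds only the root.

```shell
#!/bin/sh
# Added lab example; not code from the original post or from Palo Alto Networks.
# Assumes only a POSIX shell and openssl (1.1.1 or newer) on PATH. It builds a
# throwaway internal PKI (root -> issuing intermediate -> client certs) and
# applies the two checks a certificate profile effectively applies to the cert
# a GlobalProtect client presents: it must chain to the CAs loaded in the
# profile, and it must carry the clientAuth EKU. Every name below is invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the system openssl.cnf (and its default extensions) is not used.
CNF="$WORK/openssl.cnf"
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash'
CLIENT_EXT='basicConstraints=CA:FALSE
extendedKeyUsage=clientAuth'
NO_EKU_EXT='basicConstraints=CA:FALSE'

make_root() {  # $1 = file prefix, $2 = subject CN
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$CNF" -extensions ca_ext -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

issue() {  # $1 = issuer prefix, $2 = new prefix, $3 = subject CN, $4 = x509v3 extension lines
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    printf '%s\n' "$4" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

make_root root  'Lab Internal Root CA'                        # the internal PKI root
make_root other 'Unrelated Root CA'                           # a CA the profile never trusts
issue root  inter    'Lab Issuing CA'       "$CA_EXT"         # issuing intermediate
issue inter lab-pc01 'lab-pc01.lab.example' "$CLIENT_EXT"     # domain-joined machine cert
issue inter lab-pc02 'lab-pc02.lab.example' "$NO_EKU_EXT"     # right issuer, no clientAuth EKU
issue other rogue    'rogue.example'        "$CLIENT_EXT"     # well-formed cert from the wrong PKI

# Two ways of populating the certificate profile: root only, or root plus intermediate.
PROFILE_ROOT_ONLY="$WORK/profile_root_only.pem"
PROFILE_FULL="$WORK/profile_full.pem"
cp "$WORK/root.pem" "$PROFILE_ROOT_ONLY"
cat "$WORK/root.pem" "$WORK/inter.pem" > "$PROFILE_FULL"

chains_to_profile() {  # $1 = CA bundle in the profile, $2 = client cert; 0 = chain verifies
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

has_client_auth_eku() {  # $1 = client cert; 0 = EKU lists TLS Web Client Authentication
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

gateway_decision() {  # $1 = CA bundle, $2 = client cert; prints ALLOW or DENY
    if chains_to_profile "$1" "$2" && has_client_auth_eku "$2"; then
        echo ALLOW
    else
        echo DENY
    fi
}

for profile in "$PROFILE_ROOT_ONLY" "$PROFILE_FULL"; do
    for cert in lab-pc01 lab-pc02 rogue; do
        printf '%-17s %-9s %s\n' "$(basename "$profile" .pem)" "$cert" \
            "$(gateway_decision "$profile" "$WORK/$cert.pem")"
    done
done
```

Run it as-is; it prints one ALLOW/DENY line per CA bundle and certificate. In this lab, lab-pc01 is allowed only when the bundle contains the intermediate as well as the root; the certificate from another PKI (rogue) and the one without the clientAuth EKU (lab-pc02) are denied either way. The same two openssl commands, pointed at the real client certificate and at the CA certificates actually loaded in the certificate profile, are a quick way to rule the PKI in or out before going back to TAC. Passing here means the certificate and its chain are sound on their own; it does not reproduce the firewall's own profile evaluation (revocation checking and the other profile settings), so that still has to be confirmed on the firewall.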