About MickBall

@Adrian_Jensen , try using the copy of the root CA on it’s own in the cert profile, that’s pretty much what we do… @mkroell1  be careful no to set timeout too low as may cause a reconnect on the occasional packet loss… ... View more

@mkroell1  when this happens… When I switch back to Corp, it just reconnects the tunnel and does not switch back to internal.   select refresh… what happens ??? ... View more

Is that process documented, I use a different approach. Our AD is issuing user certs but we just have a copy of the AD root CA on the palo. Perhaps you should generate a self signed root CA on the palo and then use that to generate a user cert. Only to check that you are setting up cert profiles correctly. Then perhaps compare that user cert with the AD user cert….  ... View more

no, are you using groups or just individual names and are they local users or ldap. ... View more

Hi Adrian,,,,   I am no cert guru but i can answer some of your questions.. 1. No. there is no link between ssl/tls profile and authentication certificate profile.  we have an externally signed cert for ssl/tls and a mixture of AD corp cert and PA self signed for user auth.. 2. not sure..  usually th PA willl determine which cert can be used against what the user is offering..  in one of our cert profiles there is a few different CA's and any user cert generated by them will work..  can't really answer on the dependencies...   3. the username here is not really relevant as long as the user cert was generated by the CA, the profile will then log you in as whatever is in your field.  if you set this to none then commit will fail because your cert is the only auth method. if you set this to none then you must add another auth profile..   how do you generate your  certs and by what method do you distribute them? ... View more

Cert auth works fine for us, seems you are falling at the first hurdle… we have used cert auth since day one and had no issues…   happy to advise if I can…     ... View more

Have you restricted GP to certain users or groups...   the authentication is working but seems the palo cannot find an agent config for them... ... View more

Yes that would be a problem as mentioned in my previous post. You could change DNS to point to a different portal address but that will take time to propagate to users.   you could also use a wildcard certificate and give users the choice of 2 portals. Certificate = *.vpn.test.com, portal 1 = p1.vpn.test.com and portal 2 =p2.vpn.test.com   ... View more

You can just have 1 portal with 2 gateways…. If the portal address is unavailable then the the GP client will used a cached portal from the last known connection. It will then try both gateways and connect to the fastest responder.. ( depending on GW priority setting).  This will of course be an issue if it’s a first time connection as there will be no local cached portal. Is this for load balancing or resilience? ... View more

If you check Monitor/GlobaProtect, does the username in the logs match the username in the agent config?. Perhaps you have added or omitted some domain information in the authentication profile…… ... View more

Yes this is the correct behaviour.  Internal host detection was originally added to determine whether internal or external gateways should be used but has become a convenient way to prevent external gateway connection when connected to the corp lan (By not actually entering any internal gateways). Could you not use cert auth to the portal and MFA to GW when prompted… or select your current app config to “on demand”. ... View more

The policy sequence already kind of does “if then”...   if match policy 1 then do...   if not then next policy...   i would be more granular on your allow as per @SutareMayur  and only allow those intended.. if this is not possible then move your more specific deny policy above the allow... that is why we have policy numbering and the ability to move them up or down...   ... View more

Are you using the username modifier in the auth profile... i only ask as I’m sure this is ignored when using cli.   i would use Monitor/Packet Capture with the ldap server in a filter to see what the palo is sending. It may be adding additional information to the request... ... View more