About MickBall

@Adrian_Jensen , try using the copy of the root CA on it’s own in the cert profile, that’s pretty much what we do… @mkroell1  be careful no to set timeout too low as may cause a reconnect on the occasional packet loss… ... View more

@mkroell1  when this happens… When I switch back to Corp, it just reconnects the tunnel and does not switch back to internal.   select refresh… what happens ??? ... View more

Is that process documented, I use a different approach. Our AD is issuing user certs but we just have a copy of the AD root CA on the palo. Perhaps you should generate a self signed root CA on the palo and then use that to generate a user cert. Only to check that you are setting up cert profiles correctly. Then perhaps compare that user cert with the AD user cert….  ... View more

no, are you using groups or just individual names and are they local users or ldap. ... View more

Hi Adrian,,,,   I am no cert guru but i can answer some of your questions.. 1. No. there is no link between ssl/tls profile and authentication certificate profile.  we have an externally signed cert for ssl/tls and a mixture of AD corp cert and PA self signed for user auth.. 2. not sure..  usually th PA willl determine which cert can be used against what the user is offering..  in one of our cert profiles there is a few different CA's and any user cert generated by them will work..  can't really answer on the dependencies...   3. the username here is not really relevant as long as the user cert was generated by the CA, the profile will then log you in as whatever is in your field.  if you set this to none then commit will fail because your cert is the only auth method. if you set this to none then you must add another auth profile..   how do you generate your  certs and by what method do you distribute them? ... View more