This document describes the basics of configuring certificates in a GlobalProtect setup. Please note that there can be other ways to deploy certificates for GlobalProtect which are not covered in this document.

A. SSL/TLS service profile - Specifies the portal/gateway server cert; every portal/gateway needs one.
B. Certificate profile (if any) - Used by the portal/gateway to request a client/machine certificate.

SSL/TLS service profile (Location: Device > Certificate Management > SSL/TLS Service Profile)
- Certificate - Reference the server cert from step 3 of the server cert generation steps below. If the portal/gateway can be reached both at an FQDN and at an IP such as 1.1.1.1, and the certificate references only the FQDN, then users 'must' connect using the FQDN instead of '1.1.1.1'.
- Protocol Settings - Select the minimum and maximum SSL/TLS versions for the TLS session between client and server (on current deployments the minimum should be no lower than TLSv1.2).
- Reference this SSL/TLS profile in the portal/gateway as needed.

If the server cert needs to be generated on the Palo Alto Networks firewall:
1. Generate a root cert with a common name of any unique value (other than the IP or FQDN of the portal/gateway). (Location: Device > Certificate Management > Certificates, click Generate at the bottom of the screen)
2. (optional) Generate an intermediate cert signed by the above root cert. Specify its common name as any unique value (other than the IP or FQDN of the portal/gateway).
3. Generate a server cert signed by the above intermediate cert (or directly by the root cert if step 2 was skipped).
   A. This cert's common name 'must' match the portal/gateway's IP or FQDN if the cert has no subject alternative name (SAN). On PAN firewalls, a SAN can be created under the optional 'Certificate Attributes' using the types 'hostname', 'IP' or 'email'.
   B. If a SAN exists with at least one entry, then the IP or FQDN being used for the portal/gateway 'must' be present in that SAN list (when a SAN is present, the common name is not consulted for name matching).

Certificate profile (Location: Device > Certificate Management > Certificate Profile)
A certificate profile specifies a list of CAs and intermediate CAs. When this certificate profile is applied to the config, the portal/gateway sends a client certificate request to the client, asking for a client/machine cert signed by a CA/intermediate CA listed in the cert profile. It is recommended to place both the root and the intermediate CA in this profile instead of just the root CA; otherwise a client cert issued by the intermediate cannot be chained to a listed CA unless the client also presents the intermediate. A client certificate here refers to a user cert; it can be used with the 'user-logon' and 'on-demand' connect methods.
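The following is an added example, not part of the original article and not Palo Alto Networks code: it reproduces the root > intermediate > server chain from steps 1-3 with openssl, plus a client cert under the same intermediate, and then checks the two rules the article states (a SAN-bearing server cert only covers the names in its SAN, so a cert that references only the FQDN does not cover the IP; and a certificate profile that lists only the root CA cannot validate a client cert issued by the intermediate). All names are made up: gp-root-ca, gp-issuing-ca, vpn.example.test, 192.0.2.10 and alice.

```shell
#!/bin/sh
# Added example (not from the original article): openssl equivalent of the
# PAN-OS certificate steps, used to check the CN/SAN and certificate-profile
# rules offline. Hypothetical names throughout.
set -eu
WORK=$(mktemp -d)

# Step 1: root CA. The CN is any unique value, not the portal/gateway FQDN or IP.
gen_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=gp-root-ca" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# CSR + sign helper: issue <name> <CN> <issuer basename> <extension lines...>
issue() {
  name=$1 cn=$2 issuer=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%s\n' "$@" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
    -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

build_chain() {
  gen_root
  # Step 2: intermediate CA, again with a CN that is not the portal/gateway name.
  issue int gp-issuing-ca root \
    'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign'
  # Step 3: server cert whose SAN carries only the FQDN, i.e. the
  # "users must use the FQDN instead of the IP" case from the article.
  issue server vpn.example.test int \
    'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:vpn.example.test'
  # Client (user) cert issued by the intermediate, for the certificate-profile check.
  issue client alice int \
    'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature' \
    'extendedKeyUsage=clientAuth'
}

# What a GlobalProtect client does with the server cert: trust the root, build
# the path through the intermediate, then check the name it connected to.
verify_server_chain() {
  openssl verify -purpose sslserver -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/int.pem" "$WORK/server.pem" >/dev/null 2>&1
}
server_covers_host() {  # exit 0 if the server cert covers FQDN $1
  openssl x509 -in "$WORK/server.pem" -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}
server_covers_ip() {    # exit 0 if the server cert covers IP $1 (needs an IP: SAN entry)
  openssl x509 -in "$WORK/server.pem" -noout -checkip "$1" 2>/dev/null | grep -q 'does match'
}

# What the portal/gateway does with a client cert: validate it against the CAs
# listed in the certificate profile ($@ = the CA files in the profile).
profile_accepts_client() {
  cat "$@" > "$WORK/profile.pem"
  openssl verify -purpose sslclient -CAfile "$WORK/profile.pem" \
    "$WORK/client.pem" >/dev/null 2>&1
}

build_chain
echo "artifacts in $WORK"
verify_server_chain && echo "server chain: OK"
server_covers_host vpn.example.test && echo "vpn.example.test: covered"
server_covers_ip 192.0.2.10 || echo "192.0.2.10: NOT covered (no IP entry in SAN)"
profile_accepts_client "$WORK/root.pem" || echo "profile with root only: client cert rejected"
profile_accepts_client "$WORK/root.pem" "$WORK/int.pem" && echo "profile with root+intermediate: client cert accepted"
```

To make the same server cert valid for users who connect by IP, add `IP:192.0.2.10` to the `subjectAltName` line (the PAN-OS equivalent is a second certificate attribute of type 'IP'); `server_covers_ip` then succeeds. The generated files are left in the temporary directory so they can be inspected with `openssl x509 -text`.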