GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates
you will need, depending on which features you plan to use:
Certificate | Usage | Issuing Process/Best
Practices |
---|---|---|
CA certificate | Used to sign certificates issued to the GlobalProtect components. | If you plan on using self-signed certificates, generate
a CA certificate using your dedicated CA server or Palo Alto Networks
firewall, and then issue GlobalProtect portal and gateway certificates signed
by the CA or an intermediate CA. |
Portal server certificate | Enables GlobalProtect apps to establish
an HTTPS connection with the portal. |
|
Gateway server certificate | Enables GlobalProtect apps to establish
an HTTPS connection with the gateway. |
|
( Optional ) Client certificate | Used to enable mutual authentication when
establishing an HTTPS session between the GlobalProtect apps and
the gateways/portal. This ensures that only endpoints with valid client
certificates are able to authenticate and connect to the network. |
|
( Optional ) Machine certificates | A machine certificate is a client certificate
that is issued to an endpoint that resides in the local machine
store or system keychain. Each machine certificate identifies the endpoint
in the subject field (for example, CN=laptop1.example.com) instead
of the user. The certificate ensures that only trusted endpoints
can connect to gateways or the portal. Machine certificates
are required for users configured with the pre-logon connect method |
|
Table: GlobalProtect Certificate Requirements
For details about the types of keys for secure communication
between the GlobalProtect endpoint and the portals and gateways,
see Reference:
GlobalProtect App Cryptographic Functions.
Recommended For You
Recommended Videos
Recommended videos not found.