GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:
Issuing Process/Best Practices
Used to sign certificates issued to the GlobalProtect components.
If you plan on using self-signed certificates, generate a CA certificate using your dedicated CA server or Palo Alto Networks firewall, and then issue GlobalProtect portal and gateway certificates signed by the CA or an intermediate CA.
Portal server certificate
Enables GlobalProtect apps to establish an HTTPS connection with the portal.
Gateway server certificate
Enables GlobalProtect apps to establish an HTTPS connection with the gateway.
Optional) Client certificate
Used to enable mutual authentication when establishing an HTTPS session between the GlobalProtect apps and the gateways/portal. This ensures that only endpoints with valid client certificates are able to authenticate and connect to the network.
Optional) Machine certificates
A machine certificate is a client certificate that is issued to an endpoint that resides in the local machine store or system keychain. Each machine certificate identifies the endpoint in the subject field (for example, CN=laptop1.example.com) instead of the user. The certificate ensures that only trusted endpoints can connect to gateways or the portal.
Machine certificates are required for users configured with the pre-logon connect method
Table: GlobalProtect Certificate Requirements
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect App Cryptographic Functions.
Recommended For You
Recommended videos not found.