>
    Strata Copilot
    Enable Two-Factor Authentication Using Certificate and Authentication Profiles
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect User Authentication
    5. Set Up Two-Factor Authentication
    6. Enable Two-Factor Authentication Using Certificate and Authentication Profiles
    Download PDF
    GlobalProtect

    Enable Two-Factor Authentication Using Certificate and Authentication Profiles

    Table of Contents

    Enable Two-Factor Authentication Using Certificate and Authentication Profiles

    Configure GlobalProtect to require users to authenticate using both a certificate profile and an authentication profile for enhanced security.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    The following workflow describes how to configure GlobalProtect to require users to authenticate to both a certificate profile and an authentication profile. The user must successfully authenticate using both methods in order to connect to the portal/gateway. For more details on this configuration, see Remote Access VPN with Two-Factor Authentication.
    If the certificate profile specifies a Username Field, from which GlobalProtect can obtain a username, the external authentication service automatically uses that username to authenticate the user to the external authentication service specified in the authentication profile. For example, if the Username Field in the certificate profile is set to Subject, the common-name field value of the certificate is used as the username when the authentication server tries to authenticate the user. If you do not want to force users to authenticate with a username from the certificate, make sure the Username Field in the certificate profile is set to None. See Remote Access VPN with Two-Factor Authentication for an example configuration.
    1. Create an authentication server profile.
      The authentication server profile determines how the firewall connects to an external authentication service and retrieves the authentication credentials for your users. For information on creating an authentication server profile, refer to Set Up External Authentication.
    2. Create an authentication profile that identifies the service for authenticating users. You later have the option of assigning the profile on the portal and gateways. For information on creating an authentication profile, refer to Set Up External Authentication.
    3. Create a client certificate profile that the portal uses to authenticate the client certificates that come from user endpoints.
      When you configure two-factor authentication to use client certificates, the external authentication service uses the username value to authenticate the user, if specified, in the client certificate. This ensures that the user who is logging is in is actually the user to whom the certificate was issued.
      1. Do one of the following:
        • On Panorama, select DeviceCertificate ManagementCertificatesDevice Certificates, and then Generate a new certificate.
        • On Strata Cloud Manager, select ManageConfiguration NGFW and Prisma accessObjectsCertificate Management, and then Generate a new certificate.
      2. Enter a Name for the profile.
      3. Select one of the following Username Field values:
        • If you intend for the client certificate to authenticate individual users, select the certificate field that identifies the user.
        • If you are deploying the client certificate from the portal, select None.
        • If you are setting up a certificate profile for use with a pre-logon connect method, select None.
      4. Add the CA Certificates that you want to assign to the profile, and then configure the following settings:
        1. Select the CA certificate, either a trusted root CA certificate or the CA certificate from a SCEP server. If necessary, import the certificate.
        2. (Optional) Enter the Default OCSP URL.
        3. (Optional) Select a certificate for OCSP Verify Certificate.
        4. (Optional - Panorama only) Enter the Template Name for the template that was used to sign the certificate.
      5. (Optional) Select the following options to specify when to block the user’s requested session:
        1. Status of certificate is unknown.
        2. GlobalProtect component does not retrieve certificate status within the number of seconds in Certificate Status Timeout.
        3. Serial number attribute in the subject of a client certificate does not match the host ID that the GlobalProtect app reports for the endpoint.
        4. Certificates have expired.
      6. Click OK.
    4. (Optional) Issue client certificates to GlobalProtect clients and endpoints.
      To deploy client certificates transparently, configure your portal to distribute a shared client certificate to your endpoints or configure the portal to use SCEP to request and deploy unique client certificates for each user.
      1. Use your enterprise PKI or a public CA to issue a client certificate to each GlobalProtect user.
      2. For the pre-logon connect methods, install certificates in the personal certificate store on the endpoint.
    5. Save the GlobalProtect configuration.
      Click Commit.

    © 2026 Palo Alto Networks, Inc. All rights reserved.