GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:

| Certificate | Usage and Issuing Process/Best Practices |
| --- | --- |
| CA certificate | Used to sign certificates issued to the GlobalProtect components. If you plan to use self-signed certificates, a best practice is to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates. |
| Portal server certificate | Enables GlobalProtect agents and apps to establish an HTTPS connection with the portal. |
| Gateway server certificate | Enables GlobalProtect agents and apps to establish an HTTPS connection with the gateway. |
| (Optional) Client certificate | Used to enable mutual authentication when establishing an HTTPS session between the GlobalProtect agents and the gateways/portal. This ensures that only devices with valid client certificates are able to authenticate and connect to the network. |
| (Optional) Machine certificates | A machine certificate is a client certificate that is issued to a device. Each machine certificate identifies the device in the subject field (for example, CN=laptop1.example.com) instead of a user. The certificate ensures that only trusted endpoints can connect to gateways or the portal. Machine certificates are required for users whose connect method is pre-logon, which enables GlobalProtect to establish a VPN tunnel before the user logs in. |
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.
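As an added example, not code from the Palo Alto Networks documentation, the following Go program builds the hierarchy the table describes using only the standard library: a self-signed CA standing in for the one generated on the portal, portal and gateway server certificates whose SANs carry the hostnames agents connect to, and a machine certificate whose subject is the device name rather than a user. The hostnames gp.example.com and gw1.example.com, the CA name and the serial numbers are constructed sample values; Verify shows the check a portal or gateway applies, that is, the certificate must chain to the configured CA and carry the expected hostname and extended key usage.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues template t under parent; a nil parent makes t self-signed (the CA).
func sign(t, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// tmpl is a one-year template; dns holds the SAN entries, which must match the FQDN agents connect to.
func tmpl(cn string, serial int64, eku x509.ExtKeyUsage, dns ...string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
}
// Build follows the table: one CA on the portal issues the server and machine certificates (sample names).
func Build() (ca, portal, gateway, machine *x509.Certificate) {
	caT := tmpl("GlobalProtect CA", 1, x509.ExtKeyUsageAny)
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey := sign(caT, nil, nil)
	portal, _ = sign(tmpl("gp.example.com", 2, x509.ExtKeyUsageServerAuth, "gp.example.com"), ca, caKey)
	gateway, _ = sign(tmpl("gw1.example.com", 3, x509.ExtKeyUsageServerAuth, "gw1.example.com"), ca, caKey)
	// Machine certificate: the subject names the device, not a user (required for pre-logon).
	machine, _ = sign(tmpl("laptop1.example.com", 4, x509.ExtKeyUsageClientAuth), ca, caKey)
	return ca, portal, gateway, machine
}
// Verify chains cert to ca for host (empty for client certificates) and the expected usage.
func Verify(cert, ca *x509.Certificate, host string, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}
```

A server certificate presented under the wrong hostname, a machine certificate offered for server authentication, or any certificate issued by a different CA fails Verify, which is the behaviour a certificate profile bound to the portal CA gives you.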