Deploy Machine Certificates for Authentication
To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine certificates to each endpoint (recommended) or generate a self-signed machine certificate for export. With the pre-logon connect methods, a machine certificate is required and must be installed on the endpoint before GlobalProtect components will grant access.
To confirm that the endpoint belongs to your organization, you must also configure an authentication profile to authenticate the user. See Set Up Two-Factor Authentication.
client certificates to GlobalProtect clients and endpoints. This
enables the GlobalProtect portal and gateways to validate that the
device belongs to your organization.
- Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
- Select DeviceCertificate ManagementCertificatesDevice Certificates and then click Generate.
- Enter a Certificate Name. The certificate name cannot contain any spaces.
- Configure cryptographic settings for the certificate
including the encryption Algorithm, key length (Number
of Bits), Digest algorithm (use
sha1, sha256, or sha384; sha512 is not supported with client certificates),
and Expiration (in days) for the certificate.If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2,048 bits or 3072 bits.
- In the Certificate Attributes section, Add and define the attributes that uniquely identify the GlobalProtect clients as belonging to your organization. Keep in mind that if you add a Host Name attribute (which populates the SAN field of the certificate), it must be the same as the value you defined for the Common Name.
- In the Signed By field, select your root CA.
- Select an OCSP Responder to verify the revocation status of certificates.
- (Optional) In the Certificate Attributes section, click Add and define the attributes to identify the GlobalProtect clients as belonging to your organization if required as part of your security requirements.
- Click OK to generate the certificate.
certificates in the personal certificate store on the endpoints.If you are using unique user certificates or machine certificates, you must install each certificate in the personal certificate store on the endpoint prior to the first portal or gateway connection. Install machine certificates to the Local Computer certificate store on Windows and in the System Keychain on Mac OS. Install user certificates to the Current User certificate store on Windows and in the Keychain on Mac OS.For example, to install a certificate on a Windows system using the Microsoft Management Console:
- From the command prompt, enter mmc to launch the console.
- Select FileAdd/Remove Snap-in.
- Select Certificates, click Add and
then select one of the following, depending on what type of certificate you
- Computer account—Select this option if you are importing a machine certificate.
- My user account—Select this option if you are importing a user certificate.
- Expand Certificates and select Personal and then in the Actions column select PersonalMore ActionsAll TasksImport and follow the steps in the Certificate Import Wizard to import the PKCS file you got from the CA.
- Browse to the .p12 certificate file to import (select Personal Information Exchange as the file type to browse for) and enter the Password that you used to encrypt the private key. Select Personal as the Certificate store.
- Verify that the certificate has been added to the personal
certificate store.Navigate to the personal certificate store:
the root CA certificate used to issue the client certificates onto
the firewall.This step is required only if an external CA issued the client certificates, such as a public CA or an enterprise PKI CA. If you are using self-signed certificates, the root CA is already trusted by the portal and gateways.
- Download the root CA certificate used to issue the client certificates (Base64 format).
- Import the root CA certificate from the CA that generated
the client certificates onto the firewall:
- Select DeviceCertificate ManagementCertificatesDevice Certificates and click Import.
- Use the Local certificate type (the default).
- Enter a Certificate Name that identifies the certificate as your client CA certificate.
- Browse to the Certificate File you downloaded from the CA.
- Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
- Select the certificate you just imported on the Device Certificates tab to open it.
- Select Trusted Root CA and then click OK.
a client certificate profile.
- Select DeviceCertificatesCertificate ManagementCertificate Profile, click Add, and enter a profile Name.
- Select a value for the Username Field to
specify which field in the certificate will contain the user’s identity information.If you plan to configure the portal or gateways to authenticate users with certificates only, you must specify the Username Field. This enables GlobalProtect to associate a username with the certificate.If you plan to set up the portal or gateway for two-factor authentication, you can leave the default value of None, or, to add an additional layer of security, specify a username. If you specify a username, your external authentication service verifies that the username in the client certificate matches the username requesting authentication. This ensures that the user is the one to which the certificate was issued.Users cannot change the username that is included in the certificate.
- In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in 4 and then click OK.
- Save the configuration.Click Commit.
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...
Remote Access VPN (Certificate Profile)
Remote Access VPN (Certificate Profile) With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or ...
Enable Two-Factor Authentication Using Certificate and Auth...
Enable Two-Factor Authentication Using Certificate and Authentication Profiles The following workflow describes how to configure GlobalProtect client authentication requiring the user to authenticate both to ...
Pre-logon then On-Demand Connect Method
Pre-logon then On-Demand Connect Method This feature requires Content Release version 590-3397 or later. You can now configure a new hybrid connect method called pre-logon ...
Deploy Server Certificates to the GlobalProtect Components
Deploy Server Certificates to the GlobalProtect Components The following workflow shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...
Remote Access VPN with Two-Factor Authentication
Remote Access VPN with Two-Factor Authentication If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can ...
Deploy Shared Client Certificates for Authentication
Deploy Shared Client Certificates for Authentication To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all ...
GlobalProtect Certificate Best Practices
GlobalProtect Certificate Best Practices The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use: GlobalProtect Certificate Requirements ...
How Does the Agent Know Which Certificate to Supply?
How Does the Agent Know Which Certificate to Supply? When you configure GlobalProtect to use client certificates for authentication on Mac or Windows endpoints, GlobalProtect ...