GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:

CA certificate
Used to sign certificates issued to the GlobalProtect components.
Issuing Process/Best Practices: If you plan on using self-signed certificates, we recommend that you generate a CA certificate on the portal, and then use that certificate to issue the required GlobalProtect certificates.

Portal server certificate
Enables GlobalProtect apps to establish an HTTPS connection with the portal.

Gateway server certificate
Enables GlobalProtect apps to establish an HTTPS connection with the gateway.

(Optional) Client certificate
Used to enable mutual authentication when establishing an HTTPS session between the GlobalProtect apps and the gateways/portal. This ensures that only endpoints with valid client certificates are able to authenticate and connect to the network.

(Optional) Machine certificates
A machine certificate is a client certificate that is issued to an endpoint. Each machine certificate identifies the endpoint in the subject field (for example, CN=laptop1.example.com) instead of the user. The certificate ensures that only trusted endpoints can connect to gateways or the portal.
Machine certificates are required for users configured with the pre-logon connect method.

Table: GlobalProtect Certificate Requirements
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect App Cryptographic Functions.
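The hierarchy in the table (one CA issuing the server certificates and the machine certificates) can be rehearsed offline before touching the portal. The following is an added example, not Palo Alto Networks code: it uses the OpenSSL CLI as a stand-in PKI, and the CA name, portal.example.com, the lifetimes and the extended key usage values are assumptions.

```shell
#!/bin/sh
# Added example: a lab PKI with one CA issuing a portal server certificate and
# a machine certificate. All names, lifetimes and EKU choices are assumptions.

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
write_conf() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:portal.example.com
[machine]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# issue DIR NAME CN SECTION: create a key and CSR, then sign the CSR with the CA.
issue() {
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -extfile "$1/pki.cnf" -extensions "$4" \
        -out "$1/$2.crt" 2>/dev/null
}

# build_pki DIR: self-signed CA first, then the certificates it issues.
build_pki() {
    write_conf "$1" || return 1
    openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 365 -subj "/CN=Example GlobalProtect CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    issue "$1" portal portal.example.com server || return 1
    # The machine certificate names the endpoint, not a user, in its subject.
    issue "$1" machine laptop1.example.com machine
}

# check_role DIR NAME PURPOSE: succeed only if the certificate chains to the CA
# and is valid for PURPOSE (sslserver or sslclient).
check_role() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}
```

Run `build_pki "$(mktemp -d)"` and then `check_role` against that directory: the machine certificate verifies for `sslclient` but not `sslserver`, and the portal certificate the reverse.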