GlobalProtect
GlobalProtect Certificate Best Practices
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
9.1 (EoL)
- 10.1 & Later
- 9.1 (EoL)
-
-
-
- Deploy App Settings in the Windows Registry
- Deploy App Settings from Msiexec
- Deploy Scripts Using the Windows Registry
- Deploy Scripts Using Msiexec
- SSO Wrapping for Third-Party Credential Providers on Windows Endpoints
- Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
- Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
-
- Mobile Device Management Overview
- Set Up the MDM Integration With GlobalProtect
- Qualified MDM Vendors
-
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
- Always On VPN Configuration
- Remote Access VPN with Pre-Logon
- GlobalProtect Multiple Gateway Configuration
- GlobalProtect for Internal HIP Checking and User-Based Access
- Mixed Internal and External Gateway Configuration
- Captive Portal and Enforce GlobalProtect for Network Access
-
-
- End User Experience
- Management and Logging in Panorama
-
- View a Graphical Display of GlobalProtect User Activity in PAN-OS
- View All GlobalProtect Logs on a Dedicated Page in PAN-OS
- Event Descriptions for the GlobalProtect Logs in PAN-OS
- Filter GlobalProtect Logs for Gateway Latency in PAN-OS
- Restrict Access to GlobalProtect Logs in PAN-OS
- Forward GlobalProtect Logs to an External Service in PAN-OS
- Configure Custom Reports for GlobalProtect in PAN-OS
- Monitoring and High Availability
-
- About GlobalProtect Cipher Selection
- Cipher Exchange Between the GlobalProtect App and Gateway
-
- Reference: GlobalProtect App Cryptographic Functions
-
- Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 7 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks
- Ciphers Used to Set Up IPsec Tunnels
- SSL APIs
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
-
- Download and Install the GlobalProtect App for Windows
- Use Connect Before Logon
- Use Single Sign-On for Smart Card Authentication
- Use the GlobalProtect App for Windows
- Report an Issue From the GlobalProtect App for Windows
- Disconnect the GlobalProtect App for Windows
- Uninstall the GlobalProtect App for Windows
- Fix a Microsoft Installer Conflict
-
- Download and Install the GlobalProtect App for macOS
- Use the GlobalProtect App for macOS
- Report an Issue From the GlobalProtect App for macOS
- Disconnect the GlobalProtect App for macOS
- Uninstall the GlobalProtect App for macOS
- Remove the GlobalProtect Enforcer Kernel Extension
- Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication
-
6.1
- 6.1
- 6.0
- 5.1
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
End-of-Life (EoL)
GlobalProtect Certificate Best Practices
The GlobalProtect components require valid SSL/TLS certificates to establish
connections. The best practices include using a well-known, third-party CA for the portal
server certificate, using a CA certificate to generate gateway certificates, optionally
using client certificates for mutual authentication, and using machine certificates for
pre-logon access.
The GlobalProtect components must have valid certificates to establish connection using
SSL/TLS. The connection fails if you have invalid or expired certificates.
The following table summarizes the SSL/TLS certificates you will need, depending on which
features you plan to use:
Certificate | Usage | Issuing Process/Best
Practices |
---|---|---|
CA certificate | Used to sign certificates issued to the GlobalProtect components. | If you plan on using self-signed certificates, generate
a CA certificate using your dedicated CA server or Palo Alto Networks
firewall, and then issue GlobalProtect portal and gateway certificates signed
by the CA or an intermediate CA. |
Portal server certificate | Enables GlobalProtect apps to establish
an HTTPS connection with the portal. |
|
Gateway server certificate | Enables GlobalProtect apps to establish
an HTTPS connection with the gateway. |
|
(Optional) Client certificate | Used to enable mutual authentication when
establishing an HTTPS session between the GlobalProtect apps and
the gateways/portal. This ensures that only endpoints with valid client
certificates are able to authenticate and connect to the network. |
|
(Optional) Machine certificates | A machine certificate is a client certificate
that is issued to an endpoint that resides in the local machine
store or system keychain. Each machine certificate identifies the endpoint
in the subject field (for example, CN=laptop1.example.com) instead
of the user. The certificate ensures that only trusted endpoints
can connect to gateways or the portal. Machine certificates
are required for users configured with the pre-logon connect method |
|
Table: GlobalProtect Certificate Requirements
For details about the types of keys for secure communication
between the GlobalProtect endpoint and the portals and gateways,
see Reference:
GlobalProtect App Cryptographic Functions.