Which GlobalProtect Client connect method requires the distribution and use of machine certificates?
The GlobalProtect Client connect method that requires the distribution and use of machine certificates is Pre-logon. In the Pre-logon method, a machine certificate is used to authenticate the device before any user logs in. This certificate is typically deployed to the endpoint to ensure it can establish a connection to the network securely, differentiating it from methods that focus on authenticating individual users, such as User-logon or On-demand.
For machine certificate it is B: Pre-logon; if it was client certificate it would be User-logon. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK Go to part B on the cert profile topic.
Rammsdoct, you are correct based on the URL that you have provided. It says: Client certificate refers to user cert, it can be used for 'user-logon'/'on-demand' connect methods. Used to authenticate a user. Machine certificate refers to device cert, it can be used for 'pre-logon' connect method. This is used to authenticate a device, not a user.
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-user-authentication/set-up-client-certificate-authentication/deploy-machine-certificates-for-authentication
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-user-authentication/set-up-client-certificate-authentication
B. Pre-logon requires machine cert
B is correct
Machine certificate refers to device cert, it can be used for 'pre-logon' connect method.
I have literally built this config too many times not to know the correct answer. 100% B and 100% the bane of my existence!
To elaborate, you also need to have the private key and the cert chain visible on the cert when installed on a host.