So, I recently did some work with an organization that uses the VPN features of the Palo Alto firewall.

The desired configuration was to have users use autoenrollment to get user certificates that would be used to connect to the VPN. If for some reason a user was not able to autoenroll for a certificate they would be provisioned a certificate from the firewall. The firewall used the SCEP protocol to enroll for a certificate from the Network Device Enrollment Server (NDES).

We were able to get the firewall to work with an NDES certificate, but not an autoenrolled certificate. After some troubleshooting, we realized that when a certificate was enrolled from the NDES server that the VPN requested an additional field in the subject. That field was serial number and it included a guid as the value data for that attribute. We realized that that serial number was key to authenticating the client. In fact it is mentioned in Palo Alto’s documentation:

If you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint, select Block sessions if the certificate was not issued to the authenticating device. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/certificate-management/configure-a-certificate-profile

Since we cannot add customer fields into certificates during autoenrollment, without writing a policy module we decided to disable this feature.

This article has the details on how to configure the Certificate Profile for Palo Alto: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK

We had to disable the setting Block session if the certificate was not issued to the authenticating device.

After this change we could use certificates that did not contain the serial number field and could then use autoenrolled certificates.