Professional Documents
Culture Documents
Tech Note
PAN-OS 4.1
Prerequisites
• GlobalProtect Gateway
Support for X-AUTH was introduced in PAN-OS 4.1 as a feature of GlobalProtect Gateway and doesn’t require
any specific license to be activated. To support Android Devices, version 4.1.6 of PAN-OS and above is
required.
• Google Android
Android OS 4.0.3 or later is supported.
Certificate Creation
In order to setup certificate-based IKE phase 1 authentication, you need to create three certificates either in the PAN-OS
management UI or from an external certificate authority.
Like every product leveraging certificate based authentication, GlobalProtect requires the existence of a Root Certificate,
which can be either created within PAN-OS or from an external certificate authority (CA). If an external certificate authority
is used, the Root Certificate needs to be imported into PAN-OS.
1. To create a certificate locally, navigate to the Certificate page on the Device tab and select Generate.
2. Enter a unique name for the certificate in the configuration.
3. Leave the Signed By field empty and select the Certificate authority checkbox underneath.
4. Click Generate.
Identity Certificate
In the case of certificate based authentication, the client and the gateway go through a mutual authentication. Therefore the
Android device requires a certificate from a certificate authority trusted by the gateway. This certificate can be created in
PAN-OS or imported from an external certificate authority. This section describes how to generate a client certificate
(referred to as an IPSec user certificate in Android), in PAN-OS, and the process to export the certificate.
©2012, Palo Alto Networks, Inc. [4]
1. To create a certificate locally, navigate to the Certificate page on the Device tab and select Generate.
2. Enter a unique name for the certificate in the configuration.
3. Enter any name in the Common Name (CN).
4. Select the certificate authority to issue this certificate.
5. Click Generate.
Certificate Profile
In order to validate the client certificate, a Client Certificate Profile needs to be created which includes the CA certificate
used to create the Identity Certificate. Please refer to the corresponding section on creating Client Certificate Profiles in the
Palo Alto Networks Administrator’s Guide.
Note: If there is no existing GlobalProtect Portal/Gateway, please refer to the corresponding section in the Palo Alto
Networks Administrator’s Guide on how to configure a GlobalProtect Portal/Gateway.
1. In the Server Certificate drop-down, select the gateway certificate created in the “Gateway Certificate” section of
this document.
2. In the Client Certificate Profile drop-down, select the certificate profile, which includes the CA certificate used to
issue the client certificate in the “Client Certificate” section.
3. Enable “Tunnel Mode” and select “Enable IPSec”.
4. Enable “Enable X-Auth Support” to enable Extended Authentication.
5. Leave the “Group Name” and “Group Password” fields empty to enable certificate authentication in IKE phase 1.
6. Click OK and commit the configuration changes.
Your VPN profile is now configured and you can enable the VPN connection through the VPN settings in the “Wireless &
Network” section of your device settings. Once you click on the connection entry, a username and password dialog will
appear and you will be prompted for your user credentials.