The design is that you should be able to authenticate to the portal and as the pre-logon user with the machine certificate, but should not be able to establish a full session without having the user certificate. However, an enterprising contractor reached out to me with a lead on a possible gap (or bug) with our GlobalProtect setup. That individual discovered that if you logged into a client endpoint using a service account, GlobalProtect would still establish a valid login session even though it was missing a user certificate. How can I troubleshoot this?
Our client has a Panorama running PAN-OS 9.1.8 which seems to simultaneously succeed and fail at performing a scheduled config export to a Linux server. The "failed" job repeatedly tries to run for several hours before giving up. Has anyone seen this behavior? tyvm