Error seen when trying to connect GlobalProtect "Valid client certificate is required" when using Client Certificate for authentication (User certificate rather than a Machine Certificate)..
1. Please confirm if you are indeed using an User certificate for the client authentication
2. Below is the GP logs seen when the GP connection fails when the firewall blocks sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint
[PanGPS.log]
(T6032) 11/05/19 16:27:47:757 Error(5880): pre-login error message: Valid client certificate is required
(T6032) 11/05/19 16:27:47:757 Debug(6662): Non-OnDemand mode valid client cert is required.
(T6032) 11/05/19 16:27:47:757 Info (8111): Portal config does not exist, try registry/plist
(T6032) 11/05/19 16:27:47:757 Info (6676): failed to retrieve value of the tag version.
(T6032) 11/05/19 16:27:47:757 Debug(6687): Failed to get portal config from portal gptest.paloaltonetworks.com.
(T6032) 11/05/19 16:27:47:757 Debug(6715): Try to restore last portal config from file.
(T6032) 11/05/19 16:27:47:757 Debug(6757): Skip retrieve cached portal configuration for empty user
(T6032) 11/05/19 16:27:47:757 Debug(6697): Set portal status to valid client cert needed.
(T6032) 11/05/19 16:27:47:757 Debug(6707): portal status is Client Cert Required.
(T6032) 11/05/19 16:27:47:757 Debug(6017): Portal required client certificate is not found.
3. For User Certificate, make sure the option "Block session if certificate was not issued to the authentication device" is unchecked.
"(GlobalProtect only) Select this option if you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint. Otherwise, the firewall allows the sessions. This option applies only to GlobalProtect certificate authentication."
"The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by device type:
Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)"