GlobalProtect Pre-logon using a machine certificate - PAN-OS 10.0.6

I have had tons of issues with Pre-logon because the documentation was not that helpful. This video is great!!! Is there any way you could go more in depth on the machine certificate settings and how to configure that piece? The Portal and Gateway configs were clear but when talking about the Certs and CA' i wasnt sure if you were referring to an Internal CA or the CA that signs the Public cert used in the Portal. Maybe you could do a part 2 or in depth demo on that side of things. Thank you!!!

Thanks for sharing. I hope there will be more teachings.

Great Video. So So much better than online document. Thanks for this.
1 Query while creating Cert Profile you selected Root CA, instead of this can I use my Local Enterprise Root CA & Intermediate CA? Bcoz machine & user cert are signed using Local Enterprise CA?

Am I correct in saying that this is using authentication cookies and not using machine certificates?

This works if I login, connect with the GPC, log out, then log back in. It does not work after a startup/reboot.

Out of the 3 option that you mentioned, looks like you used option 2 as I think no cert were used in the portal and you need to login to the gp client for the first time to generate the cookie. Is that right?

Can this be done without using auth cookies and just a machine cert for the pre-logon? We have a scenario where laptops are being built for new users and they need connection to the VPN to have their profiles/GPOs applied etc but can’t because they’ve never logged in. Kind of a chicken before the egg scenario. I’ve read that it’s possible but I’ve never gotten it to work

Where do you get the RootCA cert from?