The design is that you should be able to authenticate to the portal and as the pre-logon user with the machine certificate, but should not be able to establish a full session without having the user certificate.
However, an enterprising contractor reached out to me with a lead on a possible gap (or bug) with our GlobalProtect setup. That individual discovered that if you logged into a client endpoint using a service account, GlobalProtect would still establish a valid login session even though it was missing a user certificate.
How can I troubleshoot this?
Is the machine certificate signed by the same CA as you require for the user cert? You might have a double positive hit, as both certificates may be valid. If you need 2 different certs for pre/post-logon, you should have 2 different gateways with different cert profiles: one set for only pre-logon users, one for regular users.
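The "double positive hit" and the two-gateway remedy above, as an added example that is not part of the original thread: a constructed model of a certificate-profile check (not Palo Alto Networks code, and not the PAN-OS API), with assumed CA and gateway names, showing why a single profile trusting the shared CA grants a full session to the machine certificate alone, and why separate CAs behind separate profiles and gateways do not.

```python
from dataclasses import dataclass

# Constructed model of a certificate-profile check; names are assumptions.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # CA that signed this certificate

@dataclass(frozen=True)
class CertProfile:
    trusted_issuers: frozenset  # CAs the profile accepts

    def accepts(self, cert: Cert) -> bool:
        # A profile only checks chaining: any cert from a trusted CA passes.
        return cert.issuer in self.trusted_issuers

@dataclass(frozen=True)
class Gateway:
    name: str
    profile: CertProfile
    prelogon_only: bool = False  # True: grants pre-logon access, never a full session

def session_for(gateway: Gateway, cert: Cert) -> str:
    """Return the kind of session this gateway would grant for the presented cert."""
    if not gateway.profile.accepts(cert):
        return "denied"
    return "pre-logon" if gateway.prelogon_only else "full"

# Gap described in the question: machine and user certs chain to the same CA.
SHARED_CA = "Corp-Issuing-CA"
machine_cert = Cert("host01.corp.example", SHARED_CA)
user_cert = Cert("alice@corp.example", SHARED_CA)

def single_gateway_result(cert: Cert) -> str:
    """One gateway whose profile trusts the shared CA: a machine cert is enough."""
    gw = Gateway("gp-gw", CertProfile(frozenset({SHARED_CA})))
    return session_for(gw, cert)

# Remedy from the answer: distinct CAs, distinct cert profiles, distinct gateways.
MACHINE_CA, USER_CA = "Corp-Machine-CA", "Corp-User-CA"
machine_cert_split = Cert("host01.corp.example", MACHINE_CA)
user_cert_split = Cert("alice@corp.example", USER_CA)
PRELOGON_GW = Gateway("gp-prelogon", CertProfile(frozenset({MACHINE_CA})), prelogon_only=True)
USER_GW = Gateway("gp-users", CertProfile(frozenset({USER_CA})))

def split_gateway_results(cert: Cert) -> dict:
    """Outcome per gateway once each profile trusts only its own CA."""
    return {gw.name: session_for(gw, cert) for gw in (PRELOGON_GW, USER_GW)}
```

With the shared CA, `single_gateway_result(machine_cert)` returns "full", which is the service-account behaviour the contractor observed; with split CAs the machine certificate only reaches the pre-logon gateway.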