GlobalProtect Portal and Gateway need the same Certificate Profile when on the same IP address
Symptom
This article explains why the GlobalProtect Portal and Gateway need to have the same Certificate Profile when they are configured on the same IP address.
Environment
- PAN-OS firewall
- GlobalProtect Portal and Gateway
- Certificate Profile
Cause
Client certificate authentication fails on the Portal when only the Portal has a Certificate Profile and both Portal and Gateway are on the same IP address.
Resolution
Additional Information
The following scenarios explain the client certificate authentication behavior:
- Scenario#1
  - GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  - GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: 10.0.0.1) with no Certificate Profile
  Client certificate authentication will fail, since the Gateway does not have any Certificate Profile configured and both are on the same IP address.
- Scenario#2
  - GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) with no Certificate Profile
  - GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  Client certificate authentication will work, since the Certificate Profile is on the Gateway and both are on the same IP address.
- Scenario#3
  - GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  - GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-2
  Certificate Profile Cert-Prof-2 would be used for both Portal and Gateway client certificate authentication.
- Scenario#4
  - GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  - GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: 10.0.0.2) using Certificate Profile Cert-Prof-2
- Scenario#5
  - GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  - GlobalProtect Gateway configured on ethernet1/4 (IP Address: 10.1.0.1) using Certificate Profile Cert-Prof-2
  Certificate Profile Cert-Prof-1 would be used for the Portal and Cert-Prof-2 for the Gateway for client certificate authentication, since they are on different IP addresses and interfaces.
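The behavior above reduces to one rule: on a shared IP address, the Gateway's Certificate Profile (or its absence) is what gets enforced, for the Portal too. The following added example (not Palo Alto Networks code, and not a PAN-OS API) models that rule and lints a Portal/Gateway pair for the misconfiguration in the Cause section before commit. It assumes the coupling is keyed on the IP address alone; `GpEndpoint` and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class GpEndpoint:
    """A GlobalProtect Portal or Gateway listener (constructed model, not the PAN-OS API)."""
    interface: str               # e.g. "ethernet1/3"
    ip: str                      # IP address the listener is bound to
    cert_profile: Optional[str]  # Certificate Profile name, or None if not configured


def effective_cert_profiles(portal: GpEndpoint, gateway: GpEndpoint) -> Dict[str, Optional[str]]:
    """Certificate Profile each component actually enforces for client certificate auth.

    Assumption: the coupling is keyed on the shared IP address only. When Portal and
    Gateway share an IP, the Gateway's profile (or the lack of one) applies to both.
    """
    if portal.ip == gateway.ip:
        return {"portal": gateway.cert_profile, "gateway": gateway.cert_profile}
    return {"portal": portal.cert_profile, "gateway": gateway.cert_profile}


def lint_shared_ip(portal: GpEndpoint, gateway: GpEndpoint) -> List[str]:
    """Pre-commit style check for the shared-IP misconfigurations the scenarios describe."""
    findings: List[str] = []
    if portal.ip != gateway.ip:
        return findings  # separate IPs: each side uses its own profile, nothing to flag
    if portal.cert_profile and gateway.cert_profile is None:
        findings.append(
            f"Portal profile {portal.cert_profile!r} is ineffective: Gateway on "
            f"{gateway.ip} has no Certificate Profile, so Portal client cert auth fails"
        )
    elif portal.cert_profile and portal.cert_profile != gateway.cert_profile:
        findings.append(
            f"Portal profile {portal.cert_profile!r} is overridden by Gateway "
            f"profile {gateway.cert_profile!r} on shared IP {gateway.ip}"
        )
    return findings


if __name__ == "__main__":
    # Scenario#1 from this article: Portal has Cert-Prof-1, Gateway on the same IP has none
    portal = GpEndpoint("ethernet1/3", "10.0.0.1", "Cert-Prof-1")
    gateway = GpEndpoint("ethernet1/3", "10.0.0.1", None)
    print(effective_cert_profiles(portal, gateway))
    for finding in lint_shared_ip(portal, gateway):
        print("WARN:", finding)
```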