Palo Alto Networks Knowledgebase: GlobalProtect Portal and Gateway use same Certificate Profile when on the same interface

Created On 02/07/19 23:54 PM - Last Updated 02/07/19 23:54 PM
GlobalProtect Prisma Access
Resolution

 

Issue

Different Certificate Profiles are configured on a GlobalProtect Portal and a GlobalProtect Gateway that use the same interface.

 

Setup

Certificate Profile #1: Cert-Prof-1

Certificate Profile #2: Cert-Prof-2

 

GlobalProtect Portal configured on ethernet1/3 (IP Address: x.x.x.x) using Cert-Prof-1

GlobalProtect Gateway configured on same ethernet1/3 (IP Address: x.x.x.x) using Cert-Prof-2

 

Outcome

The Palo Alto Networks firewall will use "Cert-Prof-2" even for GlobalProtect Portal.

 

NOTE: When the two Certificate Profiles are configured differently, connecting to the GlobalProtect Portal might fail, because the firewall uses the Gateway's Certificate Profile even for connections to the GlobalProtect Portal.

 

Cause/Resolution

When GlobalProtect Portal and Gateway are configured on the same interface and a Certificate Profile is needed for Client Authentication on both, use the same Certificate Profile on both GlobalProtect Portal and Gateway. The Dataplane (DP) on the Palo Alto Networks firewall uses only the GlobalProtect Gateway's Certificate Profile for connections to both GlobalProtect Portal and Gateway.
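
An audit check for the condition described above, as an added example that is not Palo Alto Networks code: it reports every portal whose configured Certificate Profile differs from that of a gateway on the same interface. The `GPService` record, the service names and the sample inventory are assumptions built by hand for illustration, not a PAN-OS export format.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GPService:
    kind: str                    # "portal" or "gateway"
    name: str                    # hypothetical object name
    interface: str               # interface the service listens on
    cert_profile: Optional[str]  # None = no client-certificate authentication


def find_profile_conflicts(services):
    """Return one finding per portal/gateway pair that shares an interface
    but references different Certificate Profiles."""
    gateways = {}
    for svc in services:
        if svc.kind == "gateway":
            gateways.setdefault(svc.interface, []).append(svc)

    findings = []
    for portal in services:
        if portal.kind != "portal" or portal.cert_profile is None:
            continue
        for gw in gateways.get(portal.interface, []):
            # The article covers only the case where both sides use a profile.
            if gw.cert_profile is not None and gw.cert_profile != portal.cert_profile:
                findings.append({
                    "interface": portal.interface,
                    "portal": portal.name, "configured": portal.cert_profile,
                    "gateway": gw.name, "effective": gw.cert_profile,
                })
    return findings


# Constructed inventory; the first pair mirrors the article's setup.
SAMPLE = [
    GPService("portal", "gp-portal", "ethernet1/3", "Cert-Prof-1"),
    GPService("gateway", "gp-gw", "ethernet1/3", "Cert-Prof-2"),
    GPService("portal", "gp-portal-b", "ethernet1/4", "Cert-Prof-1"),
    GPService("gateway", "gp-gw-b", "ethernet1/4", "Cert-Prof-1"),
    GPService("gateway", "gp-gw-c", "ethernet1/5", "Cert-Prof-2"),
]

if __name__ == "__main__":
    for f in find_profile_conflicts(SAMPLE):
        print(f"{f['interface']}: portal {f['portal']} is configured with "
              f"{f['configured']}, but gateway {f['gateway']} profile "
              f"{f['effective']} is the one applied")
```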

 


