How to Configure Certificates for Multiple Gateways Managed by a Single Portal for GlobalProtect

How to Configure Certificates for Multiple Gateways Managed by a Single Portal for GlobalProtect

25862
Created On 09/25/18 17:52 PM - Last Modified 04/15/21 03:28 AM


Symptom

This document describes the steps to properly generate and apply certificates for a scenario involving multiple GlobalProtect Gateways managed by a single GlobalProtect Portal.



Environment
  • Palo Alto Firewall.
  • Certificate configuration for GlobalProtect Gateway.


Resolution
 
  1. Generate and install certificates Generate a root Certificate Authority (CA) certificate on the PAN which will host on the portal:
        User-added image

        2.Export the generated root CA certificate
        rootexport2.JPG

        3.Import the certificate to the Palo Alto Networks device which is hosting the external GlobalProtect Gateway. The generated root CA                certificate must be imported to all external GlobalProtect Gateways. In this example, there are 2 GlobalProtect Gateways.
        rootimport.JPG

       4.First external GlobalProtect Gateway certificate. This certificate should be signed by the imported root CA certificate. The Common Name can be either IP or FQDN.
        gtwycert.JPG

        5.Second External GlobalProtect Gateway certificate. This certificate should also be signed by the imported root CA certificate. The Common Name can be either IP or FQDN.
        extgtwy3.JPG

       6.Configure the GlobalProtect Portal (Network > GlobalProtect > Portals).
       7.Configure the Portal Configuration tab. For this example, the same certificate is being used for the GlobalProtect Portal and the first external GlobalProtect Gateway.
       User-added image

       User-added image

       8.Configure the Client Configuration tab
       Important: Only FQDNs associated with the gateway IP addresses can be entered under the list of External Gateways.
       User-added image
       If IP addresses for the gateways are entered, the following errors would show up in the PANGPS logs:
       gperrors.JPG
        Make sure the root CA certificate is added under Trusted Root CA and check mark the Install in local Root Certificate store.


          9.Configuration of the first external GlobalProtect Gateway:
           User-added image  

           User-added image

           User-added image

           User-added image
           10.Configuration of the second external GlobalProtect Gateway:
            User-added image

            User-added image

            User-added image


            User-added image

 

 



Additional Information

See also

How to Configure GlobalProtect

GlobalProtect Resource List

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLcCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language