Palo Alto Networks Knowledgebase: How to Configure Certificates for Multiple Gateways Managed by a Single Portal for GlobalProtect
Created On 02/07/19 23:56 PM - Last Updated 02/07/19 23:56 PM
This document describes the steps to properly generate and apply certificates for a scenario involving multiple GlobalProtect Gateways managed by a single GlobalProtect Portal.
Check licenses. The device hosting the portal must have both a portal license and a gateway license. Every gateway managed by the portal must have a gateway license.
Generate and install certificates.
Generate a root Certificate Authority (CA) certificate on the Palo Alto Networks device that will host the portal. (On PAN-OS 4.0.x and 4.1.x, go to Device > Certificates. On PAN-OS 5.0.x, go to Device > Certificate Management > Certificates.)
Export the generated root CA certificate.
Import the exported root CA certificate on the Palo Alto Networks device that hosts the external GlobalProtect Gateway. The root CA certificate must be imported on every external GlobalProtect Gateway; in this example there are two.
Create the certificate for the first external GlobalProtect Gateway. This certificate must be signed by the imported root CA certificate. The Common Name can be either the gateway's IP address or its FQDN.
Create the certificate for the second external GlobalProtect Gateway. This certificate must also be signed by the imported root CA certificate. The Common Name can be either the gateway's IP address or its FQDN.
Configure the GlobalProtect Portal (Network > GlobalProtect > Portals).
Configure the Portal Configuration tab. For this example, the same certificate is being used for the GlobalProtect Portal and the first external GlobalProtect Gateway. Note: The "Satellite Configuration" tab shown in the screenshot below is not available before PAN-OS 5.0.
Configure the Client Configuration tab. Important: only FQDNs that resolve to the gateway IP addresses may be entered in the list of External Gateways.
If the gateway IP addresses are entered instead, the following errors appear in the PANGPS logs:
Make sure the root CA certificate is added under Trusted Root CA:
Configuration of the first external GlobalProtect Gateway:
Configuration of the second external GlobalProtect Gateway:
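As an added illustration (not from this article, and built with Go's crypto/x509 instead of on PAN-OS), the following reproduces the same trust layout outside the firewall: one root CA, two gateway certificates signed by it (one named by FQDN, one by IP address), and the check a client effectively performs when it connects to a gateway, namely that the certificate chains to a root listed under Trusted Root CA and names the gateway exactly as the portal lists it. The CA name, FQDN and IP address are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

var serial int64 // constructed serial counter for this illustration; PAN-OS assigns its own

// newCert issues a certificate for name, signed by parent (self-signed root CA when parent is nil);
// a gateway (non-CA) certificate also gets a SAN matching name, as an IP address or an FQDN.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else if ip := net.ParseIP(name); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{name}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the root CA generated on the portal device
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// gatewayTrusted reports whether gw chains to the root the client trusts and carries the
// name (FQDN or IP) the portal hands out for that gateway; either failure rejects the gateway.
func gatewayTrusted(root, gw *x509.Certificate, name string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := gw.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err == nil
}
```

Issue a root, sign two gateway certificates with it, and call gatewayTrusted with the name the portal lists for each gateway: it returns true only when the certificate both chains to that root and carries that exact name, and false for a gateway signed by a CA that is not in the trusted set or looked up under a name its certificate does not carry.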