How to Configure Certificates for Multiple Gateways Managed by a Single Portal for GlobalProtect

 

1. Generate and install certificates Generate a root Certificate Authority (CA) certificate on the PAN which will host on the portal:

       

        2.Export the generated root CA certificate
        

        3.Import the certificate to the Palo Alto Networks device which is hosting the external GlobalProtect Gateway. The generated root CA                certificate must be imported to all external GlobalProtect Gateways. In this example, there are 2 GlobalProtect Gateways.
        

       4.First external GlobalProtect Gateway certificate. This certificate should be signed by the imported root CA certificate. The Common Name can be either IP or FQDN.
        

        5.Second External GlobalProtect Gateway certificate. This certificate should also be signed by the imported root CA certificate. The Common Name can be either IP or FQDN.
       

       6.Configure the GlobalProtect Portal (Network > GlobalProtect > Portals).
       7.Configure the Portal Configuration tab. For this example, the same certificate is being used for the GlobalProtect Portal and the first external GlobalProtect Gateway.
       

       

       8.Configure the Client Configuration tab
       Important: Only FQDNs associated with the gateway IP addresses can be entered under the list of External Gateways.
       
       If IP addresses for the gateways are entered, the following errors would show up in the PANGPS logs:
       
        Make sure the root CA certificate is added under Trusted Root CA and check mark the Install in local Root Certificate store.


          9.Configuration of the first external GlobalProtect Gateway:
             

           

           

           
           10.Configuration of the second external GlobalProtect Gateway: