Palo Alto Networks Knowledgebase: How to Configure Certificates for Multiple Gateways Managed by a Single Portal for GlobalProtect

Created On 02/07/19 23:56 PM - Last Updated 02/07/19 23:56 PM
GlobalProtect Prisma Access
Resolution

Overview

This document describes the steps to properly generate and apply certificates for a scenario involving multiple GlobalProtect Gateways managed by a single GlobalProtect Portal.


Steps

  1. Check licenses. The device hosting the portal should have both a portal and a gateway license. All the gateways managed by the portal need to have a gateway license.
  2. Generate and install certificates
    Generate a root Certificate Authority (CA) certificate on the Palo Alto Networks device which will host the portal. (On PAN-OS 4.0.x and 4.1.x go to Device > Certificates. On PAN-OS 5.0.x go to Device > Certificate Management > Certificates.)
    (Screenshot: rootcert.JPG)
  3. Export the generated root CA certificate
    (Screenshot: rootexport2.JPG)
  4. Import the certificate to the Palo Alto Networks device which is hosting the external GlobalProtect Gateway. The generated root CA certificate must be imported to all external GlobalProtect Gateways. In this example, there are 2 GlobalProtect Gateways.
    (Screenshot: rootimport.JPG)
  5. First external GlobalProtect Gateway certificate. This certificate should be signed by the imported root CA certificate. The Common Name can be either an IP address or an FQDN.
    (Screenshot: gtwycert.JPG)
  6. Second external GlobalProtect Gateway certificate. This certificate should also be signed by the imported root CA certificate. The Common Name can be either an IP address or an FQDN.
    (Screenshot: extgtwy3.JPG)
  7. Configure the GlobalProtect Portal (Network > GlobalProtect > Portals).
  8. Configure the Portal Configuration tab. For this example, the same certificate is being used for the GlobalProtect Portal and the first external GlobalProtect Gateway.
    Note: The "Satellite Configuration" tab shown in the screenshot below is not available before PAN-OS 5.0.
    (Screenshot: portal1.JPG)
  9. Configure the Client Configuration tab
    Important: Only FQDNs associated with the gateway IP addresses can be entered under the list of External Gateways.
    (Screenshot: portal2.JPG)
    If IP addresses for the gateways are entered instead, the following errors appear in the PANGPS logs:
    (Screenshot: gperrors.JPG)
    Make sure the root CA certificate is added under Trusted Root CA:
    (Screenshot: portal3.JPG)
  10. Configuration of the first external GlobalProtect Gateway:
    (Screenshot: gatewayone-1.JPG)
    (Screenshot: gatewayone-2.JPG)
    (Screenshot: gatewaynewwest.JPG)
  11. Configuration of the second external GlobalProtect Gateway:
    (Screenshot: gatewaytwo-1.JPG)
    (Screenshot: gatewaytwo-2.JPG)
    (Screenshot: gatewaytwo-3.JPG)
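The certificate layout the steps above build (one root CA on the portal device, one gateway certificate per external gateway signed by that root, and the gateway FQDN from the External Gateways list matching the certificate) can be rehearsed and checked with openssl before anything is loaded onto the firewalls. The script below is an added example, not part of this article and not Palo Alto Networks tooling; the CA name, the gateway FQDNs and the IP address are constructed for the demonstration, and the generated files live in a temporary directory.

```shell
#!/bin/sh
# Added example: reproduce the article's certificate hierarchy with openssl and
# verify two things the portal/gateway setup depends on:
#   1. each gateway certificate chains to the root CA (steps 2-6), and
#   2. the name that will be entered under External Gateways matches the
#      gateway certificate (step 9 requires an FQDN there, not an IP).
# All names below are constructed; nothing here touches a firewall.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA, the counterpart of the CA generated on the portal device.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=GP-Root-CA" \
        -keyout "$WORK/rootca.key" -out "$WORK/rootca.crt" 2>/dev/null
}

# Gateway certificate signed by the root CA. $1 is the gateway FQDN; it is
# placed in the CN and in a DNS SAN so the client can validate the name.
make_gateway_cert() {
    fqdn="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" \
        -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$WORK/$fqdn.ext"
    openssl x509 -req -in "$WORK/$fqdn.csr" \
        -CA "$WORK/rootca.crt" -CAkey "$WORK/rootca.key" -CAcreateserial \
        -extfile "$WORK/$fqdn.ext" -days 825 -out "$WORK/$fqdn.crt" 2>/dev/null
}

# Succeeds when the gateway certificate ($1 = FQDN used at creation) chains to
# the root CA, i.e. the trust the client gets once the root CA is listed under
# Trusted Root CA in the client configuration.
chains_to_root() {
    openssl verify -CAfile "$WORK/rootca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Succeeds when the value intended for the External Gateways list ($2) matches
# the certificate of gateway $1. openssl always exits 0 for -checkhost, so the
# verdict is taken from its output text.
name_matches_cert() {
    openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2" 2>/dev/null \
        | grep -q "does match"
}

# Demonstration with constructed names: two external gateways, one root CA.
make_root_ca
make_gateway_cert gw-east.example.com
make_gateway_cert gw-west.example.com
for gw in gw-east.example.com gw-west.example.com; do
    chains_to_root "$gw" && echo "$gw: chains to GP-Root-CA"
done
name_matches_cert gw-east.example.com gw-east.example.com \
    && echo "External Gateways entry gw-east.example.com matches its certificate"
name_matches_cert gw-east.example.com 203.0.113.10 \
    || echo "External Gateways entry 203.0.113.10 does not match the certificate; enter the FQDN"
```

Run it on any host with openssl; set WORK to keep the generated files. The last check is the one worth keeping in a pre-deployment routine: it fails for the IP address and succeeds for the FQDN, which mirrors the requirement in step 9 that only FQDNs associated with the gateway IP addresses go into the External Gateways list.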


See also

How to Configure GlobalProtect

GlobalProtect Configuration Tech Note


owner: sraghunandan



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLcCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail