GlobalProtect Gateway Certificate Error When Trying to connect GlobalProtect
When trying to connect GlobalProtect to the Palo Alto Networks firewall, it is successfully connecting to the portal, but gives a certificate error when it tries to connect to the gateway. When using older versions of the agent it connects without issue.
- Global Protect
This issue might be caused by a new check that was introduced in GlobalProtect version 4 and later. The validation check makes sure that the gateway address configured in the GlobalProtect portal matches the CN of the certificate that the gateway is configured to use. This check was not implemented in older versions, so this issue was not encountered.
Note: When the gateway address is a FQDN and this FQDN is in the certificate, GlobalProtect Agent v4 and up produces the certificate error until the PTR record is created in DNS.
If the gateway certificate includes a hostname (dnsname) in the Subject Alternative Name (SAN) attribute, it should also match the Common Name of the certificate as indicated in the article above.
Important! Before making this change, make sure the DNS servers that are used on the firewall are able to resolve the "GlobalProtect Portal" hostname to a public IP address and that there is also a PTR record to resolve the IP address back to the hostname. If it resolves to an internal IP address, this will make the portal inaccessible from the external interface.