Palo Alto Networks Knowledgebase: GlobalProtect Gateway Certificate Error When Trying to connect GlobalProtect

GlobalProtect Gateway Certificate Error When Trying to connect GlobalProtect

40832
Created On 09/25/18 20:36 PM - Last Updated 02/08/19 00:06 AM
Resolution

Issue

When trying to connect GlobalProtect to the Palo Alto Networks firewall, it is successfully connecting to the portal, but gives a certificate error when it tries to connect to the gateway. When using older versions of the agent it connects without issue.

 

Cause

This issue might be caused by a new check that was introduced in GlobalProtect version 2.1.0. The validation check makes sure that the gateway address configured in the GlobalProtect portal matches the CN of the certificate that the gateway is configured to use. This check was not implemented in older versions, so this issue was not encountered.

Note: When the gateway address is a FQDN and this FQDN is in the certificate, GlobalProtect Agent v2.1.0  and up produces the certificate error until the PTR record is created in DNS.

 

Resolution

  1. Determine which certificate the gateway is configured to use and write it down. Screen Shot 2016-04-13 at 5.42.21 pm.png
  2. Go to Device > Certificate Management > Certificates and write down the CN of the certificate that was copied in Step 1.
    Screen Shot 2016-04-13 at 5.41.27 pm.png
  3. Adjust the address of the gateway in the GlobalProtect portal client configuration to the CN that was copied in Step 2.
    Screen Shot 2016-04-13 at 5.43.25 pm.png
  4. Commit the changes and try to reconnect with the agent.

 

Note:

If the gateway certificate includes a hostname (dnsname) in the Subject Alternative Name (SAN) attribute, it should also match the Common Name of the certificate as indicated in the article above.

 

 

Important! Before making this change, make sure the DNS servers that are used on the firewall are able to resolve the "GlobalProtect Portal" hostname to a public IP address and that there is also a PTR record to resolve the IP address back to the hostname. If it resolves to an internal IP address, this will make the portal inaccessible from the external interface.

 

owner: jwebb



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClixCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language