Palo Alto Networks Knowledgebase: GlobalProtect client doesn’t trust GlobalProtect Portal Certificate


Created On 02/07/19 23:41 PM - Last Updated 02/07/19 23:41 PM
GlobalProtect GlobalProtect cloud service

GlobalProtect versions 2.1.1-25 and above


The GlobalProtect Agent fails to connect to the GlobalProtect portal when it is configured with the portal’s FQDN. It logs the following error message:


(T8728) 02/13/15 13:58:55:137 Info (2184): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=0000000001CE29A0)
(T8728) 02/13/15 13:58:55:137 Info (2197): winhttpObj, dwCertError is:
(T8728) 02/13/15 13:58:55:137 Info (2202): WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID


This issue is not seen when the portal’s IP address, instead of its FQDN, is configured in the GlobalProtect Agent.



The GlobalProtect Agent performs an additional check to protect the SSL connection with the portal: it compares the common name (CN) of the portal’s certificate with the FQDN entered in the GlobalProtect Agent. If the CN doesn’t match the locally configured FQDN, the GlobalProtect Agent considers the portal’s certificate invalid.
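The comparison described above can be checked before portal addresses are pushed to clients. The following is an added example, not Palo Alto Networks code: the function names, status strings and sample certificate are constructed, and the case-insensitive, trailing-dot-tolerant comparison is an assumption about how the names are matched.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subject": ((("organizationName", "Example Corp"),),
                           (("commonName", "gp-portal.example.com"),))}

def common_names(cert):
    """Collect commonName values from the certificate subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _norm(name):
    # Assumption: names are compared case-insensitively, ignoring a trailing dot.
    return name.strip().rstrip(".").lower()

def check_portal_address(cert, configured):
    """Classify one portal address as it would be entered in the agent."""
    try:
        ipaddress.ip_address(configured.strip())
        return "ip-configured"  # the article reports no CN error in this case
    except ValueError:
        pass
    cns = [_norm(cn) for cn in common_names(cert)]
    if not cns:
        return "no-cn"
    if _norm(configured) in cns:
        return "match"
    if any(cn.startswith("*.") for cn in cns):
        return "wildcard-cn-review"  # wildcard handling is not described in the article
    return "cn-mismatch"  # expect WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID

def audit(cert, addresses):
    """Map each configured portal address to its classification."""
    return {addr: check_portal_address(cert, addr) for addr in addresses}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live portal certificate. The chain is still validated; only the
    library's own hostname comparison is skipped so the CN can be reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    sample = ["gp-portal.example.com", "vpn.example.com", "192.0.2.10"]
    for addr, status in audit(SAMPLE_CERT, sample).items():
        print(f"{addr:28} {status}")
```

Any address reported as `cn-mismatch` should either be changed to the certificate's CN or the portal certificate reissued with a CN that equals the FQDN users are given.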
