Palo Alto Networks Knowledgebase: GlobalProtect client doesn’t trust GlobalProtect Portal Certificate


Created On 02/07/19 23:41 PM - Last Updated 02/07/19 23:41 PM
Products: GlobalProtect, GlobalProtect cloud service
Resolution

GlobalProtect versions 2.1.1-25 and above


Issue
The GlobalProtect Agent fails to connect to the GlobalProtect portal when the portal's FQDN is configured. The agent log shows the following error:


(T8728) 02/13/15 13:58:55:137 Info (2184): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=0000000001CE29A0)
(T8728) 02/13/15 13:58:55:137 Info (2197): winhttpObj, dwCertError is:
(T8728) 02/13/15 13:58:55:137 Info (2202): WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID


The issue does not occur when the portal's IP address, rather than its FQDN, is configured in the GlobalProtect Agent.


Explanation

The GlobalProtect Agent performs an additional check to protect the SSL connection to the portal: it compares the common name (CN) in the portal's certificate with the FQDN configured in the GlobalProtect Agent. If the CN does not match the locally configured FQDN, the agent treats the portal's certificate as invalid and the connection fails with the WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID error shown above.
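The comparison described above, modelled as an added example (not Palo Alto Networks' code): given the FQDN configured in the agent and the names in the portal certificate (constructed sample values), it reports whether the check passes or fails with the CN_INVALID outcome seen in the log. It goes beyond the article's CN-only wording by also accepting Subject Alternative Name entries and wildcard names under standard TLS hostname-matching rules (an assumption), and mirrors the article's observation that the error is not seen when an IP address is configured.

```python
import ipaddress

# Constructed sample values (not from the article): the FQDN users type into the
# agent and the names found in the portal's certificate.
CONFIGURED_FQDN = "gp.example.com"
PORTAL_CERT_CN = "vpn.example.com"
PORTAL_CERT_SAN = ("vpn.example.com", "*.corp.example.com")


def name_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate name with the configured host.
    Exact match, case-insensitive, or a single leading wildcard label
    (*.example.com matches vpn.example.com but not a.vpn.example.com)."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, must not stand in for the
    # registrable domain itself, and may not span more than one host label.
    if c_labels[0] != "*" or len(c_labels) < 3 or len(c_labels) != len(h_labels):
        return False
    return c_labels[1:] == h_labels[1:]


def portal_name_check(configured_host: str, cert_cn: str, san_dns=()) -> tuple:
    """Model the agent's check: returns ("OK" | "CERT_CN_INVALID" | "SKIPPED", detail)."""
    try:
        ipaddress.ip_address(configured_host)
        # The article reports the error does not appear when an IP address is
        # configured instead of an FQDN, so no name comparison is modelled here.
        return ("SKIPPED", "portal configured by IP address; no FQDN to compare")
    except ValueError:
        pass
    # SAN DNS names are included as an assumption; the article mentions only the CN.
    candidates = [cert_cn, *san_dns]
    for name in candidates:
        if name_matches(name, configured_host):
            return ("OK", f"{configured_host!r} matches certificate name {name!r}")
    return ("CERT_CN_INVALID", f"{configured_host!r} matches none of {candidates}")


if __name__ == "__main__":
    for host in (CONFIGURED_FQDN, PORTAL_CERT_CN, "10.0.0.1", "hq.corp.example.com"):
        status, detail = portal_name_check(host, PORTAL_CERT_CN, PORTAL_CERT_SAN)
        print(f"{status:16} {detail}")
```

Running the script prints one line per scenario; the first (configured FQDN differs from the certificate CN) is the failing case this article describes.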



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clz6CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail