GlobalProtect App in Tunnel and Proxy Mode fails to download PAC file due to the 'INVALID CA' error
Created On 02/28/24 07:56 AM - Last Modified 04/20/24 02:46 AM
Symptom
- Configuring the Tunnel and Proxy mode as described in GlobalProtect in Tunnel and Proxy Mode.
- GP App fails to download a PAC file due to the 'INVALID CA' error.
- The following entries appear in the GlobalProtect client logs:
PanGPS.log
(P3648-T7676)Debug( 64): 11/16/23 12:53:40:486 PanHttp: GET https://store.swg.prismaaccess.com/pac/rnzadmnnz/xxxxxxxxxxxxx.pac
(P3648-T7676)Debug( 125): 11/16/23 12:53:40:486 PanHttp: http server=store.swg.prismaaccess.com, port=443
...
(P3648-T7676)Debug( 329): 11/16/23 12:53:40:486 PanHttp:SendWinHttpRequest enter
(P3648-T7676)Debug( 349): 11/16/23 12:53:40:486 PanHttp: First try to send without client cert
(P3648-T6800)Warn (1056): 11/16/23 12:53:40:517 PanHttp: CertError: INVALID_CA
(P3648-T6800)Debug(1146): 11/16/23 12:53:40:517 PanHttp: WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, result=5, error=12175 (ERROR_WINHTTP_SECURE_FAILURE), m_dwServerCertError=8
(P3648-T7676)Debug( 376): 11/16/23 12:53:40:517 PanHttp:SendWinHttpRequest request error
(P3648-T7676)Error( 104): 11/16/23 12:53:40:517 PanHttp: Failed to send http request, error: failed to send request
PanProxyAgent.log
(P3648-T7676)debug11/16/23 12:53:39:362 (369): TASK: Download Pac file start: https://store.swg.prismaaccess.com/pac/rnzadmnnz/xxxxxxxxxxxxx.pac
(P3648-T7676)error11/16/23 12:53:39:484 (398): pac file download failed for https://store.swg.prismaaccess.com/pac/rnzadmnnz/xxxxxxxxxxxxx.pac
(P3648-T7676)criti11/16/23 12:53:39:484 (420): Didn't download any pac file
Environment
- Prisma Access
- PANOS-10.2.4
- GlobalProtect (in Tunnel and Proxy Mode)
- SSL decryption for the proxy PAC URL is performed on MU or the on-premises firewall using the self-signed intermediate certificate.
Cause
- To verify the certificate chain, the GP App needs every certificate in the chain to be imported into the client's Trusted CA certificate store.
- Most web browsers, by contrast, complete certificate chain verification with only the intermediate certificate present.
Resolution
- Install all of the certificates in the certificate chain into the user's Trusted CA certificate store on the client machine.
- This is illustrated by the following example:
- In the example certificate chain below, SSL decryption is performed with the intermediate CA certificate 'PAN-Decrypt_Trust'.
- Install both 'PAN-Decrypt_CA' and 'PAN-Decrypt_Trust' into the user's Trusted CA certificate store so that the GP App can verify the certificate chain successfully.
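The following script is an added diagnostic for the check described above; it is not part of the KB article or of Palo Alto Networks' tooling. Run it on the affected Windows client: it fetches the certificate the decrypting device presents for the PAC host (the host name is assumed from the log excerpt), builds the chain with the Windows chain engine that WinHTTP uses, and reports which CA certificates in that chain are absent from the client's trusted stores.

```powershell
# Added diagnostic; not from the KB article or from Palo Alto Networks.
# Run on the affected Windows client. $PacHost is assumed from the log excerpt above.
param(
    [string]$PacHost = 'store.swg.prismaaccess.com',
    [int]$Port = 443
)

# 1. Fetch the leaf certificate the decrypting device presents for the PAC host.
#    The callback returns $true so the handshake completes; trust is evaluated below.
$tcp = New-Object System.Net.Sockets.TcpClient($PacHost, $Port)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($PacHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 2. Build the chain with the Windows chain engine, which is what WinHTTP (and so
#    the GP App) relies on. Revocation is skipped so that only trust problems show up.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)
"Leaf subject : $($leaf.Subject)"
"Leaf issuer  : $($leaf.Issuer)"      # the CA to look for if the chain is partial
"Chain trusted: $built"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }

# 3. For every CA certificate the engine could place in the chain, show which
#    trusted store (if any) holds it. An issuer reported MISSING, or a chain status
#    of UntrustedRoot/PartialChain, identifies the certificate that still has to be
#    imported, as the resolution above describes.
$storePaths = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
              'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
$installed = Get-ChildItem -Path $storePaths
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    if ($c.Thumbprint -eq $leaf.Thumbprint) { continue }   # skip the leaf itself
    $found = $installed | Where-Object { $_.Thumbprint -eq $c.Thumbprint } |
             ForEach-Object { $_.PSParentPath -replace '^.*::', '' }
    $state = if ($found) { 'present in ' + ($found -join ', ') } else { 'MISSING from all trusted stores' }
    "  CA: $($c.Subject) -> $state"
}
```

Re-run the script after importing the missing certificates; the chain status list should be empty and every CA line should read "present in".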