GlobalProtect App fails to connect to Portal or Gateway after upgrade to macOS Sequoia 15.x

Created On 10/21/25 08:46 AM - Last Modified 12/10/25 03:09 AM


Symptom


  • GlobalProtect users experience connection issues on macOS Sequoia 15.x following an upgrade.
  • The client fails to connect to the Portal, returning the error: 'Cannot connect to the network. The portal is unresponsive'
  • When using the Portal's cached configuration (bypassing the initial error), the same issue occurs when attempting to connect to the Gateway, showing the error: 'The network connection is unreachable or the gateway is unresponsive'
  • PanGPS logs display: Connection error Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."


Environment


  • Palo Alto Firewalls
  • Prisma Access Firewalls
  • Supported PAN-OS
  • GlobalProtect App
  • macOS: Sequoia 15.4.x or higher 


Cause


  • This issue has become widespread in environments where the certificate used for GlobalProtect server-side authentication is a root CA certificate
  • Accessing the Portal also fails when using the Safari web browser due to a recent OS update.


Resolution


The root cause is a change in the OS default behavior. To fix the issue, follow these security best practices:

  1. Avoid using a root CA as server cert for the GlobalProtect TLS/SSL service profile.
  2. Use a server cert (end entity/leaf cert) instead.
  3. Ensure that the server certificate contains the proper ExtendedKeyUsage x509 extension for the intended use: TLS server authentication.
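
One way to check a certificate against the three steps above before assigning it to the SSL/TLS service profile, as an added example that is not part of the original article or any Palo Alto Networks tooling. The function names, file names and the `gp-example.invalid` subject are assumptions, and the two sample certificates are throwaway ones constructed by the script itself.

```shell
# Added example (not from the original article). Exit status 0 only when the
# PEM certificate is a leaf (not CA:TRUE) whose EKU lists TLS server auth.
check_gp_server_cert() {
    local pem="$1" text rc=0
    text=$(openssl x509 -in "$pem" -noout -text) || return 2
    # Steps 1-2: a CA certificate must not be used as the server certificate.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL: $pem is a CA certificate (basicConstraints CA:TRUE)"; rc=1
    fi
    # Step 3: ExtendedKeyUsage must include serverAuth.
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: $pem has no ExtendedKeyUsage for TLS server authentication"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $pem is a leaf certificate with serverAuth"; fi
    return "$rc"
}

# Constructed sample input: throwaway self-signed certificates.
# $1 = output PEM, $2 = basicConstraints value, $3 = optional extendedKeyUsage
make_sample() {
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=gp-example.invalid\n[ext]\nbasicConstraints=%s\n' "$2"
        if [ -n "${3:-}" ]; then printf 'extendedKeyUsage=%s\n' "$3"; fi
    } > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp/root.pem" 'critical,CA:TRUE'         # the failing setup: root CA
make_sample "$tmp/leaf.pem" 'CA:FALSE' 'serverAuth'    # the recommended setup
check_gp_server_cert "$tmp/root.pem" || true           # reports both FAIL lines
check_gp_server_cert "$tmp/leaf.pem"                   # reports OK
```

To check what a portal or gateway actually presents, save its certificate to a PEM file first (for example from the output of `openssl s_client -connect <portal-fqdn>:443 -showcerts`) and pass that file to `check_gp_server_cert`.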



Additional Information


N/A
