GlobalProtect: The server certificate is invalid. Please contact your IT administrator.
Created On 11/18/19 09:29 AM - Last Modified 02/26/21 23:54 PM
Symptom
When trying to connect to GlobalProtect using the GP Agent, the error message "The server certificate is invalid. Please contact your IT administrator" is displayed.
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- New configuration of GlobalProtect (GP) Portal and Gateway.
Cause
The GlobalProtect gateway name defined in the Portal tab is different from the one defined in the certificate in the SSL/TLS service profile attached in the Gateway tab.
Resolution
1. Go to GUI: Network > GlobalProtect > Portals > (click on the configured Portal) > Agent > (click on the configured Agent) > External > External Gateways.
2. Note down the Address configured for the gateway being used. This will be used for step 3. Refer to the diagram below for help. In this example, the Address is "pam01.gp".
3. Go to GUI: Device > Certificate Management > Certificates and verify the certificate. The common name of the certificate must match the "Address" configured in step 2. In this example, the certificate GP-PortalnExternalCert has a common name (CN) of pam01.gp, which matches the gateway address from step 2 (CN=pavm01.gp).
4. Go to GUI: Network > GlobalProtect > Gateways > (click on the appropriate Gateway name) > Authentication (tab) > SSL/TLS Service Profile. Note down the name of the configured "SSL/TLS Service Profile"; it will be used for step 5.
5. Go to GUI: Device > Certificate Management > SSL/TLS Service Profile > (click the SSL/TLS Service Profile from step 4). For the Certificate, use the certificate from step 3. In the example, the certificate "GP-PortalnExternalCert" is used, which matches the one in step 3.
6. Commit the changes and test the connectivity. The VPN should connect fine.
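The comparison in steps 2 and 3 can also be run from a workstation with `openssl`. The script below is an added example, not part of the original article or of any Palo Alto tooling; the function names are hypothetical. Its subject alternative name (SAN) fallback goes beyond the CN rule the article states.

```shell
# Added example: check a certificate against a GlobalProtect gateway Address.
# Function names are hypothetical; only standard openssl options are used.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the subject common name (CN) of a PEM certificate file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Save the certificate a live gateway presents (needs network access).
fetch_gateway_cert() {   # usage: fetch_gateway_cert ADDRESS OUTFILE
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2"
}

# Compare ADDRESS (step 2) with the certificate in CERTFILE (step 3).
# Prints cn-match, san-match or mismatch; returns 0 unless it is a mismatch.
check_gateway_cert() {   # usage: check_gateway_cert ADDRESS CERTFILE
    gp_addr="$1"; gp_cert="$2"
    gp_cn="$(cert_cn "$gp_cert")"
    # The rule from the article: the CN must equal the configured Address.
    if [ "$(lc "$gp_cn")" = "$(lc "$gp_addr")" ]; then
        echo "cn-match"; return 0
    fi
    # Beyond the article: openssl's own name check, which also reads SANs.
    case "$gp_addr" in
        *:*)       gp_opt=-checkip ;;     # IPv6 literal
        *[!0-9.]*) gp_opt=-checkhost ;;   # anything that is not dotted IPv4
        *)         gp_opt=-checkip ;;
    esac
    if openssl x509 -in "$gp_cert" -noout "$gp_opt" "$gp_addr" |
        grep -q 'does match'; then
        echo "san-match"; return 0
    fi
    echo "mismatch: address=$gp_addr certificate CN=$gp_cn"; return 1
}

# Constructed sample input: a throwaway self-signed certificate with CN $1.
make_sample_cert() {     # usage: make_sample_cert CN OUTFILE
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
    rm -f "$2.key"
}
```

A `mismatch` result for the Address configured under External Gateways corresponds to the condition described under Cause.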