https://live.paloaltonetworks.com/t5/prisma-access-discussions/enhanced-split-tunnel-configuration-tips/m-p/1205403#M1061 <P>If the CA name matches and it still needs SAN it is strange.</P> Sat, 25 Jan 2025 20:14:23 GMT nikoolayy1 2025-01-25T20:14:23Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/enhanced-split-tunnel-configuration-tips/m-p/1086579#M1053 <P>Guys,</P> <P>I was finally able to confirm that split tunnel config file on a web server works, so I would like to share some tips with you.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/host-a-split-tunnel-configuration-file-on-a-web-server" target="_blank">https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/host-a-split-tunnel-configuration-file-on-a-web-server</A></P> <P>This is an explanation for the link above.</P> <P><BR /><STRONG>Mutual TLS is under the same CA.</STRONG></P> <P>Initially, I used let's encrypt for the server certificate, but it doesn't provide a client certificate, so I used a client certificate that I created on local linux. This resulted in an error in PanGPS.log.(AdvancetST: downloaded content is not authenticated)</P> <P><BR />The engineers at paloalto helped me by giving me some useful links to understand mtls.</P> <P><A href="https://medium.com/@nisanth.m.s/guide-setting-up-mtls-authentication-with-openssl-for-client-server-communication-38c0a5cbfa05" target="_blank">https://medium.com/@nisanth.m.s/guide-setting-up-mtls-authentication-with-openssl-for-client-server-communication-38c0a5cbfa05</A></P> <P>Just to add a little bit, this link does not include the SAN, and when you check the operation with the client's browser, you will get a server certificate error.<BR />When creating a CSR and issuing a certificate, it was necessary to add a few commands to include the SAN. Like this.</P> <P>&nbsp;</P> <P><SPAN>openssl req -new -key server.key.pem -out server.csr&nbsp;</SPAN>-addext "subjectAltName = DNS:example.com"</P> <P>&nbsp;</P> <P>openssl ca -config /root/mtls/openssl.cnf -extfile san.txt -days 1650 -notext -batch -in server.csr -out serve<BR />r.cert.pem</P> <P>san.txt contains&nbsp;subjectAltName = DNS:example.com</P> <P>&nbsp;</P> <P><STRONG>Any private key can be used to sign the file. It has nothing to do with mtls. Register the corresponding public key in Prisma Access.</STRONG></P> <P><BR />Even after looking at the setup guide, I'm still confused as to which private key to use.<BR />However, the palo engineer told me that ``anything is fine,'' and the problem became clear.</P> <P>&nbsp;</P> <P>I'm looking forward to this, as it allows for more flexible route control than internal host detection.</P> Thu, 16 Jan 2025 16:52:13 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/enhanced-split-tunnel-configuration-tips/m-p/1086579#M1053 M.Kitano449950 2025-01-16T16:52:13Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/enhanced-split-tunnel-configuration-tips/m-p/1205403#M1061 <P>If the CA name matches and it still needs SAN it is strange.</P> Sat, 25 Jan 2025 20:14:23 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/enhanced-split-tunnel-configuration-tips/m-p/1205403#M1061 nikoolayy1 2025-01-25T20:14:23Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/enhanced-split-tunnel-configuration-tips/m-p/1205478#M1062 <P>Hi Nikoolayy1,</P> <P>Thank you for your reply.<BR />Starting with Chrome 58, a certificate error will occur if you do not use SAN instead of common name.<BR />I didn't like this error because I first tested it in a browser, but the GP agent may not care.</P> <P>Please let me know if you can get the split tunnel config using only Common Name.</P> <P>&nbsp;</P> Mon, 27 Jan 2025 13:03:47 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/enhanced-split-tunnel-configuration-tips/m-p/1205478#M1062 M.Kitano449950 2025-01-27T13:03:47Z