topic Re: Global protect certificate in General Topics

Global protect certificate

infotech — Mon, 11 Aug 2014 15:05:05 GMT

What are the steps to apply a 3rd party certificate to a global protect client instead of using a self signed cert?

Re: Global protect certificate

VinceM — Mon, 11 Aug 2014 15:15:54 GMT

Hi,

Import both your public cert authority and your certificate CA in your palo.

Then use your CA in authent profile.

Re: Global protect certificate

VinceM — Mon, 11 Aug 2014 15:18:11 GMT

Hi,

Refer to: GlobalProtect Administrator's Guide 6.0 (English)

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 15:24:23 GMT

I will check this out

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 15:34:20 GMT

By public you mean a cert purchased by a 3rd party and I don't believe we have a CA server

Re: Global protect certificate

HULK — Mon, 11 Aug 2014 15:43:02 GMT

Few more reference DOC:

PAN SSL Certificates

Global_Protect_PAN_OS5.pdf

Hope this helps.

Thanks

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 15:50:00 GMT

Good information thanks. We currently have a self signed cert for our global protect and I want to change it to a third party. I assume it only has to be imported to the PA device and does not have to be on a pc that has the GP client installed

Re: Global protect certificate

HULK — Mon, 11 Aug 2014 15:53:50 GMT

Yes, that is correct. During the SSL handshake, PAN will push the certificate information to the client.

GlobalProtect

Thanks

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 15:56:07 GMT

This is what is currently configured

Re: Global protect certificate

_slv_ — Mon, 11 Aug 2014 18:31:35 GMT

Hi Infotech

You will; be probablyh faced with intermediary cert problem, so here You are solution:

How to Install a Chained Certificate Signed by a Public CA

Regards

SLawek

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 18:39:14 GMT

This looks like instrucations on how to install it on a server

Re: Global protect certificate

_slv_ — Mon, 11 Aug 2014 19:02:26 GMT

yes, PAN is a server for GP, please follow Importing Chained PEM Format Certificates - Using Text Editor and import Your cert into PAN.

You can verify is that properly configured using SSL Checker - SSL Certificate Verify

Regards

Slaweke

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 19:04:59 GMT

So you have to do like for any server that has a cert on it export the existing key, send it to a 3rd party vendor,get anothe key and import it onto the PA

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 19:15:01 GMT

I think this link I found inside one of the responses is what I really need

How to Generate a CSR(Certificate Signing Request) and Import the Signed Certificate

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 19:19:53 GMT

What do you put that FQDN?

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 19:57:56 GMT

What I meant to say in my last comment is what do you enter for the FQDM since that PA is not a server. It was pointed out to use during a security audit that we were using a self signed certs and one of my tasks is to put a more secure 3rd party cert on the global protect clients.

Re: Global protect certificate

HULK — Mon, 11 Aug 2014 20:09:04 GMT

It should be a domain name, which will resolve to PAN public IP address (portal address). You can specify the IP address of that interface also.

Thanks

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 20:11:43 GMT

Well I don't have any records in DNS for the PA and it has more than one ISP address

Re: Global protect certificate

HULK — Mon, 11 Aug 2014 20:13:15 GMT

You may specify the GP-portal IP address.

Re: Global protect certificate

infotech — Mon, 11 Aug 2014 21:03:30 GMT

So would it be the 66.94.208.114 address indicated in the pic that I have uploaded with this message and also what if I have a secondary ISP that I fail over too. Will global protect still work? Do I need another cert for that secondary ISP address?