https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34605#M25394 <HTML><HEAD></HEAD><BODY><P>Even if the url and IP address are different?</P></BODY></HTML> Thu, 21 Aug 2014 15:40:35 GMT infotech 2014-08-21T15:40:35Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34603#M25392 <HTML><HEAD></HEAD><BODY><P>My main PA is configured for dual ISP's and I am going to put third party certs for my global protect clients. Do I put two certs on? One for each ISP?</P></BODY></HTML> Thu, 21 Aug 2014 13:51:00 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34603#M25392 infotech 2014-08-21T13:51:00Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34604#M25393 <HTML><HEAD></HEAD><BODY><P>Hello Infotech,</P><P></P><P>You can use the same <SPAN class="GINGER_SOFTWARE_mark">cert</SPAN> for both ISP.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 21 Aug 2014 14:42:23 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34604#M25393 HULK 2014-08-21T14:42:23Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34605#M25394 <HTML><HEAD></HEAD><BODY><P>Even if the url and IP address are different?</P></BODY></HTML> Thu, 21 Aug 2014 15:40:35 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34605#M25394 infotech 2014-08-21T15:40:35Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34606#M25395 <HTML><HEAD></HEAD><BODY><P><SPAN class="GINGER_SOFTWARE_mark">it</SPAN> might give you a certificate CN mismatch warning.</P></BODY></HTML> Thu, 21 Aug 2014 15:43:37 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34606#M25395 HULK 2014-08-21T15:43:37Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34607#M25396 <HTML><HEAD></HEAD><BODY><P>You can follow the suggestion given by Steven Pulika in the other discussion thread.</P></BODY></HTML> Thu, 21 Aug 2014 15:56:25 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34607#M25396 HULK 2014-08-21T15:56:25Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34608#M25397 <HTML><HEAD></HEAD><BODY><P>infotech,</P><P></P><P>Think of a certificate as belonging to a FQDN - you should have one certificate per FQDN. For example, many people create an A record in their external DNS server for vpn.mycompany.com - then purchase a certificate for vpn.mycompany.com. Via DNS, you can modify the IP behind that URL at anytime, but the certificate will always match the URL.</P><P></P><P>If you have two separate URLs with different FQDNs, you will need two separate certificates. If you have one FQDN but two IP addresses, you only need one certificate.</P></BODY></HTML> Fri, 22 Aug 2014 14:12:12 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34608#M25397 jtyler 2014-08-22T14:12:12Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34609#M25398 <HTML><HEAD></HEAD><BODY><P>So if I use the ip address instead of the FQDM it gives me the cert error but I can go ahead and click continue and it still works right? But if I use the FQDn it doesn't give me an error and passes me on to where I am going. Other than the annoying message how is that batter?</P></BODY></HTML> Mon, 25 Aug 2014 17:17:14 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34609#M25398 infotech 2014-08-25T17:17:14Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34610#M25399 <HTML><HEAD></HEAD><BODY><P>Hello Infotech,</P><P></P><P>Yes you are right, its just an cert error, and it will still work. There is a logic behind error.</P><P></P><P>If user tries to access Site through IP and cert has FQDN than user gets warning that "He might be connected to wrong site because certificate has different CN(FQDN) name".</P><P></P><P>Basically software is trying to inform user that he might be connecting to fake site. So, now user has chance to relook URL and certificate details to validate the same.</P><P></P><P><SPAN>Sometimes Hackers change DNS records. Lets say they change DNS record for bankofamerica.com and point it to their server. Now user is connecting to </SPAN><A class="jive-link-external-small" href="https://bankofamerica.com" rel="nofollow">https://bankofamerica.com</A><SPAN>, he connects to hackers server. But hackers server gives certificate with different CN name. </SPAN></P><P></P><P>Now software prompts user to check certificate, based on certificate CN name he can determine its an attack. So its security mechanism.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 25 Aug 2014 17:27:48 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34610#M25399 hshah 2014-08-25T17:27:48Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34611#M25400 <HTML><HEAD></HEAD><BODY><P>Well if I am trying to connect through a global protect client does it really matter if the get the error and have to hit continue. It seems like it would be more usefull if they were found not to have the correct cert on them they would be denied access.</P><P>Remoting to a network using global protect is different that going to a wrong web site.</P></BODY></HTML> Mon, 25 Aug 2014 19:29:59 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34611#M25400 infotech 2014-08-25T19:29:59Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34612#M25401 <HTML><HEAD></HEAD><BODY><P>Hello Infotech,</P><P></P><P>GP and accessing website follows same logic as long as certificate is considered.</P><P></P><P>In your case certificate error doesnt matter, user can still access GP, he just need to accept warning. Let me know if you have further query.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 25 Aug 2014 19:33:32 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34612#M25401 hshah 2014-08-25T19:33:32Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34613#M25402 <HTML><HEAD></HEAD><BODY><P>Hello Infotech,</P><P></P><P>You have an option in GP configuration, if the portal certificate is invalid, the user will not be able to connect to the GP.</P><P></P><P>FYI:</P><P><IMG alt="GP-cert.jpg" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15069_GP-cert.jpg" style="height: 421px; width: 620px;" /></P><P></P><P>Thanks</P></BODY></HTML> Mon, 25 Aug 2014 19:41:57 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34613#M25402 HULK 2014-08-25T19:41:57Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34614#M25403 <HTML><HEAD></HEAD><BODY><P>Where is the setting located at hulk I don't see it</P></BODY></HTML> Mon, 25 Aug 2014 19:45:34 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34614#M25403 infotech 2014-08-25T19:45:34Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34615#M25404 <HTML><HEAD></HEAD><BODY><P>Go to Network &gt; Global Protect &gt; Portal &gt;Agent configuration. There you will get these options.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 25 Aug 2014 19:48:06 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34615#M25404 HULK 2014-08-25T19:48:06Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34616#M25405 <HTML><HEAD></HEAD><BODY><P>I went there and I don't see it</P></BODY></HTML> Mon, 25 Aug 2014 19:49:11 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34616#M25405 infotech 2014-08-25T19:49:11Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34617#M25406 <HTML><HEAD></HEAD><BODY><P>Could you please share a screenshot.</P></BODY></HTML> Mon, 25 Aug 2014 19:56:09 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34617#M25406 HULK 2014-08-25T19:56:09Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34618#M25407 <HTML><HEAD></HEAD><BODY><P>what are you referring too when you say external DNS server?</P></BODY></HTML> Mon, 25 Aug 2014 20:30:34 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34618#M25407 infotech 2014-08-25T20:30:34Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34619#M25408 <HTML><HEAD></HEAD><BODY><P>Could you please login as admin user and verify this option.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 25 Aug 2014 20:30:54 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34619#M25408 HULK 2014-08-25T20:30:54Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34620#M25409 <HTML><HEAD></HEAD><BODY><P>Same options when I log in as an admin and my PA version is 5.06</P></BODY></HTML> Mon, 25 Aug 2014 20:54:31 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp/m-p/34620#M25409 infotech 2014-08-25T20:54:31Z