topic Re: PAN-OS and Global Protect software in General Topics

PAN-OS and Global Protect software

VSU_ITSEC — Wed, 07 Oct 2015 18:50:42 GMT

I plan to update to PAN-OS 6.1.6 and GP 2.3.1.

Currently at 6.1.0, and 2.1.1.

Any suggestions or issues?

Thanks in advance

//moe

Re: PAN-OS and Global Protect software

pankaku — Wed, 07 Oct 2015 19:44:42 GMT

There is a change in the default behaviour in the global protect from 2.3.0

In Global protect 2.2 and previous version if the Trust CA is configured in the Portal then only the agent will validate the gateway certificate.

From agent 2.3 the agent will always check the validity of the gateway server certificate and if the agent cannot validate the certificate, it will not connect to the GlobalProtect gateway.

Validate means whether the certificate is signed by a CA which is trusted by that machine.

Other thing is If the CN of certificate have IP address then it should match to the IP address of the interface used in the portal. If the CN is domain name then the IP it resolves to should match to the IP address of the interface used in portal.

When defining the gateways (External/Internal) under the portal configuraiton. If CN have FQDN then specify the FQDN, If CN have IP address then specify IP address.

Re: PAN-OS and Global Protect software

VSU_ITSEC — Wed, 07 Oct 2015 21:27:52 GMT

Thank you for that.

How doe sthis apply to a wildcard cert?

Re: PAN-OS and Global Protect software

VinceM — Thu, 08 Oct 2015 07:46:06 GMT

Hi,

If you really need GP, it can be interesting for you to upgrade to V7. In this release, licence had been simplify.

According the VY RN: "You can now use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple external gateways, without any GlobalProtect licenses. The portal license, which was required to enable this functionality, has been deprecated. However, advanced features including Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to PAN-OS 7.0 or later."

We are in 7.0.2 and everything works well 🙂

Hope help.

Re: PAN-OS and Global Protect software

pankaku — Thu, 08 Oct 2015 09:11:23 GMT

If you are using a certifiacte signed by a trusted CA so you don't have to worry about it.

Just take care of the following part

If the CN of certificate have IP address then it should match to the IP address of the interface used in the portal. If the CN is domain name then the IP it resolves to should match to the IP address of the interface used in portal.

When defining the gateways (External/Internal) under the portal configuraiton. If CN have FQDN then specify the FQDN, If CN have IP address then specify IP address.

Re: PAN-OS and Global Protect software

VSU_ITSEC — Thu, 08 Oct 2015 19:05:34 GMT

Thanks, V., but PA tech support didn't sound as convincing as you ;^).

I'll consider... perhaps there are others seeing this who share your experience? (holla!)

Re: PAN-OS and Global Protect software

VSU_ITSEC — Thu, 08 Oct 2015 19:10:31 GMT

Forgive my limited knowlegde of certs, Pakumar. Are you saying that the GP config on the remote device should match what is on the cert?

Re: PAN-OS and Global Protect software

pankaku — Thu, 08 Oct 2015 19:19:52 GMT

Check the highlihted area the CN name is a IP address so in the portal config I have sepecified IP address for gateway.

If thhe CN is vpn.abc.com then I have to specify vpn.abc.com in the portal config for gateway.

and the nslookup for vpn.abc.com should map to the IP address that you are using for portal.

Re: PAN-OS and Global Protect software

VSU_ITSEC — Thu, 08 Oct 2015 20:48:18 GMT

crystal clear! thanks....

Re: PAN-OS and Global Protect software

VSU_ITSEC — Mon, 12 Oct 2015 20:08:02 GMT

A note to all - the upgrade to 6.1.6 only worked on one of my 2 PA-5020s. The dataplane kept crashing on my primary (Dataplane is down: too many dataplane processes exited). has anyone experienced similar? Rebooting with the interfaces disconnected (all except managment and HA) did not solve.

Re: PAN-OS and Global Protect software

glastra1 — Tue, 13 Oct 2015 20:17:26 GMT

Try to upgrade to 6.1.7 where multiple dataplane restart issues were solved

Check the release notes for the following IDs and try to match them with your enviroment,

80720

82370

80251

79719

76875

66681

If that doesn't solve your issue, opean a TAC case,

Regards,

Gerardo.

Re: PAN-OS and Global Protect software

CHANDRASHEKHAR.BRAMAPRAKASH — Wed, 15 Dec 2021 06:01:42 GMT

Hi Team,

I am facing the same issue, I have global protect installed, the version is 5.2.8-23, on the gateway i am using FQDN.

when i try to connect GP i am getting the error "the certificate is not signed by a trusted certificate authority". if i install the root certificate on the local machine, it works fine. but I am not doing any certificate based authentication. Could you please tell me is it mandatory to install the root certificate on all the end machines to connect global protect.?

Re: PAN-OS and Global Protect software

aleksandar.astardzhiev — Wed, 15 Dec 2021 16:22:12 GMT

Hi @CHANDRASHEKHAR.BRAMAPRAKASH ,

When you configure GlobalProtect Portal and Gateway, you need to assign SSL certificate that firewall will provide as server certificate when connecting to GP. It looks like you are using certificate that is self-signed or signed by internal PKI, that is not trusted by default. You have few options:

- Request SSL server certificate from public Certificate Authority.

- If you are using self-signed server certificate you must install the root CA (that was used to generate the server cert) to each machined that will connect to GP

- Strongly against this option, but if you still want to use self-signed certificate, without installing the root CA - there is an option to ignore the invalid SSL certificate and continue with vpn connection. This is under GP portal -> Agent Config -> App

I would recommend to use this option only in test/PoC environment, because it will completely bypass certificate validation, which is only protection agains man-in-the-middle attack