topic Re: Configuring GlobalProtect with Wildcard Certificate in General Topics

Configuring GlobalProtect with Wildcard Certificate

Bocsa — Fri, 08 Jan 2016 16:37:12 GMT

Hi All,

I'm configuring GlobalProtect for the first time and would like to ask a few questions about using a Wildcard certificate to set this up. After going through the below document, I have some questions:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Use-a-Wildcard-SSL-Certificate-with-Subject-Alternative/ta-p/52849

1. The first steps says a Root CA should be created.Does this mean setting the 'Common name' as the wildcard domain name, 'Signed by' External Authority CSR and still ticking the 'Certificate Authority' checkbox (e.g image attached)?

2. I would like the users to access Globalprotect using the address 'vpn.example.com'. If I configure this under the Certificate attributes, will this automatically map it to the Interface IP address I choose for my Gateway IP address?

Your contributions are appreciated.

Re: Configuring GlobalProtect with Wildcard Certificate

pankaku — Tue, 28 Apr 2020 14:26:44 GMT

1> If you are using a public certificate then yes. "https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Generate-a-CSR-Certificate-Signing-Request-and-Import-the/ta-p/53593"

2> You have to have a entry in external dns server for mapping of vpn.example.com to the interface IP address.

Re: Configuring GlobalProtect with Wildcard Certificate

abjain — Mon, 11 Jan 2016 02:25:35 GMT

1. If you are using PA as the Certificate Authority (i.e using self signed certificate), then generate the Root certificate on the firewall (Signed by Field as Blank and Certificate Authority check box ticked). If you are using external CA, then Root CA certificate just needs to be imported on the firewall. In this step, you do NOT need any wildcards.

Only when you are generating certificates for portal or gateway, you have to use the wildcard in the common name (Step 2)

2. Certificate attributes will not map anything. They are static field in the certificate. If you want users to resolve vpn.example.com to your Interface IP address, that should be recorded on the DNS server.