<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic GP certificate differences in 2.3 and 3.1 in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/gp-certificate-differences-in-2-3-and-3-1/m-p/140566#M48294</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We have an internal CA, we have a certificate generated and it is used for GP portal/gateway only, clients are authenticating via usual credentials. Nothing fancy overall. So there are external clients who do not have CA cert installed, so they are getting "untrusted certificate" warning when connecting to the GP gateway. But the GP agent behavior differs between versions 2.3 and 3.1 when connecting to the gateway.&lt;/P&gt;&lt;P&gt;2.3 - click continue, accept the untrusted cert and roll on - login succeeds.&lt;/P&gt;&lt;P&gt;3.1 - click continue, login (because reject happens if invalid credentials are entered), but that is when connection fails with the message: "Gateway 1: Server certificate verification failed". Won't expand on tshoot logs and everything, but is that the way it goes? Is there a workaround other than installing CA cert to trust the issuer? Because if there is trusted cert installed for the issuer CA on the client/agent computer, connection happens fine with both versions.&lt;/P&gt;&lt;P&gt;I've found this: &lt;A href="https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-release-information/changes-to-default-behavior#99749" target="_blank"&gt;https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-release-information/changes-to-default-behavior#99749&lt;/A&gt;, but as far as I understand, this should already happen on 2.3 according to this document. Can't seem to find anything related to 3.1 and what specifically changed there.&lt;/P&gt;&lt;P&gt;Any experience with this?&lt;/P&gt;&lt;P&gt;Cheers!&lt;/P&gt;</description>
    <pubDate>Wed, 01 Feb 2017 21:34:32 GMT</pubDate>
    <dc:creator>nikoo</dc:creator>
    <dc:date>2017-02-01T21:34:32Z</dc:date>
    <item>
      <title>GP certificate differences in 2.3 and 3.1</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-certificate-differences-in-2-3-and-3-1/m-p/140566#M48294</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We have an internal CA, we have a certificate generated and it is used for GP portal/gateway only, clients are authenticating via usual credentials. Nothing fancy overall. So there are external clients who do not have CA cert installed, so they are getting "untrusted certificate" warning when connecting to the GP gateway. But the GP agent behavior differs between versions 2.3 and 3.1 when connecting to the gateway.&lt;/P&gt;&lt;P&gt;2.3 - click continue, accept the untrusted cert and roll on - login succeeds.&lt;/P&gt;&lt;P&gt;3.1 - click continue, login (because reject happens if invalid credentials are entered), but that is when connection fails with the message: "Gateway 1: Server certificate verification failed". Won't expand on tshoot logs and everything, but is that the way it goes? Is there a workaround other than installing CA cert to trust the issuer? Because if there is trusted cert installed for the issuer CA on the client/agent computer, connection happens fine with both versions.&lt;/P&gt;&lt;P&gt;I've found this: &lt;A href="https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-release-information/changes-to-default-behavior#99749" target="_blank"&gt;https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-release-information/changes-to-default-behavior#99749&lt;/A&gt;, but as far as I understand, this should already happen on 2.3 according to this document. Can't seem to find anything related to 3.1 and what specifically changed there.&lt;/P&gt;&lt;P&gt;Any experience with this?&lt;/P&gt;&lt;P&gt;Cheers!&lt;/P&gt;</description>
      <pubDate>Wed, 01 Feb 2017 21:34:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-certificate-differences-in-2-3-and-3-1/m-p/140566#M48294</guid>
      <dc:creator>nikoo</dc:creator>
      <dc:date>2017-02-01T21:34:32Z</dc:date>
    </item>
    <item>
      <title>Re: GP certificate differences in 2.3 and 3.1</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-certificate-differences-in-2-3-and-3-1/m-p/140758#M48307</link>
      <description>&lt;P&gt;Server certificate verification failed usually points to the new check that was added where the Palo Alto will check the CN of the certificate used and the Global Protect Gateway FQDN/IP. These HAVE to match, either both as an IP or both as an FQDN. The gateway IP is where you set the external or internal gateway options.&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Gateway-Certificate-Error-When-Trying-to-Use/ta-p/57043" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Gateway-Certificate-Error-When-Trying-to-Use/ta-p/57043&lt;/A&gt;&lt;/P&gt;&lt;P&gt;- Peter&lt;/P&gt;</description>
      <pubDate>Thu, 02 Feb 2017 16:15:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-certificate-differences-in-2-3-and-3-1/m-p/140758#M48307</guid>
      <dc:creator>sullivanpj2</dc:creator>
      <dc:date>2017-02-02T16:15:26Z</dc:date>
    </item>
  </channel>
</rss>

