topic Re: GP upgrade beyond 2.2.x in General Topics

GP upgrade beyond 2.2.x

MCmgt — Wed, 29 Mar 2017 17:39:17 GMT

Hi,

I'm running GlobalProtect 2.2.1 on PANOS 7.0.7. I'm preparing to upgrade to 2.3 (and beyond) to finally support some newer client devices. This caveat in the 2.3 release notes made me pause:

If your GlobalProtect 2.2 or earlier release configuration uses a gateway server certificate that is
not issued by a CA that is trusted by your endpoints (for example, self-signed certificates), then
you must add the CA for that certificate to the Trusted Root CA list in the portal client configuration
when upgrading to GlobalProtect 2.3 and later releases to ensure that the GlobalProtect agent
can connect to the GlobalProtect gateway.

I am using a self-signed cert (SSLVPNCert) produced by the firewall as CA on the Gateway.

(As an aside, I'm guessing that the SSL/TLS Service Profile used here was autogenerated during some upgrade that introduced the SSL/TLS Service Profile feature? Note that it does not appear in the list of SSL/TLS Service Profiles. Should this concern me?)

The Portal uses the same cert.

The Portal Agent has the CA (MCVPN_CA) in the Trusted Root CA list.

The CA does not have the Trusted Root CA box checked under Usage.

Am I good-to-go? Or, is the Trusted Root CA checkbox going to bite me? (If so, is it just a matter of clicking it and commiting?)

Re: GP upgrade beyond 2.2.x

BPry — Wed, 29 Mar 2017 18:43:55 GMT

You'll likely need to install the certificate into the trusted certificates of your end-user devices through GPO to get this to function properly.

Re: GP upgrade beyond 2.2.x

ansharma — Wed, 29 Mar 2017 19:19:36 GMT

Hi MCmgt,

The SSL/TLS profile cannot be empty. Please create one and use the certificate that you were using earlier (SSLVPNcert). This profile needs to be used in the portal and gateway. If SSLVPNcert is signed by the MCVPN_CA, then you are fine. Any particular reason, you aren't moving to a 3.1.x version?

Regards,

Anurag

Re: GP upgrade beyond 2.2.x

MCmgt — Wed, 29 Mar 2017 19:39:05 GMT

But the SSL/TLS Profile can be empty...because it works 🙂

The goal is definitely >2.3 ... gotta get those MacOS 10.12 people off my case 🙂

Re: GP upgrade beyond 2.2.x

ansharma — Wed, 29 Mar 2017 19:51:39 GMT

Maybe not when you have your configuration upgraded. This is the first time I am seeing it working like this. No commit errors in your case? I have always seen it working with some profile. For the version, I'd say 3.1.4/5/6. They are the most common in my experience.

Regards,

Anurag

Re: GP upgrade beyond 2.2.x

BPry — Wed, 29 Mar 2017 20:09:55 GMT

@ansharma is actually right in this case this setup shouldn't be working without a SSL/TLS profile assigned, it would be intereseting to see your XML config and see if it's maybe in the reference but the GUI has stopped picking it up after an update or something?

You will likely see this stop functing after upgrading the client if the certificate actually isn't being assigned to your portal.

Re: GP upgrade beyond 2.2.x

BPry — Wed, 29 Mar 2017 20:11:17 GMT

Sidenote: MCVPN_CA still needs to be trusted by your client machines. If they do not trust this CA then they will likely still give you an error.