https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302642#M78858 <P>I have a GP portal with TLS/SSL profile named "aaa.ssl.pr" which contains the "aaa-cert" which commons name is "aaa.com"</P><P>When accessing the portal I see a different certificate in my web browser,</P><P>If I put the same SSL profile on another test portal, I see the correct certificate.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Dec 2019 12:59:43 GMT Trustnet-ET 2019-12-09T12:59:43Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302642#M78858 <P>I have a GP portal with TLS/SSL profile named "aaa.ssl.pr" which contains the "aaa-cert" which commons name is "aaa.com"</P><P>When accessing the portal I see a different certificate in my web browser,</P><P>If I put the same SSL profile on another test portal, I see the correct certificate.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Dec 2019 12:59:43 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302642#M78858 Trustnet-ET 2019-12-09T12:59:43Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302681#M78861 <P>How very odd....</P><P>&nbsp;</P><P>the wrong certificate that you are seeing.... Is it one that's on the firewall. or have you no idea where it came from.</P> Mon, 09 Dec 2019 14:14:05 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302681#M78861 Mick_Ball 2019-12-09T14:14:05Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302685#M78863 <P>It is from another test GP portal I have on the same firewall</P> Mon, 09 Dec 2019 14:46:32 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302685#M78863 Trustnet-ET 2019-12-09T14:46:32Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302686#M78864 <P>so when you ping aaa.com, is it a different address to bbb.com</P> Mon, 09 Dec 2019 14:54:41 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302686#M78864 Mick_Ball 2019-12-09T14:54:41Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302690#M78866 <P>Yes</P> Mon, 09 Dec 2019 15:26:10 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302690#M78866 Trustnet-ET 2019-12-09T15:26:10Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302692#M78867 <P>If you have another GP gateway with no IP configured, it will take precedence and you will see it's certificate when accessing all other gateways which has IP's.</P><P>You can change the no IP gateway to a loopback with a dummy IP and the issue will be resolved.</P><P>The portal /gateway with no IP address takes priority over the portal configured with an IP address.</P><P>Ideally the GP config without an IP is supposed to be done only with DHCP IP and not static IP. So the config using IP as none is incorrect in case of static IP.</P><P>I think Palo has to alert when this configuration taking place,</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHRCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHRCA0</A></P><P>&nbsp;</P><P>TLS Certificate of Global Protect portal /gw with no IP address overrides portal with an IP address<BR />Global Protect presents wrong TLS certificate of another portal.</P> Mon, 09 Dec 2019 15:36:04 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302692#M78867 emilta 2019-12-09T15:36:04Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302693#M78868 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83048">@emilta</a>&nbsp;, great info... i was not aware of this, probably because all my portals and gateways are static.</P><P>&nbsp;</P><P>I have read the link provided but cannot see where it mentions certificate priority, could you forward a link with this info...</P><P>&nbsp;</P><P>Many thanks,</P><P>&nbsp;</P> Mon, 09 Dec 2019 15:40:51 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-presents-wrong-tls-certificate-of-another-portal/m-p/302693#M78868 Mick_Ball 2019-12-09T15:40:51Z