https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329303#M83614 <P>Hi Team,</P><P>&nbsp;</P><P>I have question, currently, on firewall PA-500, we do 2 gateway VPN. Its mean have 2 WAN(ISP).&nbsp; So few users will use VPN via WAN1, and few users will use VPN via WAN2.&nbsp; Existing VPN using WAN1. So certificate CN name(IP address) point to Gateway WAN1.&nbsp; after added WAN2 and new gateway from WAN2. We notice have certificate mismatch when users try to connect GP VPN IP gateway WAN2.<BR /><BR />So if I rename CN name of certificate from IP ADDRESS TO FQDN, have any charge from Palo Alto.? Or free to rename. not need to pay.?</P><P>&nbsp;</P><P>Thanks.</P> Fri, 22 May 2020 03:12:16 GMT abdulhakam 2020-05-22T03:12:16Z https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329303#M83614 <P>Hi Team,</P><P>&nbsp;</P><P>I have question, currently, on firewall PA-500, we do 2 gateway VPN. Its mean have 2 WAN(ISP).&nbsp; So few users will use VPN via WAN1, and few users will use VPN via WAN2.&nbsp; Existing VPN using WAN1. So certificate CN name(IP address) point to Gateway WAN1.&nbsp; after added WAN2 and new gateway from WAN2. We notice have certificate mismatch when users try to connect GP VPN IP gateway WAN2.<BR /><BR />So if I rename CN name of certificate from IP ADDRESS TO FQDN, have any charge from Palo Alto.? Or free to rename. not need to pay.?</P><P>&nbsp;</P><P>Thanks.</P> Fri, 22 May 2020 03:12:16 GMT https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329303#M83614 abdulhakam 2020-05-22T03:12:16Z https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329312#M83615 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/134123">@abdulhakam</a>&nbsp;,</P><P>&nbsp;</P><P>It seems you are using Palo Alto self signed certificate for your GP VPN. For VPN 2, you can generate new certificate and use it in new ssl profile. This profile can be used for VPN2.</P><P>&nbsp;</P><P>If you are trying to change CN of existing self signed certificate, may be system won't allow you to change it. Best way is to generate new cert and use it for VPN2.</P><P>&nbsp;</P><P>There shouldn't be any cost or charges involved in this.</P><P>&nbsp;</P><P>Hope it helps!</P><P>Mayur</P> Fri, 22 May 2020 05:49:41 GMT https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329312#M83615 SutareMayur 2020-05-22T05:49:41Z https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329816#M83687 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;<BR /><BR />Thanks For Answer,</P><P>&nbsp;</P><P>Yes, I can't rename the CN existing. I will generate new certificate and CN name will be FQDN not IP Address.</P><P>&nbsp;</P><P>It will work if i have using two gateway(VPN1 and VPN2) using CN name FQDN.?</P><P>&nbsp;</P><P>Thanks</P> Tue, 26 May 2020 07:13:23 GMT https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329816#M83687 abdulhakam 2020-05-26T07:13:23Z https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329832#M83688 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/134123">@abdulhakam</a>&nbsp;,</P><P>&nbsp;</P><P>Yes it will work using certificate which is generated for FQDN as well. If you are using FQDN to connect GP then that certificate will get accepted and trust will be build. If you are using IP address to connect GP and certificate used is generated for CN as FQDN then there will be mismatch. So you need to check in this regard also.</P><P>&nbsp;</P><P>Mayur</P> Tue, 26 May 2020 07:55:08 GMT https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/329832#M83688 SutareMayur 2020-05-26T07:55:08Z https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/332238#M84016 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp; ,</P><P>&nbsp;</P><P>"Best way is to generate new cert and use it for VPN2."</P><P>&nbsp;</P><P>U mean generate new cert and setup same like existing cert. I mean setup From A to Z..&nbsp;<BR /><BR />like this <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK</A><BR /><BR /><BR /></P> Mon, 08 Jun 2020 08:21:27 GMT https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/332238#M84016 abdulhakam 2020-06-08T08:21:27Z https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/332483#M84054 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/134123">@abdulhakam</a>,</P><P>&nbsp;</P><P>Yes, you can generate new certificate on Palo Alto. Then create new SSL/TLS profile and map that certificate in it. You can use this SSL/TLS profile for VPN2.</P><P>&nbsp;</P><P>Mayur</P> Tue, 09 Jun 2020 04:47:34 GMT https://live.paloaltonetworks.com/t5/general-topics/rename-cn-name-certificate-globalprotect/m-p/332483#M84054 SutareMayur 2020-06-09T04:47:34Z