GlobalProtect Portal and Gateway need same Certificate Profile when on same IP address

24077
Created On 09/25/18 17:30 PM - Last Modified 04/19/24 18:59 PM


Symptom


This article explains why the GlobalProtect Portal and Gateway must use the same Certificate Profile when they share an IP address.



Environment


  • PAN-OS firewall
  • GlobalProtect Portal and Gateway
  • Certificate Profile


Cause


Client certificate authentication fails on the Portal when only the Portal has a Certificate Profile and the Portal and Gateway are configured on the same IP address.



Resolution


For GlobalProtect client certificate authentication, when the Portal and Gateway are on the same IP address the Certificate Profile configured on the Gateway takes precedence and is used for authentication on both the Portal and the Gateway; the Portal's own Certificate Profile is not consulted. If the Gateway has no Certificate Profile, there is nothing to validate the client certificate against, so authentication fails even though the Portal has a profile configured. Hence both Portal and Gateway need the same Certificate Profile for authentication to succeed when they share an IP address. If the two really must use different profiles, put them on different IP addresses (see Scenario#4 and Scenario#5 below).



Additional Information


The following scenarios illustrate the client certificate authentication behavior:

  1. Scenario#1
  • GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  • GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: 10.0.0.1) with no Certificate Profile

Client certificate authentication fails: because both are on the same IP address, the Gateway's Certificate Profile takes precedence, and the Gateway has none, so the Portal's Cert-Prof-1 is never used.

  2. Scenario#2
  • GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) with no Certificate Profile
  • GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1

Client certificate authentication works: because both are on the same IP address, the Gateway's Cert-Prof-1 is used for both Portal and Gateway.

  3. Scenario#3
  • GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  • GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-2

Certificate Profile Cert-Prof-2 is used for both Portal and Gateway client certificate authentication; the Portal's Cert-Prof-1 is ignored.

  4. Scenario#4
  • GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  • GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: 10.0.0.2) using Certificate Profile Cert-Prof-2

Cert-Prof-1 is used for the Portal and Cert-Prof-2 for the Gateway, because they have different IP addresses even though they are on the same interface.

  5. Scenario#5
  • GlobalProtect Portal configured on ethernet1/3 (IP Address: 10.0.0.1) using Certificate Profile Cert-Prof-1
  • GlobalProtect Gateway configured on ethernet1/4 (IP Address: 10.1.0.1) using Certificate Profile Cert-Prof-2

Cert-Prof-1 is used for the Portal and Cert-Prof-2 for the Gateway, because they are on different interfaces and different IP addresses.
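The precedence rule above is easy to get wrong in a configuration review, so the following script models it and flags the failing and surprising cases. This is an added example, not Palo Alto Networks code: the GPEndpoint data model, the severity labels and the assumption that at most one gateway shares a portal's IP are illustrative; the rule it implements (same IP: the Gateway's profile is used for both, none on the Gateway means failure; different IPs: each uses its own) is the one stated in this article. The embedded inputs are constructed to reproduce the five scenarios, and the audit generalizes to any number of portals and gateways.

```python
"""Model of the GlobalProtect client-certificate precedence rule described in
this article, plus an audit check for the failing configuration.

Added example, not Palo Alto Networks code. The data model (GPEndpoint) and
the audit output format are assumptions made for illustration; the rule
itself is the one the article states:
  * portal and gateway on the same IP address -> the gateway's Certificate
    Profile is used for both (no profile on the gateway -> auth fails)
  * portal and gateway on different IPs       -> each uses its own profile
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GPEndpoint:
    name: str
    interface: str
    ip: str
    cert_profile: Optional[str]  # None = no Certificate Profile configured


def effective_portal_profile(portal: GPEndpoint,
                             gateways: List[GPEndpoint]) -> Tuple[Optional[str], str]:
    """Return (profile used for client-cert auth on the portal, reason)."""
    # Only the IP address matters; the interface name does not (Scenario#4).
    colocated = [g for g in gateways if g.ip == portal.ip]
    if not colocated:
        return portal.cert_profile, "portal has its own IP, so its own profile applies"
    gw = colocated[0]  # assumption: at most one gateway shares the portal IP
    if gw.cert_profile is None:
        return None, (f"gateway {gw.name} shares {portal.ip} but has no "
                      "Certificate Profile; client certificate auth on the portal fails")
    return gw.cert_profile, (f"gateway {gw.name} shares {portal.ip}; "
                             f"its profile {gw.cert_profile} takes precedence")


def audit(portals: List[GPEndpoint],
          gateways: List[GPEndpoint]) -> List[Tuple[str, str, str]]:
    """Flag portals whose configured profile is not the one that will be used.

    Returns (severity, portal name, explanation) tuples. Severity:
      FAIL - client cert auth on the portal fails outright (Scenario#1)
      WARN - a profile other than the portal's own is enforced (Scenario#3)
    """
    findings = []
    for p in portals:
        if p.cert_profile is None:
            continue  # no client-cert auth intended on the portal itself
        used, why = effective_portal_profile(p, gateways)
        if used is None:
            findings.append(("FAIL", p.name, why))
        elif used != p.cert_profile:
            findings.append(("WARN", p.name,
                             f"portal is configured with {p.cert_profile} but {why}"))
    return findings


# Constructed inputs reproducing the article's five scenarios.
def _pair(p_if, p_ip, p_prof, g_if, g_ip, g_prof):
    return ([GPEndpoint("gp-portal", p_if, p_ip, p_prof)],
            [GPEndpoint("gp-gateway", g_if, g_ip, g_prof)])


SCENARIOS: Dict[int, Tuple[List[GPEndpoint], List[GPEndpoint]]] = {
    1: _pair("ethernet1/3", "10.0.0.1", "Cert-Prof-1", "ethernet1/3", "10.0.0.1", None),
    2: _pair("ethernet1/3", "10.0.0.1", None,          "ethernet1/3", "10.0.0.1", "Cert-Prof-1"),
    3: _pair("ethernet1/3", "10.0.0.1", "Cert-Prof-1", "ethernet1/3", "10.0.0.1", "Cert-Prof-2"),
    4: _pair("ethernet1/3", "10.0.0.1", "Cert-Prof-1", "ethernet1/3", "10.0.0.2", "Cert-Prof-2"),
    5: _pair("ethernet1/3", "10.0.0.1", "Cert-Prof-1", "ethernet1/4", "10.1.0.1", "Cert-Prof-2"),
}


def run_scenarios() -> Dict[int, Tuple[Optional[str], List[Tuple[str, str, str]]]]:
    """For each scenario: (profile used on the portal, audit findings)."""
    results = {}
    for n, (portals, gateways) in SCENARIOS.items():
        used, _ = effective_portal_profile(portals[0], gateways)
        results[n] = (used, audit(portals, gateways))
    return results


if __name__ == "__main__":
    for n, (used, findings) in run_scenarios().items():
        print(f"Scenario#{n}: portal uses {used!r}; findings={findings}")
```

To use this against a real deployment, build the GPEndpoint lists from your own inventory of Portal and Gateway configurations (local interface, IP address, Certificate Profile) and run audit(); any FAIL is exactly the condition this article describes, and a WARN tells you which profile will actually be enforced on the Portal.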



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFzCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail