Diferences between Global protect 1.2 and 2.3 clients?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Diferences between Global protect 1.2 and 2.3 clients?

L4 Transporter

Folks.

 

I upgraded my firewalls from 2020's to 3050's on the weekend (oh, and isn't it a joy to have firewalls that I can actually administer without waiting 20 minutes for something to happen on!), but I ran into a bit of a problem with upgrading Global Protect.

 

My old firewalla ran the 1.2 client because I didn't want to load it up with anything extra - when I put the new firewalls in, I installed/activated the latest client (2.3.1), however it wouldn't connect - I kept getting an error about failing to verify the server cert - when I know my certificate on the SSL portal is valid (and obtained from an external registrar).

 

Can anyone tell me if there is some difference in config or certificate requirements between the V1.2 client and the V 2.3 client that I missed when I tried the upgrade?

 

Thanks.

1 accepted solution

Accepted Solutions

When defining the gateways under the portal configuraiton. If CN have FQDN  then specify the FQDN, If CN have IP address then specify IP address.

 

While defining the external gateway you are right

View solution in original post

6 REPLIES 6

L4 Transporter

Hi

 

I guess that You havent properly installed ssl cert with intermidiate cert

Please verify it by https://www.sslshopper.com/ssl-checker.html

 

You can read about Intermediate Certificate Authority (CA):

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15690

 

 

Regards

Slawek

L5 Sessionator

 

There is a change in the default behaviour in the global protect from 2.3.0

In Global protect 2.2 and previous version if the Trust CA is configured in the Portal then only the agent will validate the gateway certificate.

From agent 2.3 the agent will always check the validity of the gateway server certificate and if the agent cannot validate the certificate, it will not connect to the GlobalProtect gateway.

Validate means whether the certificate is signed by a CA which is trusted by that machine.

Other thing is If the CN of certificate have IP address then it should match to the IP address of the interface used in the portal. If the CN is domain name then the IP it resolves to should match to the IP address of the interface used in portal.

 

When defining the gateways under the portal configuraiton. If CN have FQDN  then specify the FQDN, If CN have IP address then specify IP address.

 

Rate the helpful answer.

> I guess that You havent properly installed ssl cert with intermidiate cert

 

You guess incorrectly. The certificate was working fine on the old client - and checks out perfectly using your SSL checker page.

 

Thanks anyway

> There is a change in the default behaviour in the global protect from 2.3.0

 

That's the answer I was looking for. There is a difference.

 

> Validate means whether the certificate is signed by a CA which is trusted by that machine

 

The certificate I am using is signed by an external CA, and the entire intermediate chain is included - it's not from a "top level CA", but the full chain is valid and checks out.

 

Which is kinda why I couldn't understand why the 2.3 client wouldn't validate it.

 

> When defining the gateways under the portal configuraiton. If CN have FQDN  then specify the FQDN, If CN have IP address then specify IP address.

 

Not sure what you mean here - when I define the portal, the name is the FQDN. Do you mean the "external gateway" name should also be the FQDN rather than the IP address of the gateway?

 

Sorry this has taken a while to reply to - for some reason, I didn't get a notificaiton of your reply - I'll have to go and check my profile and make sure it's set to send them to me.

When defining the gateways under the portal configuraiton. If CN have FQDN  then specify the FQDN, If CN have IP address then specify IP address.

 

While defining the external gateway you are right

OK, I've reconfigured appropriately, and will test the latest client to make sure it works.

 

Thanks!

  • 1 accepted solution
  • 2940 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!