I upgraded my firewalls from 2020s to 3050s on the weekend (oh, and isn't it a joy to have firewalls that I can actually administer without waiting 20 minutes for something to happen!), but I ran into a bit of a problem with upgrading GlobalProtect.
My old firewalls ran the 1.2 client because I didn't want to load them up with anything extra. When I put the new firewalls in, I installed/activated the latest client (2.3.1); however, it wouldn't connect. I kept getting an error about failing to verify the server cert, when I know my certificate on the SSL portal is valid (and obtained from an external registrar).
Can anyone tell me if there is some difference in config or certificate requirements between the v1.2 client and the v2.3 client that I missed when I tried the upgrade?
I guess that you haven't properly installed the SSL cert with the intermediate cert.
Please verify it with https://www.sslshopper.com/ssl-checker.html
You can read about Intermediate Certificate Authority (CA):
There is a change in the default behaviour of GlobalProtect from 2.3.0.
In GlobalProtect 2.2 and previous versions, the agent will validate the gateway certificate only if the Trusted CA is configured in the portal.
From agent 2.3, the agent will always check the validity of the gateway server certificate, and if the agent cannot validate the certificate, it will not connect to the GlobalProtect gateway.
Validate means checking whether the certificate is signed by a CA that is trusted by that machine.
The other thing is: if the CN of the certificate has an IP address, then it should match the IP address of the interface used in the portal. If the CN is a domain name, then the IP it resolves to should match the IP address of the interface used in the portal.
When defining the gateways under the portal configuration: if the CN has an FQDN, specify the FQDN; if the CN has an IP address, specify the IP address.
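As an added example (not code from this thread, and not Palo Alto Networks' own implementation), the two checks described in the replies above, reproduced with openssl on a throwaway PKI: first, whether the gateway certificate chains to a trusted root, with and without the intermediate installed (the "intermediate cert" point and the SSL checker link), and second, whether the name the portal hands out for the gateway matches what the certificate carries (the "specify the FQDN or the IP" point). The CA names, the FQDN vpn.example.com and the IP 203.0.113.10 are assumed values used only to build the test chain; the agent does not literally shell out to openssl, the script just shows what passes and what fails under each check.

```shell
#!/bin/sh
# Added example, not code from the thread or from Palo Alto Networks: reproduce
# with openssl the two checks the GlobalProtect 2.3+ agent applies to the gateway
# certificate. The CA names, the FQDN vpn.example.com and the IP 203.0.113.10
# are assumed values used only to build a throwaway test PKI.
set -eu

GW_FQDN="vpn.example.com"   # assumed FQDN in the gateway certificate's CN and SAN
GW_IP="203.0.113.10"        # assumed gateway interface IP, deliberately absent from the cert

# Build a three-tier chain: root CA -> intermediate CA -> gateway leaf certificate.
build_pki() {
  dir="$1"
  mkdir -p "$dir"
  (
    cd "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$GW_FQDN" > gw.ext
    # Root CA, self-signed.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
      -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
      -extfile ca.ext -out root.pem >/dev/null 2>&1
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
      -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -sha256 -extfile ca.ext -out inter.pem >/dev/null 2>&1
    # Gateway leaf, signed by the intermediate; it names the FQDN only, never the IP.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$GW_FQDN" \
      -keyout gw.key -out gw.csr >/dev/null 2>&1
    openssl x509 -req -in gw.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 2 -sha256 -extfile gw.ext -out gw.pem >/dev/null 2>&1
  )
}

# Check 1 (what the 2.3+ agent now always does): does the leaf chain to a trusted root?
# Pass "yes" to supply the intermediate, "no" to omit it, as a mis-installed chain would.
verify_chain() {
  dir="$1"; with_intermediate="$2"
  if [ "$with_intermediate" = "yes" ]; then
    openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/inter.pem" "$dir/gw.pem" >/dev/null 2>&1 \
      && echo valid || echo invalid
  else
    openssl verify -CAfile "$dir/root.pem" "$dir/gw.pem" >/dev/null 2>&1 \
      && echo valid || echo invalid
  fi
}

# Check 2: does the gateway address the portal hands out match what the certificate names?
# kind is "fqdn" (openssl -verify_hostname) or "ip" (openssl -verify_ip).
verify_name() {
  dir="$1"; kind="$2"; value="$3"
  case "$kind" in
    fqdn) opt="-verify_hostname" ;;
    ip)   opt="-verify_ip" ;;
    *)    echo "unknown kind: $kind" >&2; return 1 ;;
  esac
  openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/inter.pem" "$opt" "$value" "$dir/gw.pem" >/dev/null 2>&1 \
    && echo match || echo mismatch
}

main() {
  workdir="$(mktemp -d)"
  build_pki "$workdir"
  echo "full chain, trusted root:        $(verify_chain "$workdir" yes)"            # valid
  echo "leaf only, intermediate missing: $(verify_chain "$workdir" no)"             # invalid
  echo "gateway given as FQDN:           $(verify_name "$workdir" fqdn "$GW_FQDN")" # match
  echo "gateway given as IP:             $(verify_name "$workdir" ip "$GW_IP")"     # mismatch
  rm -rf "$workdir"
}
main
```

The "intermediate missing" line is the failure the SSL checker would flag. The "gateway given as IP" line is the case the gateway-definition advice guards against: the chain is fully valid, yet the name check still fails because the portal told the agent to expect 203.0.113.10 while the certificate only names vpn.example.com. Either condition alone is enough for a 2.3 agent to refuse the connection.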
> I guess that you haven't properly installed the SSL cert with the intermediate cert.
You guess incorrectly. The certificate was working fine on the old client - and checks out perfectly using your SSL checker page.
> There is a change in the default behaviour of GlobalProtect from 2.3.0.
That's the answer I was looking for. There is a difference.
> Validate means checking whether the certificate is signed by a CA that is trusted by that machine.
The certificate I am using is signed by an external CA, and the entire intermediate chain is included - it's not from a "top level CA", but the full chain is valid and checks out.
Which is kinda why I couldn't understand why the 2.3 client wouldn't validate it.
> When defining the gateways under the portal configuration: if the CN has an FQDN, specify the FQDN; if the CN has an IP address, specify the IP address.
Not sure what you mean here - when I define the portal, the name is the FQDN. Do you mean the "external gateway" name should also be the FQDN rather than the IP address of the gateway?
Sorry this has taken a while to reply to. For some reason, I didn't get a notification of your reply; I'll have to go and check my profile and make sure it's set to send them to me.