GP upgrade beyond 2.2.x

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GP upgrade beyond 2.2.x

L2 Linker

Hi,

 

I'm running GlobalProtect 2.2.1 on PANOS 7.0.7. I'm preparing to upgrade to 2.3 (and beyond) to finally support some newer client devices. This caveat in the 2.3 release notes made me pause:

 

 

If your GlobalProtect 2.2 or earlier release configuration uses a gateway server certificate that is
not issued by a CA that is trusted by your endpoints (for example, self-signed certificates), then
you must add the CA for that certificate to the Trusted Root CA list in the portal client configuration
when upgrading to GlobalProtect 2.3 and later releases to ensure that the GlobalProtect agent
can connect to the GlobalProtect gateway.

 

I am using a self-signed cert (SSLVPNCert) produced by the firewall as CA on the Gateway.

 

 gateway.png

 

(As an aside, I'm guessing that the SSL/TLS Service Profile used here was autogenerated during some upgrade that introduced the SSL/TLS Service Profile feature? Note that it does not appear in the list of SSL/TLS Service Profiles. Should this concern me?)

 

 

blankprofile.png

The Portal uses the same cert.

 

portal.png

 

The Portal Agent has the CA (MCVPN_CA) in the Trusted Root CA list.

 

portalagent.png

 

The CA does not have the Trusted Root CA box checked under Usage.

 

Cert.png

 

Am I good-to-go? Or, is the Trusted Root CA checkbox going to bite me? (If so, is it just a matter of clicking it and commiting?)

 

 

 

 

6 REPLIES 6

Cyber Elite
Cyber Elite

You'll likely need to install the certificate into the trusted certificates of your end-user devices through GPO to get this to function properly. 

L4 Transporter

Hi MCmgt,

 

The SSL/TLS profile cannot be empty. Please create one and use the certificate that you were using earlier (SSLVPNcert). This profile needs to be used in the portal and gateway. If SSLVPNcert is signed by the MCVPN_CA, then you are fine. Any particular reason, you aren't moving to a 3.1.x version?

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

But the SSL/TLS Profile can be empty...because it works 🙂

 

The goal is definitely >2.3 ... gotta get those MacOS 10.12 people off my case 🙂

Maybe not when you have your configuration upgraded. This is the first time I am seeing it working like this. No commit errors in your case? I have always seen it working with some profile. For the version, I'd say 3.1.4/5/6. They are the most common in my experience.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

@ansharma is actually right in this case this setup shouldn't be working without a SSL/TLS profile assigned, it would be intereseting to see your XML config and see if it's maybe in the reference but the GUI has stopped picking it up after an update or something? 

You will likely see this stop functing after upgrading the client if the certificate actually isn't being assigned to your portal. 

Sidenote: MCVPN_CA still needs to be trusted by your client machines. If they do not trust this CA then they will likely still give you an error. 

  • 2828 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!