Global Protect Gateway certificates when using SAML

We recently switched to using SAML (ADFS) authentication for connecting to our Global Protect Gateways. These GP Gateways have an SSL/TLS Service Profile with a certificate signed by a CA created within the Palo Alto firewall that serves as the portal.

This all still seems to be the recommended setup at https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/get-started/enable-ssl-betwe...

Since we switched to SAML authentication, our Windows users will get certificate error popups. The errors occur after authentication has happened. Errors are for "Revocation information for the security certificate for this site is not available" and then "The security certificate was issued by a company you have not chosen to trust...". Viewing the certificate shows it is the GP Gateway certificate. It seems the Global Protect client is doing a POST with the SAML authentication data to the firewall, but does not like the firewall's certificate. This is somewhat understandable given that the certificate is just signed by a CA on the firewall.

Is the best practice when using SAML to use a trusted third party certificate for all Global Protect Gateways?

Or is there a way for Global Protect to trust the Palo Alto CA when doing the POST?

Re: Global Protect Gateway certificates when using SAML

@alowther_chatham 

Is the best practice when using SAML to use a trusted third party certificate for all Global Protect Gateways?

You would want to have your certificate trusted by either a third party or your own enterprise CA trusted by your endpoints. Either one works.

Or is there a way for Global Protect to trust the Palo Alto CA when doing the POST?

You can import the certificate onto the endpoints through Active Directory; as GlobalProtect utilizes the built-in certificate store, the certificate would then be trusted by the endpoint.

Re: Global Protect Gateway certificates when using SAML

I could easily be way off base with this answer:

Portal > GlobalProtect > Portals > Agent. At the bottom Add > Trusted Root CA > Install in Local Root Cert Store

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/network-globalp...

Re: Global Protect Gateway certificates when using SAML

Thank you. I think this should work for my situation. We allow Global Protect to be installed on personal machines, so we don't have the capability to push a trusted cert using group policy or such.

However, when I tried checking this option the cert does not get installed. I found in the PanGP Service debug logs:
Saved root CA(...) into file C:\Program Files\Palo Alto Networks\GlobalProtect.tca.cer.

Skip importing trusted root CA to store because portal's server certificate is not verified

This is strange since the portal uses a certificate from a trusted 3rd party CA.
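As an added example, not from the thread or from Palo Alto Networks: a PowerShell check, run on a Windows endpoint, that fetches the gateway certificate and builds the chain the way Windows does, so the two popup messages above (untrusted issuer, revocation unavailable) can be tied to the actual chain status and to whether the firewall CA is present in the machine Trusted Root store. The gateway name and port are placeholders.

```powershell
# Added example (not from the thread): reproduce, from a Windows GlobalProtect endpoint, the
# trust decision the OS makes when the client POSTs the SAML response to the gateway.
param(
    [string]$Gateway = 'gp-gateway.example.com',   # placeholder, replace with your gateway FQDN
    [int]$Port = 443
)

function Get-GatewayChainStatus {
    param([string]$HostName, [int]$Port)

    # Pull the leaf certificate the gateway presents. The callback accepts anything here
    # because the chain is evaluated explicitly below.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain with the policy Windows uses for an HTTPS request:
    # machine trust store, online revocation check of the entire chain.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($leaf)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Is the issuing CA in the machine's Trusted Root store? Meaningful when the gateway
    # cert is signed directly by the root, as with a CA created on the firewall.
    $rootPresent = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $leaf.Issuer })

    [pscustomobject]@{
        Subject           = $leaf.Subject
        Issuer            = $leaf.Issuer
        ChainBuilds       = $chainOk
        IssuerInRootStore = $rootPresent
        # "issued by a company you have not chosen to trust"
        UntrustedRoot     = [bool]($status -match 'UntrustedRoot')
        # "revocation information ... is not available"
        RevocationUnknown = [bool]($status -match 'RevocationStatusUnknown|OfflineRevocation')
        # A firewall-issued CA often has no reachable CRL URL; 2.5.29.31 is the CRL Distribution Points extension.
        HasCrlDistPoint   = [bool]($leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
        RawChainStatus    = ($status -join ', ')
    }
}

Get-GatewayChainStatus -HostName $Gateway -Port $Port | Format-List
```

If IssuerInRootStore is false after enabling "Install in Local Root Cert Store", the CA never reached the endpoint, which matches the "Skip importing trusted root CA" log line; if it is true but RevocationUnknown is set, the issue is the missing or unreachable revocation data rather than trust.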
