Global Protect presents wrong TLS certificate of another portal


L1 Bithead

I have a GP portal with a TLS/SSL profile named "aaa.ssl.pr", which contains "aaa-cert", whose common name is "aaa.com".

When accessing the portal, I see a different certificate in my web browser.

If I put the same SSL profile on another test portal, I see the correct certificate.


6 REPLIES

L7 Applicator

How very odd...

The wrong certificate that you are seeing... is it one that's on the firewall, or have you no idea where it came from?

It is from another test GP portal I have on the same firewall.

So when you ping aaa.com, is it a different address from bbb.com?

Yes.

L1 Bithead

If you have another GP gateway with no IP configured, it will take precedence and you will see its certificate when accessing all other gateways that have IPs.

You can change the no-IP gateway to a loopback with a dummy IP and the issue will be resolved.

The portal/gateway with no IP address takes priority over the portal configured with an IP address.

Ideally the GP config without an IP is supposed to be done only with a DHCP IP and not a static IP. So a config using IP "none" is incorrect in the case of a static IP.

I think Palo has to alert when this configuration is taking place.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHRCA0

TLS Certificate of Global Protect portal /gw with no IP address overrides portal with an IP address
Global Protect presents wrong TLS certificate of another portal.
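The misconfiguration described in the accepted solution is easy to overlook in a large configuration, so here is an added example (not code from the thread or from Palo Alto Networks) that audits an exported configuration for GlobalProtect portals and gateways whose local address has an interface but no IP bound to it, and lists the IP-bound listeners they could shadow. The element names and nesting are an assumption approximating the PAN-OS running-config layout, and the embedded configuration is a constructed sample: one portal and one gateway on ethernet1/1 with a static IP, one gateway on the same interface with no IP (the bad case), and one gateway bound to a loopback with a dummy IP (the suggested fix). Because the thread does not say whether the shadowing is confined to a single interface, the check is conservative and reports every IP-bound listener, not just those on the same interface.

```python
"""Audit a PAN-OS-style config for GlobalProtect listeners with no IP bound.

Added example. The XML layout below is an assumption approximating the
PAN-OS running-config export; adjust the paths to match your own export.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (assumed element names, not a real export).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="aaa-portal">
          <portal-config>
            <local-address>
              <interface>ethernet1/1</interface>
              <ip><ipv4>203.0.113.10/24</ipv4></ip>
            </local-address>
            <ssl-tls-service-profile>aaa.ssl.pr</ssl-tls-service-profile>
          </portal-config>
        </entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="aaa-gw">
          <local-address>
            <interface>ethernet1/1</interface>
            <ip><ipv4>203.0.113.10/24</ipv4></ip>
          </local-address>
          <ssl-tls-service-profile>aaa.ssl.pr</ssl-tls-service-profile>
        </entry>
        <entry name="test-gw">
          <local-address>
            <interface>ethernet1/1</interface>
          </local-address>
          <ssl-tls-service-profile>test.ssl.pr</ssl-tls-service-profile>
        </entry>
        <entry name="lb-gw">
          <local-address>
            <interface>loopback.1</interface>
            <ip><ipv4>192.0.2.1/32</ipv4></ip>
          </local-address>
          <ssl-tls-service-profile>test.ssl.pr</ssl-tls-service-profile>
        </entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""


def collect_listeners(config_xml):
    """Return one dict per portal/gateway: name, kind, interface, ip, profile."""
    root = ET.fromstring(config_xml)
    listeners = []
    # (kind, path to each entry, path from the entry to its local-address)
    for kind, entry_path, addr_path in (
        ("portal", ".//global-protect-portal/entry", "portal-config/local-address"),
        ("gateway", ".//global-protect-gateway/entry", "local-address"),
    ):
        for entry in root.iterfind(entry_path):
            addr = entry.find(addr_path)
            if addr is None:
                continue
            profile = entry.find(".//ssl-tls-service-profile")
            listeners.append({
                "name": entry.get("name"),
                "kind": kind,
                "interface": addr.findtext("interface"),
                "ip": addr.findtext("ip/ipv4"),  # None when no IP is bound
                "profile": profile.text if profile is not None else None,
            })
    return listeners


def find_conflicts(listeners):
    """Flag every listener with no IP and name the IP-bound listeners it may
    shadow. Conservative: the thread does not limit the effect to one
    interface, so all IP-bound listeners are listed, same-interface first."""
    findings = []
    for lst in listeners:
        if lst["ip"]:
            continue
        others = [o for o in listeners if o["ip"] and o["name"] != lst["name"]]
        shadows = sorted(
            others, key=lambda o: (o["interface"] != lst["interface"], o["name"])
        )
        findings.append({
            "listener": lst["name"],
            "kind": lst["kind"],
            "interface": lst["interface"],
            "profile": lst["profile"],
            "shadows": [o["name"] for o in shadows],
        })
    return findings


if __name__ == "__main__":
    for f in find_conflicts(collect_listeners(SAMPLE_CONFIG)):
        print(f"{f['kind']} {f['listener']} on {f['interface']} has no IP bound "
              f"(profile {f['profile']}); may shadow: {', '.join(f['shadows'])}")
```

Run it against a real export after replacing the sample and, if the paths differ from your configuration, adjusting the two path tuples in collect_listeners. Any listener it reports should either be moved to a loopback with a dummy IP, as the accepted solution suggests, or confirmed to be a DHCP-addressed interface where an empty IP is intended.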

@emilta, great info... I was not aware of this, probably because all my portals and gateways are static.

I have read the link provided but cannot see where it mentions certificate priority. Could you forward a link with this info?

Many thanks,
