I have a GP portal with a TLS/SSL profile named "aaa.ssl.pr", which contains the "aaa-cert" whose common name is "aaa.com".
When accessing the portal, I see a different certificate in my web browser.
If I put the same SSL profile on another test portal, I see the correct certificate.
How very odd....
The wrong certificate that you are seeing... is it one that's on the firewall, or have you no idea where it came from?
If you have another GP gateway with no IP configured, it will take precedence and you will see its certificate when accessing all other gateways which have IPs.
You can change the no IP gateway to a loopback with a dummy IP and the issue will be resolved.
The portal/gateway with no IP address takes priority over the portal configured with an IP address.
Ideally the GP config without an IP is supposed to be done only with DHCP IP and not static IP. So the config using IP as none is incorrect in case of static IP.
I think Palo has to alert when this configuration is taking place.
TLS Certificate of Global Protect portal /gw with no IP address overrides portal with an IP address
Global Protect presents wrong TLS certificate of another portal.
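One way to confirm which certificate each portal or gateway address actually presents is to compare the SHA-256 fingerprint of the served certificate with that of the exported certificate (the "aaa-cert" from the question). This is an added example, not part of the original thread; the function names and command-line arguments are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def expected_fingerprint(pem: str) -> str:
    """Fingerprint of the certificate exported from the firewall in PEM form."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the endpoint presents, in DER form."""
    # Validation is switched off on purpose: the goal is to capture whatever
    # certificate is served, even a wrong one, and compare it ourselves.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(endpoints, expected_fp, fetch=fetch_der):
    """Map each endpoint that serves a different certificate to its fingerprint."""
    mismatches = {}
    for host in endpoints:
        presented = fingerprint(fetch(host))
        if presented != expected_fp:
            mismatches[host] = presented
    return mismatches


if __name__ == "__main__":
    # Usage (hypothetical): script.py exported-cert.pem portal1 gateway1 ...
    pem_path, *hosts = sys.argv[1:]
    with open(pem_path) as fh:
        wanted = expected_fingerprint(fh.read())
    bad = audit(hosts, wanted)
    for host, fp in bad.items():
        print(f"{host}: unexpected certificate, sha256={fp}")
    sys.exit(1 if bad else 0)
```

Running it against every portal and gateway address before and after moving the no-IP gateway to a loopback shows whether each address now serves the intended certificate.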
@emilta, great info... I was not aware of this, probably because all my portals and gateways are static.
I have read the link provided but cannot see where it mentions certificate priority, could you forward a link with this info...