I am trying to configure GlobalProtect (hereafter: "GP") TLS VPN on a PA-3050 running PAN-OS 8.0.6-h3. I am working with a GP client version 4.0.5.
I have successfully configured GP so that I am able to connect when using a self-signed certificate in the SSL/TLS Service Profile used on both the GP Portal and Gateway configuration; however, when I try to switch the SSL/TLS Service Profile in use to one that uses a certificate signed by our trusted internal certificate authority, I recieve the following error after authenticating:
"Gateway <external gateway name*>: The server certificate is invalid. Please contact your IT administrator."
* This is the name of the external gateway configured in the GP Portal on the Agent tab, not the name of the GP Gateway on the Gateways section of the Network | GlobalProtect setup.
We do not have any sort of client certificate authentication configured.
Regarding the internal CA-signed certificate... I used a certificate template that we use for web servers. The internal CA's root certificate is already marked as a trusted root CA certificate on the PAN NGFWs as well as all of our workstations and servers, including the client machine I am testing with. When I visit the GP Portal web page, the web browser shows the Portal's server certificate as trusted; I do not see any sort of certificate warning (which I do when I use the self-signed certificate instead).
My assumption is that it has something to do with the marked capabilities of the internal-CA-signed certificate vs. the self-signed certificate.
The self signed certificate has the following attibutes on the Key Usage property: Digital Signature, Key Encipherment, Data Encipherment, and Key Agreement (b8). It has the following attributes on the Enhanced Key Usage property: Server Authentication (126.96.36.199.188.8.131.52.1), Client Authentication (184.108.40.206.220.127.116.11.2), and IP security end system (18.104.22.168.22.214.171.124.5).
My internal-CA-signed certificate has the following Key Usage attributes: Digital Signature, Key Encipherment (a0). It has the following Enhanced Key Usage attributes: Server Authentication (126.96.36.199.188.8.131.52.1).
Clearly, my internal-CA-signed certificate is configured to be allowed for a more limited set of uses and capabilities that the self-signed certificate generated by the PAN NGFW itself. I'm not against configuring a special certificate template on our internal CA in order to add additional capabilities to a cert for use by the PAN NGFW for the purpose of GP Portal/Gateway server configuration, but I want to know what capabilities are required.
Or, if there is something else I should check, please let me know.
BTW, I came across the following document about Deploy Server Certificates to the GlobalProtect Components. It seems to indicate in the "Use Simple Certificate Enrollment Protocol (SCEP) to request a server certificate from your enterprise CA" section that the only attributes required are Key Encipherment and Digital Signature, both of which my internal-CA-signed certificate have.
By the way, the certificate has an RSA 2048-bit key and a SHA256 hash.
We have the same problem.
But only with 4.0.5 Windows GlobalProtect client.
With 4.0.4 it works fine, on the same machine. Mac client 4.0.5 works also fine.
It's only the windows 4.0.5 globalprotect client. I think this is a bug in the GlobalProtect client.
Firewall software is 8.0.5.
For me, downgrading to GlobalProtect 8.0.4 didn't solve the issue. This is still an open issue. For now I'm just using a self-signed certificate.
Make sure you have SANs on your cert that match the gateway hostname and IP that might help. I have seen this exact issue also happen when the user goes to the VPN portal by IP and the cert does not have a SAN for the IP or they go to the portal using the hostname and the cert uses the IP etc...
worth a look!
Sounds silly, but you were testing the connection on a internet access without any sort of captive portal, right? So when the gp client showed this error, was it showing exactly the cert that you configured?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!