GlobalProtect behind NAT/PAT Certificate Issue.

L1 Bithead

GlobalProtect behind NAT/PAT Certificate Issue.



I'm configuring my GlobalProtect VPN and the Agent keeps saying "CN name mismatch".


Here's my infrastructure: Drawing1.png

The PA220 is behind the ISP's NAT, and all connections to WAN_IP (that is, the public IP) are translated to the address  As port 443 is already in use, we're using WAN_IP:10443, which translates to  for GlobalProtect.


Here's where the problem is. For the GP gateway certificate I must specify the CN, which has to be WAN_IP:10443.

The Agent keeps prompting "The certificate CN name mismatch. The certificate is not issued to WAN_IP:10443". But when I open the certificate, it is issued to WAN_IP:10443...


I can continue by ignoring this warning, but it can't connect and prompts "my gateway : server certificate verification failed".


Any help please?





L7 Applicator

Re: GlobalProtect behind NAT/PAT Certificate Issue.

Hi @Naelwan


From your post I assume you created a self signed CA and certificate on your PA220. Is that correct?

If yes: did you import the root CA cert into your clients' certificate trust store? In addition, you also need to specify the root CA cert as a trusted root CA in your GlobalProtect portal configuration.


And: How exactly did you create the certificate? Did you also add the wan IP as "IP" attribute in the certificate?
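The reply above points at the difference between a certificate's Subject commonName and a subjectAltName "IP" entry. The following is an added example, not code from this thread or from Palo Alto Networks: a stand-alone implementation of the server-identity check a TLS client performs (RFC 2818 / RFC 6125 rules), using the dict layout that Python's ssl `getpeercert()` returns. The two certificates and the address 203.0.113.10 are constructed for illustration; how the GlobalProtect agent itself implements the check is not described on this page, but the rules shown are the standard ones: an IP reference identity is compared only against iPAddress SAN entries, the CN is never consulted for an IP, and the port is not part of the identity.

```python
"""Server-identity matching as a TLS client performs it (RFC 2818 / RFC 6125 rules).

Demonstrates why a certificate whose only identity is a commonName holding an
IP address fails when the client connects to that IP: an IP target is matched
only against iPAddress subjectAltName entries, never against the CN, and the
port (e.g. :10443) is never part of the identity.

Certificates use the dict layout returned by ssl.SSLSocket.getpeercert(), so
server_identity_matches() also works on a real peer certificate.
"""
import ipaddress
from typing import Tuple


def split_host_port(target: str) -> str:
    """Return just the host part of 'host', 'host:port' or '[v6-literal]:port'."""
    if target.startswith("["):                 # bracketed IPv6 literal, maybe with port
        return target[1:target.index("]")]
    if target.count(":") == 1:                 # host:port (a bare IPv6 has more colons)
        return target.rsplit(":", 1)[0]
    return target


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; '*' is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def server_identity_matches(cert: dict, target: str) -> Tuple[bool, str]:
    """Decide whether `cert` names `target` (a host, IP, or host:port), with a reason."""
    host = split_host_port(target)
    san = cert.get("subjectAltName", ())
    ip_ids = [v for k, v in san if k == "IP Address"]
    dns_ids = [v for k, v in san if k == "DNS"]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None

    if addr is not None:
        # An IP reference identity is compared only with iPAddress SAN entries.
        # Comparing as ipaddress objects also normalises IPv6 spellings.
        for v in ip_ids:
            try:
                if ipaddress.ip_address(v) == addr:
                    return True, f"iPAddress SAN {v} matches {addr}"
            except ValueError:
                continue
        return False, f"no iPAddress SAN equals {addr} (commonName is ignored for IP targets)"

    for v in dns_ids:
        if _dns_label_match(v, host):
            return True, f"dNSName SAN {v} matches {host}"
    if dns_ids:
        return False, f"no dNSName SAN matches {host}"
    # Legacy fallback: commonName is consulted only when the cert has no dNSName SAN.
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName" and _dns_label_match(v, host):
                return True, f"commonName {v} matches {host} (legacy fallback)"
    return False, f"nothing in the certificate names {host}"


# Constructed sample certificates (not real certificates from the thread).
CN_ONLY_CERT = {
    "subject": ((("commonName", "203.0.113.10"),),),
}
IP_SAN_CERT = {
    "subject": ((("commonName", "203.0.113.10"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}

if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY_CERT), ("CN + IP SAN", IP_SAN_CERT)):
        ok, why = server_identity_matches(cert, "203.0.113.10:10443")
        print(f"{name:12s} -> {'OK  ' if ok else 'FAIL'} ({why})")
```

On a live connection, `ssl.SSLSocket.getpeercert()` returns exactly this dict shape, so the same function can be pointed at the gateway to see which identities the certificate actually carries before changing the portal or gateway configuration.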

L1 Bithead

Re: GlobalProtect behind NAT/PAT Certificate Issue.

Hi @vsys_remo


Self signed CA on the PA220, yes.

Root CA cert is imported and specified in the portal conf.


I created the certificate with only the WAN IP in the Subject. I just tried with the IP attribute set to the WAN IP, and it now works.


Thanks for your very quick answers and your knowledge. Really appreciate it.





L1 Bithead

Re: GlobalProtect behind NAT/PAT Certificate Issue.

Well, @vsys_remo, it worked only once. From the second try onwards: no more warning prompt, but after network and config detection I get the same error "gateway : server certificate verification failed".


No modification was made to the PA220 config between the 1st and 2nd tries.



All I can see in the logs is:

Failed to connect to on 443 (error: 0)

So obviously the agent-side gateway was misconfigured, as it was pointing at the PA220 interface and not at the public IP address.

