L1 Bithead

Problem Global Protect Behind NAT

Hello I have the following scenario:


-PA-3020 Edge Firewall who provide as internet access

-PA-200 LAN Firewall behind PA-3020


We are triying to configure Global Protect access for GP-200.


-I have a fqdn for the portal and gateway access which resolves a public IP for external access and resolves a privete IP for internal access

-Public IP for fqdn name is different than other IPS which have assigned. So, we are not using puebli IP addres of PA-3020, because we are using it for other things and we are not allowed to uset it, so, we are using another public ip on the same range

-We configure a NAT on PA-3020: Translates any source destinated to public IP address of GP on PA-200. The rule translates public GP address to private GP address. Since PA-200 have a different gateway to exit internet (IS not PA-3020) I had to configure a translate from source address also to being translate to the IP address that comunicate PA3020 to PA200

-That works, we are able to reach the portal and the user authentication works

-The problem is the Global Protect client is not connecting. Is showing me that Cn of certificate is not the public IP that i put on the certificate

-Regarding Palo Alto KBs. The problem is you must configure as CN the public IP address that GP use and as external gateway you must configure also the same address you have as CN on the certificate, but we are still seeing the CN error on GP client.


I'm not sure about what is not working well. Any suggestion?

L4 Transporter

Re: Problem Global Protect Behind NAT



If you entered FQDN in the GP client's portal address box, you should have that very FQDN as the CN (or the SAN) field.


Any chance you can show the error along with your attempt and certificate, through screenshots?




ACE 7.0, 8.0, PCNSE 7
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!