Error: Certificate CN mismatch while connecting GlobalProtect client
Created On 09/25/18 20:39 PM - Last Modified 08/04/21 21:07 PM
Symptom
When connecting to GlobalProtect from a client, the following Server Certificate Error displays:
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- GlobalProtect Configured.
Cause
The issue occurs when the CN (FQDN or IP address) of the certificate generated under GUI: Device > Certificate Management > Certificates and used as the server certificate differs from the CN (Common Name) configured in the Portal under GUI: Network > GlobalProtect > Portals > (Portal profile) > Agent > (Agent Profile) > Internal or External > Internal or External Gateways Address.
Resolution
- Ensure the CN in the certificate being used (GUI: Device > Certificate Management > Certificates) is the same as the CN in the GlobalProtect Portal configuration (GUI: Network > GlobalProtect > Portals > (Portal profile) > Agent > (Agent Profile) > Internal or External > Internal or External Gateways Address).
- If the CN is an FQDN, then ensure it's resolvable to the same IP address as used in the above configuration.
- The above solution also applies when the certificate used for GlobalProtect is signed by a private CA.
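The two checks above can be scripted before pushing a portal change. The following is an added example, not Palo Alto Networks code: the function names are hypothetical, the certificate is a constructed sample in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the gateway address and expected IP are assumed to be copied by hand from the portal configuration. It compares only the CN, as this article describes.

```python
import ipaddress
import socket

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subject": ((("commonName", "gp.example.com"),),)}

def subject_cn(cert):
    """Return the commonName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def normalize(value):
    """Canonical form for comparison: IPs via ipaddress, names lower-cased."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return value.strip().lower().rstrip(".")

def is_ip(value):
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False

def check_gateway(cert, gateway_address, expected_ip=None,
                  resolve=socket.gethostbyname_ex):
    """Return a list of problems; an empty list means the values agree."""
    cn = subject_cn(cert)
    if cn is None:
        return ["certificate subject has no CN"]
    problems = []
    if normalize(cn) != normalize(gateway_address):
        problems.append(f"CN {cn!r} != configured gateway address {gateway_address!r}")
    if expected_ip is not None and not is_ip(cn):
        try:
            addresses = resolve(cn)[2]  # (hostname, aliases, IPv4 list)
        except OSError as exc:
            return problems + [f"CN {cn!r} does not resolve: {exc}"]
        if normalize(expected_ip) not in [normalize(a) for a in addresses]:
            problems.append(f"CN {cn!r} resolves to {addresses}, not {expected_ip}")
    return problems

if __name__ == "__main__":
    fake_dns = lambda name: (name, [], ["203.0.113.10"])  # constructed answer
    print(check_gateway(SAMPLE_CERT, "gp.example.com", "203.0.113.10", fake_dns))
    print(check_gateway(SAMPLE_CERT, "203.0.113.10", "203.0.113.10", fake_dns))
```

The second call shows the typical misconfiguration: a certificate issued for an FQDN while the gateway address in the agent profile is entered as an IP address.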