GlobalProtect Gateway Certificate Error When Trying to connect GlobalProtect
Symptom
When trying to connect GlobalProtect to the Palo Alto Networks firewall, it is successfully connecting to the portal, but gives a certificate error when it tries to connect to the gateway. When using older versions of the agent it connects without issue.
Environment
- Pan-Os
- Global Protect
Cause
This issue might be caused by a new check that was introduced in GlobalProtect version 4 and later. The validation check makes sure that the gateway address configured in the GlobalProtect portal matches the CN of the certificate that the gateway is configured to use. This check was not implemented in older versions, so this issue was not encountered.
Note: When the gateway address is a FQDN and this FQDN is in the certificate, GlobalProtect Agent v4 and up produces the certificate error until the PTR record is created in DNS.
Resolution
- Determine which certificate the gateway is configured under the ssl/tls service profile to use and write it down.
2.Go to Device > Certificate Management > Certificates and write down the CN of the certificate that was copied in Step 1.
3. Adjust the address of the gateway in the GlobalProtect portal client configuration to the CN that was copied in Step 2.
- Commit the changes and try to reconnect with the agent.
Additional Information
Note:
If the gateway certificate includes a hostname (dnsname) in the Subject Alternative Name (SAN) attribute, it should also match the Common Name of the certificate as indicated in the article above.
Important! Before making this change, make sure the DNS servers that are used on the firewall are able to resolve the "GlobalProtect Portal" hostname to a public IP address and that there is also a PTR record to resolve the IP address back to the hostname. If it resolves to an internal IP address, this will make the portal inaccessible from the external interface.