Management Articles

Overview

When configuring a Palo Alto Networks Next-Generation Firewall, a certificate signed by a trusted public Certificate Authority (CA) may be desired on:

Captive Portal ("CP") pages
Response Pages
GlobalProtect ("GP") Portal

Many public CAs use chained certificates, that is, certificates that are not signed by the Root CA itself but by one or more Intermediate CAs. These intermediates are usually owned and operated by the same CA; they give the CA flexibility and make revocation easier if a problem arises.

Steps

1. Requesting the certificate

Depending on which PAN-OS version is installed on the firewall, the private key and CSR may need to be generated with a third-party tool such as OpenSSL. If using PAN-OS 5.0, refer to How to Generate a CSR (Certificate Signing Request) and Import the Signed Certificate.

2. Creating the combination certificate

When a certificate is not signed directly by the Root CA, the firewall should send the intermediate CA certificates to clients, because clients cannot be assumed to have the intermediates in their trust store already (most only ship the roots). To do that, build a combination certificate file that consists of the signed certificate (CP, GP, and so on) followed by the intermediate CA certificates, in signing order. (The screenshot in the original article shows two intermediate CAs; the same process is valid for one or several.)

To get each of these certificates:

1. Open the "Server Cert" file sent by the CA. In Windows, the certificate dialog box has three tabs: General, Details, and Certification Path.
2. Click Certification Path and click the certificate one step above the bottom (the issuer of the server certificate).
3. Open that certificate, click the Details tab, then Copy To File. Save the file as a Base-64 encoded X.509 (.CER) certificate.
4. Do the same for every certificate in the chain except the top one (the Root). The root is deliberately left out: clients already have it in their trust store, and it does not belong in the chain the firewall sends.
5. Open each .CER file in a plain-text editor (such as Notepad) and paste the certificates end-to-end, with the Server Cert on top and each signer below the certificate it signed.
6. Save the file as a .TXT or .CER file.

Note: The name of the file cannot contain spaces, as this may cause the import to fail.

3. Importing the certificate

Take the combined certificate and import it on the firewall. In PAN-OS 5.0 and above, the private key is already on the firewall (it was created together with the CSR). Follow these steps to import the certificate: How to Generate a CSR and Import the Signed CA Certificate.

Workaround

If you cannot generate a new CSR but still need to add the intermediate CAs to a certificate that is already installed, try these steps:

1. Export the current certificate from the firewall in PEM format with the private key included.
2. Open the exported file in a text editor.
3. Separate the certificate (the "BEGIN CERTIFICATE" block) from the private key into two separate text files, being careful not to add any spaces or blank lines.
4. Save the private key file and keep it aside. It is sensitive material; delete it once the import has succeeded.
5. In the certificate file, keep the server certificate at the top and append the intermediate CA certificates below it, as described above, then save the file.
6. Delete the certificate already on the firewall.
7. Import the edited certificate together with the private key.

owner: gwesson
gwesson ‎08-30-2018 07:00 AM
84,211 Views
6 Replies
3 Likes
Issue

SSL Inbound Inspection policies worked when configured on PAN-OS 7.1, but after upgrading to 8.0 the sessions fail and the logs show decrypt errors. This is seen when the server uses a certificate with an intermediate certificate in the chain.

Cause

Prior to PAN-OS 8.0, inbound inspection was completely passive: the firewall only observed the handshake and decrypted with the imported key. In 8.0, with ECC and DHE support, it takes a more active role in the handshake, so the certificate chain the client receives is the one imported on the firewall rather than the one installed on the server.

Confirmation

A packet capture on the firewall confirms whether the firewall is sending the full certificate chain or only the server certificate to the client. Check the Certificate message that follows the Server Hello: if only the server certificate is present, this is likely the cause.

Fix

Re-import the certificate from your web server to the firewall, making sure you combine the server certificate with the intermediate CA certificate(s), but not the root CA.

Here are the steps to do so: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523

Additional information: https://live.paloaltonetworks.com/t5/General-Topics/Panos-8-inbound-ssl-inspection/m-p/183289
jarena ‎02-08-2018 05:18 AM
8,729 Views
0 Replies
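The combination file from the chained-certificate article above, and the PAN-OS 8.0 inbound-inspection failure that a missing intermediate causes, as an added shell example (not code from either article): it generates a throwaway root / intermediate / server PKI with OpenSSL, builds the file in the required order (server certificate on top, intermediate below, root left out), checks that every certificate is followed by its signer, and shows that a verifier holding only the root rejects the bare server certificate with OpenSSL's verify error 20 ("unable to get local issuer certificate") but accepts the combined file. The CA names, gp.example.com and the scratch directory are invented for the example; it needs a standard openssl binary (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks articles): build and check a
# PAN-OS style combination certificate file with OpenSSL.  Everything below is
# generated locally; "Example Root CA", "Example Issuing CA" and gp.example.com
# are made-up names.
set -eu
cd "${WORK:-$(mktemp -d)}"          # assumption: a writable scratch directory

# --- constructed three-tier test PKI: root -> intermediate -> server -------
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gp.example.com\n' > srv.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
        -keyout root.key -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out int.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=gp.example.com' \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -extfile srv.ext -out server.pem 2>/dev/null
}

# --- the combination file: leaf on top, each signer below it, root omitted --
# usage: build_chain out.pem server.pem intermediate1.pem [intermediate2.pem ...]
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        # re-emits only the PEM block, dropping any text preamble or bag attributes
        openssl x509 -in "$f" >> "$out"
    done
}

# print the i-th certificate block of a PEM bundle
nth_cert() {
    awk -v want="$2" '/BEGIN CERTIFICATE/{k++} k==want{print} /END CERTIFICATE/{if (k==want) exit}' "$1"
}

# Order check: certificate N must have been issued by certificate N+1.
# Prints ORDER_OK (exit 0) or ORDER_BAD (exit 1).
check_chain_order() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer_hash)
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then echo ORDER_BAD; return 1; fi
        i=$((i + 1))
    done
    echo ORDER_OK
}

# What a client that trusts only the root sees.  Prints OK when the bundle
# chains up to the root, FAIL otherwise (openssl reports "unable to get local
# issuer certificate", verify error 20, when the intermediate is missing).
verify_against_root() {          # usage: verify_against_root root.pem bundle.pem
    if openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    make_test_pki
    build_chain combined.pem server.pem int.pem
    echo "combined.pem order:     $(check_chain_order combined.pem)"
    echo "server cert only:       $(verify_against_root root.pem server.pem)"
    echo "server + intermediate:  $(verify_against_root root.pem combined.pem)"
}
demo
```

The check_chain_order function can be pointed at any .cer or .txt bundle you are about to import. The client-side view that the packet capture in the second article gives you can also be saved with "openssl s_client -connect host:443 -showcerts" and fed to the same function.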
Symptoms

During certificate/CSR creation, the number of bits used for the RSA key and the SHA digest can be changed to something higher than the default. The key algorithm can also be changed to Elliptic Curve DSA, and the digest to MD5. The available values for RSA and SHA (as of PAN-OS 8.0) are:

RSA: 512, 1024, 2048 (default), 3072, 4096
SHA: SHA1, SHA256 (default), SHA384, SHA512

(512- and 1024-bit RSA keys and the MD5/SHA1 digests are kept for compatibility only; they are below current minimums and should not be used for new certificates.)

However, in some cases an admin might not see any options in the drop-down for either algorithm.

Diagnosis

The PHP debug log shows the web UI's completion requests for the key size and the digest being rejected with "You need superuser privileges to do that":

[2017/12/29 17:43:04] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php
[2017/12/29 17:43:04] user=1282626187103044 ========= RemoteCall: Certificate.completeCertificateNbits =========
[2017/12/29 17:43:05] user=1282626187103044 <request cmd="op" complete="operations/request/certificate/generate/algorithm/RSA/rsa-nbits" cookie="1282626187103044"/>
[2017/12/29 17:43:05] user=1282626187103044 <response status="error"><msg><line>You need superuser privileges to do that</line></msg></response>
[2017/12/29 17:43:05] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php took 0.179s
[2017/12/29 17:43:06] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php
[2017/12/29 17:43:06] user=1282626187103044 ========= RemoteCall: Certificate.completeCertificateDigest =========
[2017/12/29 17:43:06] user=1282626187103044 <request cmd="op" complete="operations/request/certificate/generate/digest" cookie="1282626187103044"> <algorithm>rsa</algorithm> </request>
[2017/12/29 17:43:06] user=1282626187103044 <response status="error"><msg><line>You need superuser privileges to do that</line></msg></response>
[2017/12/29 17:43:06] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php took 0.167s

Solution

The drop-downs are populated by an operational command that requires superuser privileges, so an administrator with a lesser role sees them empty. Log in with any 'superuser' account and you will be able to change the bits and algorithms to any of the available options.
ansharma ‎01-03-2018 08:25 AM
2,005 Views
0 Replies
Symptom

After changing the SSL decryption certificate on the Palo Alto Networks firewall, SSL decryption no longer works for the Firefox browser. Firefox shows a certificate error, while SSL decryption for other web browsers continues to work.

Cause

Firefox has cached cookies and site data for the affected websites from before the certificate change.

Resolution

Removing the cookies for the particular websites that produce the certificate errors resolves the issue. In Firefox, cookies can be removed from the Privacy settings.

Note: Refer to the Mozilla Firefox support site (https://support.mozilla.org) for more information about removing cookies. Here is one article from their site that may help: https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored

owner: jlunario
pagmitian ‎01-02-2018 02:05 PM
9,387 Views
1 Reply
Details

A Certificate Signing Request (CSR) with a multi-level organizational unit can be generated from the CLI using the following command:

> request certificate generate

Here are the options (* = required; the others are optional; > options accept one or more values):

+ ca                   Make this a signing certificate
+ country-code         Country code
+ days-till-expiry     Number of days till expiry
+ digest               Digest Algorithm
+ email                Email address of the contact person
+ filename             file name for the certificate
+ locality             Locality
+ ocsp-responder-url   ocsp-responder-url
+ organization         Organization
+ signed-by            signed-by
+ state                State/province
* algorithm            algorithm
* certificate-name     Name of the certificate object
* name                 IP or FQDN to appear on the certificate
> alt-email            Subject alternate Email type
> hostname             Subject alternate name DNS type
> ip                   Subject alternate name IP type
> organization-unit    Department

Note: in PAN-OS 8.0, the algorithm option is required to generate a CSR.

For example:

> request certificate generate organization-unit [OU1,OU2] signed-by external filename csr-site123 certificate-name site123 name site123.paloaltonetworks.com algorithm RSA rsa-nbits 1024

Successfully generated certificate and key pair : site123

The above command generates a CSR with the following attributes:
Certificate Name: site123
Organizational Units: OU1 and OU2
Common Name: site123.paloaltonetworks.com

Note: the example uses rsa-nbits 1024 only to keep the command short; public CAs no longer sign 1024-bit keys, so use 2048 (the default) or larger in practice.

In the WebGUI, under Device > Certificate Management > Certificates > Device Certificates tab, you will see the pending certificate. To save the CSR, click the certificate, then Export.

owner: jteetsel
jteetsel ‎12-27-2017 01:31 PM
7,993 Views
3 Replies
3 Likes
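The same request built off-box with OpenSSL, as an added shell example (not code from the article), for firewalls that cannot generate the CSR themselves and as a set of checks to run on any exported CSR before sending it to the CA: the subject carries two OU values, the SAN lists every name the certificate must cover, and small functions pull back the CN, the OUs, the SANs and the key size so a weak or mis-typed request is caught early. Example Corp, site123.example.com, gp.example.com and the scratch directory are made up; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the article): the CSR built off-box with OpenSSL,
# plus checks an admin can run on any exported CSR before sending it to the CA.
# site123.example.com, OU1/OU2 and the scratch directory are made up.
set -eu
cd "${WORK:-$(mktemp -d)}"          # assumption: a writable scratch directory

# Build a CSR whose subject carries two OU values and whose SAN lists the
# names the certificate must be valid for (modern clients ignore the CN).
make_csr() {                      # usage: make_csr name.csr
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/O=Example Corp/OU=OU1/OU=OU2/CN=site123.example.com' \
        -addext 'subjectAltName=DNS:site123.example.com,DNS:gp.example.com' \
        -keyout "${1%.csr}.key" -out "$1" 2>/dev/null
}

# One OU per line, in the order they appear in the subject.
csr_ous() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*OU[[:space:]]*=[[:space:]]*//p'
}

# Common Name only.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p'
}

# SAN entries, comma-separated, from the requested extensions.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name/{getline; gsub(/^[[:space:]]+/, ""); print; exit}'
}

# RSA key size of the request, so a weak 512/1024-bit key is caught early.
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

demo() {
    make_csr site123.csr
    echo "CN:   $(csr_cn site123.csr)"
    echo "OUs:  $(csr_ous site123.csr | tr '\n' ' ')"
    echo "SANs: $(csr_sans site123.csr)"
    echo "Key:  $(csr_key_bits site123.csr) bit"
}
demo
```

The check functions read any PEM CSR, including one exported from the firewall's Device Certificates tab, so they can confirm the OUs and SANs before the request leaves your hands.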
Issue

In the screenshot in the original article (not reproduced here), the gateway and portal are on the same IP address but configured with different certificates (Server1 and Server2). Because the IP is the same, the firewall keeps presenting Server2 as the certificate for both.

Resolution

If the portal's certificate needs to be changed, make sure the gateway is also changed and configured to use the same certificate as the portal. A portal and gateway that share an interface and IP address must share a server certificate.

owner: dburns
npare ‎12-19-2017 04:55 AM
4,314 Views
0 Replies
Overview

If you do not want to load your own certificate into the device or use the default self-signed certificate, a new self-signed certificate can be generated through the web interface or CLI. This new self-signed certificate can be used for SSL Decryption or as the GlobalProtect Portal or Gateway certificate.

Steps

1. From the WebGUI, navigate to Device > Certificates.
2. Click Generate at the bottom of the screen.
3. Enter the desired details for the certificate. The details entered here are what users see if they view the CA certificate for an encrypted session in the browser.
   Note: If you would like the certificate to be valid for longer than 365 days (1 year), change "Expiration (days)" from 365 to a larger value before creating the certificate.
4. On the Generate Certificate window, click Generate. The firewall reports "Certificate successfully generated".
5. To verify that the certificate was created properly, click on the newly generated certificate.
   Note: If using this certificate for SSL Decryption, check "Forward Trust Certificate" and "Forward Untrust Certificate". To delete or remove the certificate later, uncheck both options first, otherwise an error is generated.
6. Commit the changes. When the commit operation completes, the self-signed CA certificate is installed.

CLI

From the CLI, to create a new self-signed certificate, run the following command on one line (PAN-OS 6.1 only):

> request certificate self-signed country-code US email support@paloaltonetworks.com locality Alviso state CA organization "Palo Alto Networks" organization-unit "Session inspected by policy" nbits 1024 name "SSL Inspection" passphrase bubba for-use-by ssl-decryption

For PAN-OS 7.0 and later, a very simple self-signed certificate can be created with this command:

> request certificate generate name "Firewall-a" certificate-name "ssl test"

Note: the 6.1 example uses a 1024-bit key; use at least 2048 bits for anything that is not a throwaway test.

You can always use <tab> or "?" in the CLI to see what the next options can be. For additional info on CLI commands, see the article Get Started with the CLI.

owner: jebel
PANW1337 ‎11-15-2017 07:14 AM
54,643 Views
8 Replies
Issue

After configuring SSL decryption and generating a certificate, the commit fails with the following error: "Error: vsys1 decryption: forward decrypt trust cert is not configured".

Cause

SSL Forward Proxy decryption requires a CA certificate that is designated as the Forward Trust certificate (and one as Forward Untrust); generating a certificate alone does not assign these roles.

Resolution

Create a self-signed certificate with 'Certificate Authority' checked. Once generated, open the certificate (Device tab > Certificate Management > Certificates) and check both options:
Forward Trust Certificate
Forward Untrust Certificate
After clicking OK, the certificate store shows the certificate with both roles, and the commit succeeds.

owner: kadak
kadak ‎11-14-2017 06:16 AM
9,699 Views
2 Replies
2 Likes
Issue

Inbound SSL decryption fails even when a valid certificate and a supported cipher suite are used. This may occur when Apache is the web server and curl (or an old version of Chrome/Firefox) is the client.

Cause

The issue occurs when TLS compression is negotiated, i.e. enabled on both client and server. To verify, take a packet capture and look at the "Compression Method" field in the Client Hello and Server Hello: anything other than null (0) means compression is in use.

Resolution

TLS compression is disabled by default in current clients and web servers because of the CRIME attack, in which the compressed ciphertext length leaks secrets such as session cookies. The resolution is to use newer server and client software:
Update Apache to 2.4.3 or later, which has an option to disable TLS compression ("SSLCompression off").
Update curl to 7.28.1 or later.
Use the latest version of Chrome or Firefox.
(IE, Safari and Opera have never supported TLS compression.)

owner: ymiyashita
ymiyashita ‎11-10-2017 05:47 AM
5,987 Views
0 Replies
1 Like
This article refers to the customer-facing article about the Panorama certificate expiration: https://live.paloaltonetworks.com/t5/General-Topics/Panorama-Certificate-Expiration-on-June-16-2017/m-p/150948/highlight/true#M50050

There are two options to mitigate this issue:

Option 1: Upgrade the software on Panorama and all log collectors to one of the maintenance releases listed below:
Panorama / log collector version 7.1.9
Panorama / log collector version 7.0.15
Panorama / log collector version 6.1.17

Option 2: Update the content on Panorama and all log collectors to content version 700 or later.

Once you have used either option to update the certificate, follow these steps to verify that the certificate validity has been extended.

Chrome Browser:

1. Open Chrome and browse to "https://<mgmt ip of Panorama>:3978".
2. Panorama asks for mutual authentication and the browser presents the certificates in its Personal store; click Cancel.
3. The connection shows "Not Secure". Press F12 (cmd+opt+i on a Mac) to open Developer Tools and inspect the certificate.
4. Go from the Elements tab to the Security tab.
5. Click "View Certificate".
6. Once the certificate opens, navigate to "Certification Path".
7. The Panorama server certificate is signed by the root CA "localhost". This is the certificate that was expiring on June 16th; verify whether its validity has been extended.
8. Click the "localhost" certificate and then "View Certificate".
9. Confirm that the validity of the root certificate has been extended.
zimtiaz ‎06-22-2017 04:11 PM
2,903 Views
0 Replies
1 Like
Issue

Unable to access the web console via HTTP or HTTPS. Access via SSH is possible.

Resolution

This can be due to the absence of the Web GUI certificate. Since SSH access is possible, a new certificate can be created from the CLI. The following command generates a certificate named webuicertdemo with an FQDN of panlab.com:

> request certificate generate certificate-name webuicertdemo name panlab.com

To use this certificate for the Web UI, enter the following commands:

> configure
# set deviceconfig system web-server-certificate webuicertdemo
# commit
# exit

Starting from PAN-OS 7.0 the procedure is slightly different: the certificate is attached to an SSL/TLS service profile, and that profile is assigned to the management web server:

> request certificate generate ca yes certificate-name <cert name> name <IP or FQDN> algorithm RSA rsa-nbits 2048
> configure
# set shared ssl-tls-service-profile <profile name> certificate <cert name> protocol-settings min-version tls1-0 max-version tls1-2
# set deviceconfig system ssl-tls-service-profile <profile name>
# commit
# exit

Note: the profile above allows TLS 1.0 as the minimum version; set min-version tls1-2 unless an old client must still reach the management interface.

owner: bpappas
panagent ‎03-09-2017 04:52 AM
16,748 Views
6 Replies
Symptoms

The GlobalProtect app running on Android 6.0 or later cannot establish the VPN connection when:

The root CA certificate for the GlobalProtect Portal/Gateway is in Trusted Credentials on the Android device, and
the GlobalProtect Portal/Gateway certificate's Common Name (CN) is an IP address.

In this case, the following error message is displayed: Cannot connect to GlobalProtect portal

Gp.log from the GlobalProtect app shows the following errors:

(6227)01/05 17:55:33:120201 - javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified: certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ= DN: CN=192.168.206.1,ST=Tokyo,C=JP subjectAltNames: [192.168.206.1]
(6227)01/05 17:55:33:120352 - exception GetHttpResponse, response code is 0
(6227)01/05 17:55:33:120521 - response from server is: null, exception Message: Hostname 192.168.206.1 not verified: certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ= DN: CN=192.168.206.1,ST=Tokyo,C=JP subjectAltNames: [192.168.206.1] eType:javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified: certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ= DN: CN=192.168.206.1,ST=Tokyo,C=JP subjectAltNames: [192.168.206.1]
(6227)01/05 17:55:33:120557 - (l5)JNI,6243,508,not handled, ret=error, javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified: certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ= DN: CN=192.168.206.1,ST=Tokyo,C=JP subjectAltNames: [192.168.206.1], return NULL now

Diagnosis

This is due to a new behaviour of Android 6.0+.

Starting from Android 6.0, if the CN in a certificate is an IP address, the IP address must also be present in the Subject Alternative Name (SAN) as an iPAddress entry. If the IP address is missing from the iPAddress SAN, certificate verification fails. Note that the log above does list the address under subjectAltNames; it has to be present specifically as an iPAddress entry, not as a DNS name.

For older Android versions, certificate verification passes as long as the CN matches.

Solution

Generate a certificate for the GlobalProtect Portal/Gateway that has the iPAddress SAN field, and replace the existing certificate.

The screenshot in the original article shows how to set an iPAddress Subject Alternative Name on the Palo Alto Networks Next-Generation Firewall. When generating the certificate, add an attribute of type "IP" and enter the IP address as the Value in the Certificate Attributes field. The generated certificate then shows the IP address value in its Subject Alternative Name field.

Set this certificate as the GlobalProtect Portal/Gateway certificate. After that, the VPN connection can be established.

Please see the following guide for deploying the GlobalProtect server certificate: Deploy Server Certificates to the GlobalProtect Components

Another available workaround is removing the CA certificate from the Android phone (generally under Settings > Security > Trusted credentials). In this case the GlobalProtect app shows an "Untrusted Certificate" warning once, and then the connection is established. This is generally not recommended, because it leaves users to check the identity of the Portal/Gateway manually and trains them to accept untrusted certificates.
dyamada ‎02-08-2017 09:20 AM
5,149 Views
0 Replies
1 Like
Overview

This document describes how to use a wildcard (multi-domain) certificate with one common name and Subject Alternative Names (SANs) for the other protected names. The DNS names for the GlobalProtect Portal and each GlobalProtect Gateway are assumed to be listed as SANs.

Steps

1. Create a CA root certificate.
2. Create a new certificate and have it signed by the CA root certificate generated in step 1. This is the wildcard certificate that will be used for the GlobalProtect Portal and Gateway. For example:
   Name: GP-Cert
   Common Name: *.example.com
   Subject Alternative Name: DNS Name=vpn1.example.com, DNS Name=vpn2.example.com
3. Associate the hostnames with the GlobalProtect Portal and Gateway IP addresses. For example:
   GlobalProtect Portal IP address: vpn2.example.com
   GlobalProtect Gateway IP address: vpn1.example.com
   Note: If the GlobalProtect Portal and Gateway share the same IP address (i.e. a Palo Alto Networks firewall interface is configured as both portal and gateway), a single hostname can be used for the shared IP address. For this example, the portal and gateway hostname would be vpn2.example.com.
4. Import the certificates into the certificate store of the GlobalProtect Portal firewall and of each GlobalProtect Gateway firewall (in a multi-gateway setup).
   In PAN-OS 4.0 and 4.1, the certificates are located at Device > Certificates.
   In PAN-OS 5.0, the certificates are located at Device > Certificate Management > Certificates.
5. Single firewall deployment: follow the portal configuration steps in the GlobalProtect Configuration Tech Note, along with the steps below:
   Use GP-Cert (from step 2) as the server certificate under the portal configuration.
   Use the CA root certificate (from step 1) under the "Trusted Root CA" section of the "Client Configuration".
   Specify the external gateway address. For this example, the gateway is vpn1.example.com.
6. Multi-gateway deployment: follow the gateway configuration steps in the GlobalProtect Configuration Tech Note, and use the GP-Cert certificate (from step 2) under the server certificate section.
kprakash ‎11-09-2016 11:53 AM
20,570 Views
3 Replies
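How a SAN-only verifier such as Android 6+ treats the GlobalProtect server certificate, reproduced with OpenSSL's own hostname and IP checks, as an added shell example (not code from either article above). It builds a certificate the way many admins first do, with the IP only in the CN, and the certificate the articles recommend: wildcard CN, the portal and gateway names from the wildcard article (vpn1/vpn2.example.com) as DNS SANs, and the address from the Android article (192.168.206.1) as an iPAddress SAN. OpenSSL, like Android 6+, accepts an IP only from an iPAddress SAN, and once any DNS SAN is present it no longer falls back to the CN, which is why every portal and gateway name has to be listed even under a wildcard CN. All names, the address and the scratch directory are made up; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks articles): SAN vs. CN
# matching as a SAN-only client sees it, using openssl's verify checks.
# vpn1/vpn2.example.com and 192.168.206.1 are made-up values.
set -eu
cd "${WORK:-$(mktemp -d)}"          # assumption: a writable scratch directory

# Certificate as many admins first build it: the IP only in the CN.
make_cn_only_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=192.168.206.1' \
        -keyout cn_only.key -out cn_only.pem 2>/dev/null
}

# Certificate the articles recommend: wildcard CN, every portal/gateway
# name as a DNS SAN, and the IP as an iPAddress SAN.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=*.example.com' \
        -addext 'subjectAltName=DNS:vpn1.example.com,DNS:vpn2.example.com,IP:192.168.206.1' \
        -keyout san.key -out san.pem 2>/dev/null
}

# Does the certificate match the name or address the client connected to?
# The self-signed certificate is used as its own trust anchor so that only
# the name check can fail.  Prints OK or FAIL.
# usage: matches cert.pem -verify_hostname name | matches cert.pem -verify_ip addr
matches() {
    if openssl verify -CAfile "$1" "$2" "$3" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    make_cn_only_cert
    make_san_cert
    echo "CN=IP only,   connect by IP:       $(matches cn_only.pem -verify_ip 192.168.206.1)"
    echo "IP in SAN,    connect by IP:       $(matches san.pem -verify_ip 192.168.206.1)"
    echo "wildcard+SAN, vpn1.example.com:    $(matches san.pem -verify_hostname vpn1.example.com)"
    echo "wildcard+SAN, other.example.com:   $(matches san.pem -verify_hostname other.example.com)"
}
demo
```

The last line of the demo is the caveat for the wildcard article: other.example.com is covered by the CN but not by a SAN, so a SAN-only client rejects it. Add a DNS SAN for every portal and gateway hostname, and an IP SAN for any address clients connect to directly.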
Issue

The passive unit in an HA pair cannot sync with the active device because it does not have a certificate. Syncing the certificate to the passive unit fails. When the certificate is added to the passive unit manually and a sync-to-peer is performed from the active unit, the sync fails and the passive unit deletes the newly installed certificate.

Resolution

Import the missing certificate into the passive unit. If the same certificate is used for options such as Forward Trust and Forward Untrust on the active firewall, make sure the same certificate on the passive device is selected with the same options (the original article shows the certificate settings on the active device and on the passive device side by side). Commit.

Then perform a config sync from the passive unit to the primary with the following CLI command:

> request high-availability sync-to-remote running-config

See Also: High Availability Synchronization

owner: nayubi
panagent ‎11-09-2016 11:05 AM
11,871 Views
2 Replies
Symptom

When browsing to Google or Yahoo sites with SSL decryption and FIPS mode enabled, the firewall presents the Forward Untrust certificate to the client.

Explanation

Both the Google and the Yahoo certificate chains terminate at a root certificate with a 1024-bit RSA key. Since 2010, certificates with 1024-bit keys are not FIPS-compliant, and therefore a firewall in FIPS mode will not trust the certificates. (The "verify error:num=20" lines in the captures below only mean that the workstation running openssl had no local copy of the root; they are unrelated to the key-size check.)

Google's certificate chain:

$ openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Equifax Secure Certificate Authority:

$ openssl x509 -in Equifax_Secure_Certificate_Authority.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 903804111 (0x35def4cf)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Validity
            Not Before: Aug 22 16:41:51 1998 GMT
            Not After : Aug 22 16:41:51 2018 GMT
        Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

Yahoo's certificate chain:

$ openssl s_client -connect yahoo.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Class 3 Public Primary Certification Authority:

$ openssl x509 -in Class-3-Public-Primary-Certification-Authority.pem -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  2 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

Workaround

There is no way to force the firewall to trust certificates with 1024-bit keys when FIPS mode is enabled. You can exempt the Google and Yahoo sites from SSL decryption using the following steps:

1. Create a custom URL category on the Objects > Custom Objects page that contains the following URLs:
   *.google.com
   *.yahoo.com
2. Create a new decryption policy on the Policies > Decryption page.
   a. Set the source and destination to match the existing decryption policy.
   b. Set the URL Category to the custom category created in step 1.
   c. Under the Options tab, select "No Decrypt".
   d. Place the "No Decrypt" policy above the existing decryption policy and commit.
nanderson ‎05-06-2016 03:26 PM
14,817 Views
0 Replies
1 Like
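An audit of every certificate in a PEM bundle for the two conditions the Panorama expiration article and the FIPS article above describe, a key below 2048 bits (the Equifax and VeriSign roots above) and an expiry inside a warning window (the Panorama "localhost" root), as an added shell example that is not code from either article. The bundle can be anything you export, or the output of "openssl s_client -connect host:port -showcerts" saved to a file (port 3978 for Panorama; the mutual-authentication request does not stop the server chain from being sent). The certificates it audits here are generated locally; "Old 1024-bit Root", "Current Root" and the scratch directory are made up, and the 2048-bit threshold is for RSA keys.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks articles): audit each
# certificate in a PEM bundle for a weak RSA key and for imminent expiry.
# Test certificates are generated locally with made-up names.
set -eu
cd "${WORK:-$(mktemp -d)}"          # assumption: a writable scratch directory

MIN_BITS=2048                       # RSA keys below this are flagged (FIPS mode rejects 1024)

# constructed test data: a 1024-bit root expiring tomorrow, a sound 2048-bit one
make_test_certs() {
    openssl req -x509 -newkey rsa:1024 -nodes -days 1 -subj '/O=Example/OU=Old 1024-bit Root' \
        -keyout weak.key -out weak.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/O=Example/CN=Current Root' \
        -keyout strong.key -out strong.pem 2>/dev/null
}

# i-th certificate block of a bundle
nth_cert() {
    awk -v want="$2" '/BEGIN CERTIFICATE/{k++} k==want{print} /END CERTIFICATE/{if (k==want) exit}' "$1"
}

# Findings for one certificate: WEAK_KEY if the public key is shorter than
# MIN_BITS, EXPIRING if it expires within $2 days, otherwise OK.
audit_cert() {                    # usage: audit_cert cert.pem warn_days
    bits=$(openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    findings=""
    [ "${bits:-0}" -lt "$MIN_BITS" ] && findings="$findings WEAK_KEY"
    # -checkend exits 1 when the certificate expires within the given number of seconds
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null \
        || findings="$findings EXPIRING"
    # unquoted on purpose: collapses the leading space into single separators
    echo ${findings:-OK}
}

# One report line per certificate in the bundle.
audit_bundle() {                  # usage: audit_bundle bundle.pem warn_days
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        nth_cert "$1" "$i" > "cert_$i.pem"
        subj=$(openssl x509 -in "cert_$i.pem" -noout -subject)
        end=$(openssl x509 -in "cert_$i.pem" -noout -enddate)
        printf '%d: %s | %s | %s\n' "$i" "$subj" "$end" "$(audit_cert "cert_$i.pem" "$2")"
        i=$((i + 1))
    done
}

demo() {
    make_test_certs
    cat weak.pem strong.pem > bundle.pem
    audit_bundle bundle.pem 30
}
demo
```

For a live check, "openssl s_client -connect panorama:3978 -showcerts </dev/null 2>/dev/null > chain.pem" followed by "audit_bundle chain.pem 30" reports the "localhost" root's new expiry without going through the browser's certificate viewer.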
Issue

With SSL Decryption configured on the Palo Alto Networks device, the following error appears when accessing a Google service from the Chrome web browser: "This is probably not the site you are looking for!"

Cause

Google Chrome has a built-in protection (certificate pinning) for Google services (such as Gmail, Google Calendar, Google Drive, and even YouTube): the connection is refused when the certificate chain is not one Chrome expects and the signing root certificate is not explicitly installed on the machine. Other web sites work without any issues.

Resolution

Import the firewall's forward trust root certificate into "Trusted Root Certification Authorities" on the end user's machine. Chrome does not enforce its built-in pins for chains that end in a locally installed root, so Google services (Gmail, Google Calendar, Google Drive, and YouTube) become accessible.

owner: hshah
hshah ‎05-03-2016 02:08 PM
22,421 Views
5 Replies
Issue

When connecting to GlobalProtect from a client, a Server Certificate Error is displayed.

Cause

The CN (FQDN or IP address) in the certificate used as the server certificate (Device > Certificate Management > Certificates) is different from the address configured in Network > GlobalProtect Portals > Portal profile > Client Configuration > Gateways > Internal or External Gateways.

Resolution

1. Ensure the CN in the certificate being used (Device > Certificate Management > Certificates) is the same as the gateway address configured in Network > GlobalProtect Portals > Portal profile > Client Configuration > Gateways > Internal or External Gateways.
2. If the CN is an FQDN, ensure it resolves to the same IP address as used in the above configuration.
3. If the certificate you use for GlobalProtect is not a CA certificate and is signed by a private CA, you will see the error even when the private CA is installed as a trusted CA on the client machine and steps 1 and 2 are okay. Use a private CA for GlobalProtect and make sure steps 1 and 2 are fulfilled.
rchougale ‎04-12-2016 06:24 PM
18,088 Views
2 Replies
1 Like
The portal has the IP address 192.168.16.18. The following additional steps have to be done to configure two-factor authentication, where the client provides a password and a certificate to authenticate to the portal and/or gateway. In this example the firewall is used to create the root CA certificate and the client certificate.

1. Create a root CA certificate on the firewall.

2. Create a certificate on the firewall for GlobalProtect (the server certificate). Its CN must match the FQDN or IP that you are using for GlobalProtect.

3. Use your enterprise PKI or a public CA to issue a client certificate to each GlobalProtect user, or issue it from the root CA created in step 1. The client must present a client certificate that chains to the CA in the certificate profile in order to connect. All clients can share the same client certificate or each can have its own; only a per-user certificate can identify the end user and feed the username field described below.

4. Create a certificate profile for client authentication and reference the root CA in it.

   If the certificate profile does not specify a username field (that is, Username Field is set to None), the client certificate does not need to contain a username. In this case the client must provide the username when authenticating against the authentication profile.

   If the certificate profile specifies a username field, the certificate the client presents must contain a username in the corresponding field. For example, if the certificate profile specifies Subject as the username field, the certificate presented by the client must contain a value in the common-name field, or authentication fails. In addition, when the username field is required, the value from that field of the certificate is automatically populated as the username when the user is prompted for credentials.

5. Reference that certificate profile in the portal and gateway configuration.

6. Install the client certificate on the client machine. If the certificate is not installed, the client shows an error (screenshot in the original article).
pankaku ‎03-08-2016 03:03 PM
4,887 Views
2 Replies
  Issue You have configured your portal and gateway to use the authentication profile and certificate profile 2 factor authentication, but you see the below error message in the status page of the GlobalProtect client when try to connect the GlobalProtect on the client computer: "Required Client Certificate is not found"   You also see this error message in the PanGP Service Log: Debug(3624): Failed to pre-login to the portal XX.XX.XX.XX. Error 0 Debug(1594): close WinHttp close handle. Debug(3588): prelogin status is Error Error(3591): pre-login error message: Valid client certificate is required Debug(1594): close WinHttp close handle. Debug(4213): portal status is Client Cert Required. Debug(3697): Portal required client certificate is not found.   Solution These errors occured because there is no correct/valid certificate in the client computer. The certificate imported to the client machine must match with the 'Server Certificate' in the portal and gateway setting. In cases of self-signed certificates, the certificate will need to be imported to both personal and trusted root CA. For instructions of how to import the certificate to the client computer, please click here and refer to step #2.   Follow these instructions to import the certificate in P12 format to the client computer (Windows Machine):   Click Start > Run mmc. Click File > Add/Remove Snap-In. Select Certificate and click Add, and select Computer Account. Click OK. Now you can import the Certificate to 'Personal' and 'Trusted Root CA.'
hsanada 01-22-2016 07:26 AM
Overview
The NCP Secure Entry Client is an IPsec-compliant third-party application that can be used to establish a connection to a GlobalProtect Gateway using either a PSK or certificates with XAUTH. Versions are currently available for Windows, Mac OS X, and Android operating systems. The instructions below pertain to the Windows client and assume that the GlobalProtect Gateway has already been configured on the Palo Alto Networks firewall. Otherwise, refer to How to Configure GlobalProtect.

Steps
1. Open the NCP Secure Entry Client and go to Configuration > Profiles. Click the Add / Import button.
2. Choose the Connection Type. Select Link to Corporate Network Using IPsec.
3. Choose the Profile Name. Enter an alphanumeric name for the connection profile.
4. Choose the Communication Medium. Select the proper Communication Media depending on how the client connects to the internet. The two most common options are LAN (over IP) for Ethernet and Wi-Fi for wireless connections. The NCP client selects the connection media automatically if automatic media detection is selected.
5. Set the VPN Gateway Parameters.
   Gateway (Tunnel Endpoint): the DNS name or IP address of the GlobalProtect Gateway configured on the Palo Alto Networks firewall.
   Check the Extended Authentication (XAUTH) box. Enter a User ID and Password that can be authenticated by the Palo Alto Networks firewall.
   Note: The gateway address 1.1.1.1 is not active and is used only as an example.
6. IPsec Configuration.
   Exchange Mode: for PSK authentication, select aggressive mode (IKEv1); for certificate authentication, select main mode (IKEv1).
   PFS Group: none.
   The PSK configuration is shown above.
7. Local Identity (IKE).
   For PSK authentication: Type: select Free string used to identify groups. ID: enter the Group Name configured under Network > GlobalProtect Gateways > Client Configuration on the Palo Alto Networks firewall.
   For certificate authentication: Type: select ASN1 Distinguished Name. ID: leave this field blank.
8. Pre-shared Key (required for PSK authentication only).
   Shared Secret: enter the Group Password configured under Network > GlobalProtect Gateways > Client Configuration on the Palo Alto Networks firewall.
   The configuration for PSK authentication is shown below.
   GlobalProtect Gateway Client Configuration (7.0.1 firmware). Settings for PSK authentication are highlighted. When using certificates, the highlighted fields should be left blank.
   The configuration for certificate authentication is shown below.
9. Configure the IP Addresses. IP Address Assignment: select IKE Config Mode. Do not modify the DNS Server or WINS Server fields.
10. Set up the Firewall. Select the desired Stateful Inspection setting and click the Finish button.
   If using PSK authentication, the configuration is complete and you should be able to connect to the GlobalProtect Gateway. If you are using certificate authentication, continue with the steps below.
11. Export the root and client certificates from Device > Certificate Management > Certificates on the Palo Alto Networks firewall.
   Note: This step is not necessary if an external CA is used, but the root certificate must be DER encoded and the client certificate must be in PKCS#12 format.
12. Export the root certificate in the Binary Encoded Certificate (DER) format.
13. Export the client certificate in the Encrypted Private Key and Certificate (PKCS12) format. The NCP client will prompt for the Passphrase before connecting to the VPN.
14. In the NCP client, go to Configuration > Certificates. Click the Add button.
   User Certificate Name: enter a name for the certificate configuration.
   Certificate: select from PKCS#12 file.
   PKCS#12 Filename: browse to the client certificate exported from the Palo Alto Networks firewall.
   (Optional) Check the PIN Request at each Connection box if you want the user to enter the client certificate Passphrase before every connection attempt.
   Click the OK button.
15. In the NCP client, go to Configuration > Profiles, select the previously configured profile, and click the Edit button.
16. Profile Settings: in the left menu, select Identities. Certificate Configuration: select the certificate configuration you created earlier. Click the OK button.
17. Move the exported root certificate into the NCP > SecureClient > CaCerts directory. The default installation path is C:\Program Files (x86)\NCP\SecureClient\CaCerts.

You should now be able to use the NCP client to connect to the GlobalProtect Gateway using certificates and XAUTH.
nanderson 01-18-2016 07:28 AM
Overview
SSL is an acronym for Secure Sockets Layer, an encryption technology that was created by Netscape. SSL certificates create an encrypted connection between a web server and a web browser, allowing private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery.

Types of SSL certificates and where they are used on Palo Alto Networks devices. The certificate types are: Self-Signed (PAN), Public CA issued, Wildcard, Subject alt name, and Subordinate CA (internal source).

WebUI: Self-Signed (PAN), Public CA issued, Wildcard, Subject alt name
Captive portal - transparent: Self-Signed (PAN)
Captive portal - redirect: Self-Signed (PAN), Public CA issued, Wildcard, Subject alt name
SSL forward proxy (decryption out): Self-Signed (PAN), Subordinate CA (internal source)
SSL inbound proxy (decryption in): Public CA issued, Wildcard, Subject alt name, Subordinate CA (internal source)
GlobalProtect - gateway, portal and client authentication: all five types
URL filtering override page: Self-Signed (PAN), Public CA issued, Wildcard, Subject alt name

The following list provides valuable resources on understanding and configuring SSL certificates. All entries are documents; where the description adds to the title it follows after a colon.

Basic
- How to generate a CSR (certificate signing request) and import the signed certificate
- How to generate a new self-signed SSL certificate
- Troubleshooting SSL certificates in PAN-OS: troubleshooting tips for general SSL certificates
- Pushing SSL decryption certificates using GPO
- How to perform a client certificate install for SSL decryption: how to install a client certificate for SSL decryption
- How to install a chained certificate signed by a Public CA

Intermediate
- SSL certificates with HTTPS CRL: information about SSL certificates with HTTPS for the CRL
- Exporting IIS SSL certificate: how to export the SSL certificate from a Microsoft IIS server
- How to implement certificates issued from Microsoft certificate services
- How to delete certificates on a Palo Alto Networks firewall

Advanced
- Commit error received after configuring SSL decryption for certificate generation: configuring SSL decryption - commit fails after generating a certificate error
- SSL decryption stops working on Firefox after changing SSL decryption certificate: after changing the SSL decryption certificate, SSL decryption does not work with Firefox
- Wrong certificate used when SSL decryption is enabled: untrusted certificate presented when performing SSL decryption
- Error deleting certificate - Web-server-certificate: error received when attempting to delete a certificate that is used as the web server certificate
- URL admin override not working with new SSL certificate
- How to use a Wildcard SSL certificate with Subject Alternative Names (SAN) for GlobalProtect portal and gateway: how to use a wildcard (multi-domain) certificate with one common name and Subject Alternative Names (SAN) for other protected domains
- Error deleting certificate on PAN-OS - ssl-decrypt; trusted-root-CA
- Captive portal using transparent mode with LDAP auth or redirect mode with client certificate auth in Vwire deployment: guide to configuring captive portal in a Vwire deployment
- Windows certificate authority delivers certificates that cannot be read by PAN-OS

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.

Browser certificate errors
Remember that three things are always checked in an SSL certificate:
1. Does the certificate name match the FQDN or IP address?
2. Is it from a trusted CA?
3. Is the certificate expired?
If these items are OK, then the certificate should be fine.

owner: jdelio
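The name and expiry checks from the list above, written out as an added example (not from the original article): DNS names are matched against the SANs, or the CN when no DNS SAN exists, with one-label wildcards handled the way the wildcard/SAN GlobalProtect setup relies on; IP targets only match IP SANs. Trust-chain checking needs the issuer chain and is not modelled; CertNames and the sample values are constructed stand-ins for fields a parsed certificate would carry.

```python
"""Offline hostname and validity-period checks for an X.509 certificate.
CertNames is a constructed stand-in for the parsed fields; no real
certificate is parsed here."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so callers can build timezone-aware instants tersely."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class CertNames:
    common_name: str
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)
    not_before: datetime = utc(2000, 1, 1)
    not_after: datetime = utc(2100, 1, 1)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match. A '*' may only replace the whole
    leftmost label, never matches across a dot, and needs at least two
    labels after it (so '*.com' never matches anything)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert: CertNames, target: str) -> bool:
    """Match what the user typed against the certificate's names. IP targets
    only match IP SANs; DNS targets match DNS SANs, falling back to the CN
    only when the certificate carries no DNS SAN at all (browser behaviour)."""
    try:
        ip = ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ip_address(s) for s in cert.ip_sans)
    if cert.dns_sans:
        return any(_dns_match(s, target) for s in cert.dns_sans)
    return _dns_match(cert.common_name, target)


def time_valid(cert: CertNames, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def check(cert: CertNames, target: str, now: datetime) -> list:
    """Return the failed checks; an empty list means name and dates are fine."""
    problems = []
    if not name_matches(cert, target):
        problems.append("name mismatch")
    if not time_valid(cert, now):
        problems.append("expired or not yet valid")
    return problems


# Constructed sample: a wildcard certificate with extra SANs, as in the GP article.
SAMPLE = CertNames(common_name="*.example.com",
                   dns_sans=["*.example.com", "gp.example.net"],
                   ip_sans=["192.0.2.10"],
                   not_before=utc(2015, 1, 1), not_after=utc(2016, 1, 1))

if __name__ == "__main__":
    print(check(SAMPLE, "portal.example.com", utc(2015, 6, 1)))   # []
```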
01-06-2016 02:57 PM
Symptom
The HA-Sync job on the HA peer fails; the details of the job ID reveal an error similar to the one below.

Inside the CLI:
admin@firewall(passive)> show jobs id <job id>

Enqueued            ID   Type     Status  Result  Completed
--------------------------------------------------------------------------
2015/06/06 19:09:47 9    HA-Sync  FIN     FAIL    19:09:52
Warnings:
Details:ssl vpn cert file (GlobalProtect) processing failed (Module: rasmgr)
global-protect-gateway tunnel interface (tunnel.1) in vsys (vsys1) parsing failed (Module: rasmgr)
Commit failed

Cause
In this example, the GlobalProtect certificate is also selected as the WebGUI certificate.

To verify this, go to the WebGUI, Device > Certificate Management > Certificates, and click on the certificate name (GlobalProtect in this example); you will see that "Certificate for Secure Web GUI" is selected.

Solution
To resolve this error, clear the "Certificate for Secure Web GUI" check box on the GlobalProtect certificate, then commit the changes. The HA pair will now sync properly.

If you need to use an SSL certificate for the WebGUI (Secure Web GUI), you will need to create and use a separate certificate for the WebGUI.

owner: mivaldi
mivaldi 12-31-2015 07:28 AM
Issue
When SSL decryption is turned on and a particular website is accessed, packets are dropped with the message 'proxy decrypt failure' in the session detail. This article explains one probable cause and how to fix it.

Packets are dropped for a particular website. Checking 'show session all filter source <src-ip>' and the associated 'show session <id>' shows that the packet is discarded with the tracker stage firewall as 'proxy decrypt failure', as below:

Running the global counters shows an 'unsupported SSL protocol' message:

If the web server and client can only negotiate a cipher suite that is unsupported, the connection is dropped because it cannot be decrypted. See the list of supported cipher suites.

Workaround
Create a no-decrypt rule for that destination, or choose a cipher suite that is supported on the firewall.
rrajendran 12-10-2015 11:11 AM
Overview
This article provides the steps to configure certificate-based authentication to the Palo Alto Networks web interface.
Note: After enabling this authentication, all username/password logins are disabled for all administrators. Administrators must be issued certificates in order to log in.

Links to Latest Procedures
For the latest procedures, see the following topics in the user guides:
Firewall: Configure Certificate-Based Administrator Authentication to the Web Interface
Panorama: Configure an Administrator with Certificate-Based Authentication for the Web Interface

Steps
1. Generate a CA. Go to Device > Certificates, click Generate, and ensure CA is checked.
2. Create the Client Certificate Profile. Go to Device > Client Certificate Profile, click Add, and change Username to Subject; the next field will be common-name. Also add the CA created in Step 1.
3. Set the Client Certificate Profile in the Authentication Settings. Go to Device > Setup, click to edit the Authentication Settings window, and assign the Client Certificate Profile created in Step 2.
4. Create an Admin with the client certificate authentication setting checked. Go to Device > Administrators and click Add. Ensure the option to use only client certificate authentication (Web) is checked.
5. Create the client certificate for the newly created Administrator. Go to Device > Certificates > Generate. Ensure that the certificate is signed by the CA created in Step 1. Verify that the common name field has the Administrator's name created in Step 4.
6. Export the Administrator's client certificate. Go to Device > Setup. In the Certificates section, check the client certificate's checkbox. Click Export. Verify that the File Format is PKCS12 and enter a passphrase.
7. Commit. The following message is displayed:
8. Import the Administrator's client certificate into the browser (Firefox for this demo). Go to the Firefox options menu. Click View Certificates. Click Import and point to the Admin's client certificate previously exported. Enter the passphrase.
9. Go to the Palo Alto Networks WebGUI (ensure HTTPS is enabled on the interface). Choose the client certificate.
10. This warning is displayed because the certificate isn't trusted. Add the exception.
11. Click Login.
panagent 12-07-2015 02:50 PM
Issue
While using certificate authentication with Internet Explorer (up to IE10), logging into the Palo Alto Networks device WebGUI causes the login page to be displayed again instead of the Web UI page. Checking the device system logs shows that the user login succeeded. Logging in with the Mozilla Firefox and Google Chrome web browsers works as expected.

Cause
Internet Explorer ignores/drops cookies for site names that contain an underscore character.

Example: The URI and certificate common name for the Web UI is: adm_stage.example.com

Resolution
To resolve this issue, change the DNS name from adm_stage.example.com to adm-stage.example.com and recreate the user certificate with the new DNS name. Additionally, configure the site under Internet Explorer "Compatibility View".

owner: dmaynard
dmaynard 09-09-2015 12:52 PM
Symptoms
When trying to use a certificate for SSL decryption, the following error might appear during a commit: Certificate 'cert_name' failed to load: parse tbs certificate not supported algorithm

Issue
This error occurs when either the RSA key of that certificate is stronger than RSA 3072 or the hash is stronger than SHA 256.

Resolution
Create a certificate that uses RSA 3072 and SHA 256 or lower.

owner: nbilly
npare 09-09-2015 12:29 PM
Issue
The following error appears after a commit or as a high severity system log event: Key generation operation failed - RSA.

Detail of the system event:
domain: 1
receive_time: 2014/11/11 09:13:53
serial: 012345678
seqno: 11128
actionflags: 0x0
type: SYSTEM
subtype: general
config_ver: 0
time_generated: 2014/11/11 09:13:53
vsys: vsys1
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: Key generation operation failed - RSA

Cause
This error only appears when FIPS (Federal Information Processing Standards 140-2) mode is enabled and:
- any certificates included in that config are 1024 bits or less, or
- SSH key-based authentication is set to 1024 bits or less for admin logins.

This error is only a notification that the certificates are not FIPS compliant; it is not service impacting.

Per the Admin Guide, the requirements when enabling FIPS mode are:
- Self-generated and imported certificates must contain public keys that are 2048 bits or higher.
- SSH key-based authentication must use RSA public keys that are 2048 bits or higher.

Resolution
Any certificates that are in the configuration, used or not, need to meet the FIPS requirements. Any certificates or SSH key-based authentication need to be 2048 bits or higher.

Contact Palo Alto Networks Support if any assistance is needed to resolve this issue.

owner: jdelio
09-09-2015 08:07 AM
Issue
A Nessus vulnerability scan reported a weak and untrusted certificate on the User-ID Agent.

Cause
All User-ID Agent installations use the same certificate, "ca-cert.pem". This is by design, to balance Palo Alto Networks firewall management plane performance when communicating with the User-ID Agent.

The certificate is located at C:\Program Files \Palo Alto Networks\User-ID Agent\ca-cert.pem and its MD5 hash is 1c4b5646d3fb8814c9944d3908396316.

The current default User-ID Agent install has the following characteristics:
- The default certificate key is only 1048 bits.
- The default certificate cipher is weak, using the RC4 cipher.
- The default certificate is only self-signed, with no level of authority.
- The default certificate is not trusted from the perspective of vulnerability scanners.

owner: jlunario
pagmitian 09-09-2015 01:42 AM
Details
When a customer creates a Client Certificate Profile and enables "Use CRL", the CRL files should be in Distinguished Encoding Rules (DER) format.

Use the following CLI command to verify that the use of CRL is enabled:
> show system setting ssl-decrypt setting
vsys                          : vsys1
Forward Proxy Ready           : yes
Inbound Proxy Ready           : yes
Disable ssl                   : no
Disable ssl-decrypt           : no
Notify user                   : no
Proxy for URL                 : no
Wait for URL                  : no
Block revoked Cert            : yes
Block timeout Cert            : no
Block unknown Cert            : no
Cert Status Query Timeout     : 5
URL Category Query Timeout    : 5
Use Cert Cache                : yes
Verify CRL                    : yes
Verify OCSP                   : no
CRL Status receive Timeout    : 5
OCSP Status receive Timeout   : 5

If Verify CRL is shown as "no", it can be enabled with the following CLI commands:
> configure
# set deviceconfig setting ssl-decrypt crl yes
# commit

Additional Information on Debug Commands
Enable debug:
> debug sslmgr on debug
Note: Run the debug mode for 3 to 4 hours to cover at least a couple of "Next Update" time periods for the CRL in question, and collect the Tech Support file.

Collect the following every half "Next Update" period:
> show clock
> debug sslmgr statistics
> debug sslmgr tar-all-crl
> debug sslmgr view crl <value>

Disable debug:
> debug sslmgr on info

Clear the CRL cache on the CP and DP:
> debug sslmgr delete crl all
> debug dataplane reset ssl-decrypt certificate-cache

For more information, review the OpenSSL online manual: http://www.openssl.org/docs/apps/crl.html

owner: kkondo
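As an added example (not from the original article), the DER requirement above checked in standard-library Python: a CRL file is classified as DER only when its outer SEQUENCE length spans the whole file, and a PEM-armored CRL is converted to the DER form the firewall expects. The sample bytes are a constructed placeholder SEQUENCE, not a real CRL.

```python
"""Classify a CRL file as DER or PEM and convert PEM to DER.
Pure standard library; SAMPLE_DER is a constructed placeholder, not a CRL."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def der_length(data: bytes) -> int:
    """Total encoded length of the outermost DER TLV, or -1 if the header
    is not a well-formed definite-length SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:                              # short form: one length byte
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:      # 0x80 (indefinite) is not DER
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def crl_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the bytes of a CRL file."""
    if PEM_RE.search(data):
        return "PEM"
    if der_length(data) == len(data):             # TLV must span the whole file
        return "DER"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armor and base64-decode it; reject anything that does
    not decode to a single well-formed DER SEQUENCE."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no X509 CRL PEM block found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if der_length(der) != len(der):
        raise ValueError("PEM body is not a single DER SEQUENCE")
    return der


def to_der(data: bytes) -> bytes:
    """Return DER bytes suitable for import regardless of the input format."""
    fmt = crl_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        return pem_to_der(data)
    raise ValueError("file is neither DER nor PEM")


# Constructed sample: a 5-byte SEQUENCE holding INTEGER 5 (stand-in, not a real CRL).
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

if __name__ == "__main__":
    print(crl_format(SAMPLE_PEM), to_der(SAMPLE_PEM).hex())   # PEM 3003020105
```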
kkondo 09-08-2015 04:45 PM
Issue
An imported certificate for the Secure Syslog service cannot be deleted and errors out with:
Failed to delete Certificate - SyslogCert. SyslogCert cannot be deleted because of references from: deviceconfig > system > syslog-certificate

Resolution
1. Make sure that the certificate is unchecked for Secure Syslog.
2. Delete the certificate reference from the CLI configuration mode with the following commands:
> configure
# delete deviceconfig system syslog-certificate

owner: kadak
kadak 09-08-2015 03:00 AM