Management Articles

Featured Article
Issue
After configuring the GlobalProtect Gateway and Portal, connecting to the Portal from a browser fails with a certificate error:
- Mozilla Firefox: Error code: sec_error_bad_signature
- Google Chrome: You attempted to reach <portal Address>, but the server presented an invalid certificate

Cause
This occurs when the Common Name (Subject) of the root certificate used to sign the GlobalProtect server certificate is the same as the Common Name of the server certificate itself. In the original example, GlobalProtectServerCert is signed by GlobalProtectRoot, yet both certificates appear on the same level in Device > Certificates because their Common Names are identical. Chain building matches a certificate's Issuer field against candidate Subjects, so two certificates with the same Subject are ambiguous to the client: the server certificate's Issuer names itself as well as the root, and the browser cannot verify the signature against the certificate it picks.

Resolution
Create a new root and server certificate pair for the GlobalProtect Gateway and Portal, and give the root certificate a Common Name (Subject) that is different from the server certificate's. The certificate list should then show GlobalProtectServerCert nested under its root certificate. Assign GlobalProtectServerCert to the GlobalProtect Gateway and Portal to complete the configuration.

owner: jteetsel
jteetsel ‎09-07-2015 06:45 PM
Details
One certificate can serve several host names through the Subject Alternative Name (SAN) extension. A certificate used for VPN may need to match vpn.yourcompany.com, while the same certificate used for firewall GUI access must match the firewall's own DNS name, for example pan-fw01.yourcompany.com. Instead of generating one certificate per name, generate a single certificate and list every name as a SAN. Public certificate authorities accept SANs in a CSR, and the same technique works for self-signed certificates and for certificates issued by a private CA on the firewall.

Steps
1. Generate the certificate under Device > Certificates > Generate and give it a Common Name that resolves in DNS. In the original example the certificate was issued by a private CA on the firewall, but the same steps apply when generating a CSR.
2. Add the alternative names under Certificate Attributes, choosing the Host Name or IP Address attribute type for each entry.
3. Verify that the names were included by exporting the certificate and opening it (double-click the file on Windows). The Subject still shows the Common Name, and the Subject Alternative Name extension lists the additional names.

The certificate is then accepted for any of the listed URLs. Note: current browsers ignore the Common Name entirely and match the requested name against the SAN only, so the Common Name itself should also be listed as a Host Name attribute.

owner: jperry
jperry1 ‎09-07-2015 06:16 AM
Overview
This document describes how to configure the firewall as an OCSP responder.

Steps
1. Go to Device > Certificate Management > OCSP Responder and create a new responder. Enter the IP address of the firewall interface that will answer OCSP queries.
2. Under Device > Certificate Management > Certificates, create a new certificate and select the OCSP Responder created in Step 1. The certificate must be signed by a CA already present on the firewall, or be a self-signed CA certificate itself.
3. Under Network > Network Profiles > Interface Mgmt, create a new profile or modify an existing one and enable the HTTP OCSP option.
4. Under Network > Interfaces, open the interface whose IP address was used in Step 1 and, on the Advanced tab, select the management profile from Step 3.
5. (Optional, depending on configuration) If the firewall has a blanket deny-all rule, add a security policy that allows intra-zone traffic in the zone of the interface from Step 4. The rule can be restricted to the ocsp application.

Testing with OpenSSL
Two or three certificates are needed:
- the root CA certificate
- the signing certificate (the root itself, or an intermediate)
- the server certificate to check

The following command assumes the root signed the server certificate directly, with no intermediate CA:

openssl ocsp -issuer root.cer -CAfile root.cer -cert server.cer -url http://192.0.2.1/CA/ocsp

- root.cer is the root CA, here also the issuer of the server certificate. With an intermediate CA, pass the intermediate as -issuer (openssl needs the direct issuer to build the request) and keep the root as -CAfile.
- server.cer is the server certificate.
- http://192.0.2.1/CA/ocsp is the full URI of the OCSP responder on the firewall. The path /CA/ocsp is required; without it the test fails.

The responder listens on plain HTTP. That is normal for OCSP: the response is signed by the responder certificate from Step 2, which is what the client verifies.

owner: gwesson
gwesson ‎09-03-2015 08:05 PM
Microsoft ships certreq.exe with Windows for creating and submitting certificate signing requests (CSRs) to a Microsoft certificate server. Together with certutil it can replace openssl in environments that use a Microsoft CA, and the commands work from any domain-member system. Certreq reads the certificate details from an .inf file. Edit the following sample in Notepad and save it as, for example, ssl.inf:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=your.server.name"
; For a wildcard use "CN=*.DOMAIN.COM" for example
; For an empty subject use the following line instead or remove the Subject line entirely
; Subject =
Exportable = TRUE     ; Private key is exportable! Required here, because the key is exported as PKCS#12 for the firewall later
KeyLength = 2048      ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384. Use 2048 or larger; 512 and 1024 are too weak
KeySpec = 1           ; AT_KEYEXCHANGE
KeyUsage = 0xA0       ; Digital Signature, Key Encipherment
MachineKeySet = True  ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

; At least the certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=your.computer.name"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate= WebServer ; or =SubCA for SSL-D or CA certificates

Notes:
- If the client has no access to templates, click OK on the "template not found" dialog that certreq shows.
- The dialog about an unreferenced [Strings] section can be ignored.
- List every name clients will use in the Subject Alternative Name, separated with & (for example "{text}dns=vpn.example.com&dns=pan-fw01.example.com"), and include the Subject's own name, because browsers match the SAN rather than the Subject.

Steps
1. Compile the INF file into a REQ file. The following command generates the key material and turns the INF file into a certificate request:
certreq -new ssl.inf ssl.req
After the request has been created, it can be inspected with:
certutil ssl.req
2. Submit the REQ file to the CA. If the CA is reachable over RPC, submit the request with:
certreq -submit ssl.req
A selection dialog lets you pick the CA. If the CA issues certificates immediately based on the template settings, you are prompted to download the certificate and name it; this example uses ssl.cer. If RPC traffic is not allowed between the requesting computer and the CA, copy the request file to the CA and run the command there.
3. Install the issued certificate. Once the certificate is available as a file, run:
certreq -accept ssl.cer
This places the certificate in the computer's Personal store, links it with the key material created in Step 1 and builds the certificate property, which stores information such as the friendly name that is not part of the certificate itself.
4. After Steps 1 to 3, the certificate shows up in the Windows certificates interface and can be exported in PKCS#12 format, including the private key, for import into the firewall.

owner: npiagentini
nrice ‎09-03-2015 06:45 PM
Yes. Follow the steps below to configure on-demand and pre-logon:

Steps
1. Go to Network > GlobalProtect > Portals and select the desired portal.
2. Under Client Configuration, set the Connect Method to 'on-demand' in the configuration that applies to the users or user groups that need on-demand access.
3. For pre-logon, click Add under Client Configuration and create a configuration with Connect Method 'pre-logon' for the users that need pre-logon access.

owner: ashaikh
ashaikh ‎09-03-2015 02:50 PM
Symptom
Using a server certificate whose CRL Distribution Point is an HTTPS URL results in the certificate not being used, because its revocation status cannot be determined.

Cause
The CRL checking process cannot fetch CRLs over HTTPS, so the status check fails with an error such as:
[OCSP] Certificate status is unknown: depth:0

Resolution
CRLs published over HTTP are supported. Use certificates whose CRL Distribution Point is an http:// URL. This is the norm for CRLs: the CRL is signed by the CA, so its integrity does not depend on the transport, and fetching it over HTTPS would require validating yet another certificate (and its revocation status) first.

owner: jdelio
‎09-03-2015 04:39 AM
Issue
After configuring GlobalProtect, installing the agent and attempting to connect, the agent shows:
GP Client Error: Gateway xx.xx.xx.xx : Protocol Error, Check server Certificate.

Resolution
Check the following:
- The certificate's validity period (Valid From / Valid Until) covers the current date.
- The firewall's clock is correct. A wrong time on the firewall makes an otherwise valid certificate look not yet valid or already expired. Use NTP if the time is not accurate.

owner: vvasilasco
vvasilasco ‎09-02-2015 01:15 AM
Issue
Internet Explorer shows the error "Valid client certificate required".

Cause
This is not a browser issue. The GlobalProtect configuration requires a client certificate, and the browser does not have one in the correct certificate store.

Resolution
Obtain a client certificate from the GlobalProtect Gateway and install it in the Windows certificate store that Internet Explorer uses (Current User > Personal).

See Also:
https://live.paloaltonetworks.com/t5/Articles/How-to-Issue-Certificates-to-GlobalProtect-Devices/ta-p/53642
https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-GlobalProtect-for-Authentication-Using-Only/ta-p/54910

owner: ssastera
ssastera ‎09-01-2015 12:08 PM
Issue
With SSL decryption enabled on the Palo Alto Networks firewall, the Google Drive desktop client loses its connection and does not synchronize files to the cloud.

Cause
The firewall does not identify the Google Drive client's traffic as "Google Drive" through the application database; it is identified as "SSL". If decryption is enabled for SSL traffic, the Google Drive client's sessions are decrypted and fail. With SSL Forward Proxy decryption, the firewall receives the external site's certificate and presents to the client a certificate it generates on the fly for that site, signed by the firewall's Forward Trust CA. A client that trusts that CA encrypts toward the firewall, which decrypts and inspects the traffic and re-encrypts it toward the real site using the site's real certificate.

The Google Drive client expects a certificate issued by Google's own CA. It does not accept the certificate generated by the firewall, treats it as untrusted and closes the connection.

Resolution
There are two workarounds:
1. Create a custom URL category for the Google Drive sites and add a Decryption policy rule with action no-decrypt for it, so that traffic to Google Drive bypasses decryption.
2. Run the Google Drive client with the unsafe_network flag so that it accepts untrusted certificates:
   a. Open the Google Drive menu on the desktop and select Quit Google Drive.
   b. Open a command prompt (cmd.exe).
   c. Change to the Google Drive folder: C:\Program Files\Google\Drive on a 32-bit system, C:\Program Files (x86)\Google\Drive on a 64-bit system.
   d. Start the client:
      C:\Program Files (x86)\Google\Drive>googledrivesync.exe --unsafe_network
   The client synchronizes after a few minutes.

Note: With the second option the client must be started from the command prompt this way every time it is opened. For many users this becomes a chore, so consider a startup script. Be aware that --unsafe_network switches off the client's certificate validation entirely: the client will then also accept a certificate from any other interception point, not only the firewall. The decryption bypass is the safer choice.

Note: The same issue affects other client-based applications such as Twitter or Dropbox that verify the server certificate themselves.

See Also: Controlling SSL Decryption

owner: ssunku
Phoenix ‎09-01-2015 03:21 AM
Issue
When the web GUI is accessed over HTTPS, the browser verifies the certificate presented by the firewall. The firewall uses a self-signed certificate by default, so the browser warns that the certificate cannot be validated.

Resolution
1. Create a root CA certificate on the firewall and then a server certificate signed by it. Mark the root certificate as Trusted Root CA and the server certificate as Certificate for Secure Web GUI.
2. The server certificate's host name must be the firewall management IP address or DNS name exactly as typed into the browser's URL, because the browser compares the two. Leave the Host Name attribute blank if the Common Name field already holds the management IP address. Note: browsers released since this article was written ignore the Common Name and check only the Subject Alternative Name, so also add the management IP address or DNS name as a Host Name / IP Address certificate attribute.
3. Import the root certificate into the browser's or operating system's Trusted Root Certification Authorities store. The server certificate itself does not need to be imported into the browser: the firewall presents it during the TLS handshake, and the browser validates it against the now-trusted root.
4. Open the firewall web GUI. There should be no certificate warning, and the certificate details show that it was issued by the trusted certificate authority.

owner: ssunku
Phoenix ‎08-28-2015 04:54 PM
Issue
Importing a certificate fails with the error "Malformed Request" or "Passphrase Invalid input".

Cause
The passphrase protecting the certificate's private key contains special characters such as & < " $ ' | ;

Resolution
Re-export the certificate with a passphrase of at least 6 characters that contains none of these special characters, or upgrade PAN-OS to 5.0.x or later.

owner: jcabarrus
npare ‎08-28-2015 11:44 AM
Symptom
A Palo Alto Networks firewall has a list of trusted root Certificate Authorities (CAs), which it uses to validate server certificates during SSL decryption. When a CA replaces its root certificate, or begins issuing server certificates from a new root, the list must be updated, otherwise sites chaining to the new root are treated as untrusted.

Workaround
Install the missing root CA certificate manually. For the newer GoDaddy root (Go Daddy Root Certificate Authority - G2) the procedure is:
1. Copy the following certificate, including the BEGIN and END lines, into a plain-text editor such as Notepad (do not use WordPad, Word or a similar rich-text editor):
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
4uJEvlz36hz1
-----END CERTIFICATE-----
2. Save the file with a .txt, .cer or .crt extension.
3. Go to Device > Certificates, click Import, select the file saved in Step 2 and click OK.
4. Click the name of the new certificate, select Trusted Root CA and click OK.
5. Commit the changes.

Before trusting a root certificate obtained from a web page or e-mail, compare its SHA-256 fingerprint, as shown in the certificate viewer after import, with the fingerprint the CA publishes in its repository. A trusted root added to the firewall vouches for every certificate chaining to it.

Note: There is currently no code-level resolution to this issue. Palo Alto Networks is evaluating the best course of action for updating the list of trusted root CAs.

owner: gwesson
gwesson ‎08-26-2015 11:47 AM
Issue
Deleting a certificate used for SSL decryption fails, even when the certificate is not referenced anywhere in the configuration, with the error:
Error deleting Certificate
Number of failed record(s): 1
  1- Failed to delete Certificate - tester3.
    ° tester3 cannot be deleted because of references from:
    ° ssl-decrypt -> trusted-root-CA

Cause
The certificate is flagged as a Trusted Root CA. With that flag set the firewall refuses to delete it, because a trusted root is implicitly referenced by the SSL decryption configuration (ssl-decrypt -> trusted-root-CA), whether or not decryption is actually in use.

Resolution
Uncheck Trusted Root CA on the certificate in question. It can then be deleted, as long as nothing else in the configuration references it.

owner: jdelio
‎08-26-2015 06:07 AM
Issue
When the Palo Alto Networks firewall decrypts outbound traffic, iOS devices cannot connect to the iTunes Store or App Store from the apps themselves, even though the certificate used for decryption has been installed on the device and regular browsing works. The error shown on the iPhone or iPad is "Cannot connect to the iTunes Store."

Cause
The App Store and iTunes apps expect the server certificate to be issued by Apple and close the connection when it is signed by any other CA. Installing the firewall's CA on the device therefore does not help.

Resolution
1. Create a custom URL category containing all known FQDNs used by the iTunes and App Store (wildcards can be used). For iOS 8 and later, also add *.mzstatic.com to the list.
2. Add a Decryption policy rule that bypasses decryption (no-decrypt) for that custom URL category.

Note: itunes.apple.com and *.itunes.apple.com should catch most iTunes and App Store sites, but others have been reported. The list may be incomplete and may change over time.

owner: sberti
sberti ‎08-25-2015 02:59 PM
Overview
This document describes how to export the SSL server certificate and its private key from a Microsoft IIS server. If the Palo Alto Networks firewall will inspect incoming SSL traffic to an IIS server (including the front-end servers for Exchange 2003 OWA or Exchange 2007 CAS), the server's certificate and private key must be loaded on the firewall for SSL Inbound Inspection.

Steps
1. Using the Internet Information Services (IIS) Manager MMC snap-in (by default under Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager), connect to the desired server.
2. Open the Properties of the Default Web Site. If a different website serves the SSL traffic, select that instance instead.
3. On the Directory Security tab, under Secure communications, click Server Certificate to launch the Web Server Certificate Wizard.
4. Click Next on the Welcome page, select "Export the current certificate to a .pfx file" and click Next. Set a strong password when prompted: the .pfx contains the server's private key, so transfer it over a protected channel and delete any copies once it has been imported.
5. Import the .pfx directly under Device > Certificates in the firewall web GUI.

For more information on configuring SSL decryption see: SSL Decryption Quick Reference - Resources

owner: jdelio
nrice ‎08-21-2015 07:14 AM
Issue
Two Panorama instances are in production and are being prepared for Panorama HA. The Panorama VM at the primary site was cloned and brought up at the secondary site, and the MAC address, serial number and management IP address were changed. Both VMs still carry the same HA key, however, and the HA key exchange fails with an error. Can the HA key be regenerated on one of the two instances?

Resolution
To regenerate the HA encryption key:
1. Reset the HA SSH key on one of the two Panoramas:
admin@Panorama97> debug system ssh-key-reset high-availability
2. Re-sync the keys between the two Panoramas with the scp export/import commands:
admin@Panorama97> scp export high-availability-key
  + remote-port   SSH port number on remote host
  * to            Destination (username@host:path)
admin@Panorama97> scp import high-availability-key
  + remote-port   SSH port number on remote host
  * from          Source (username@host:path)

owner: gutierrez
panagent ‎08-20-2015 01:23 PM
Symptom
SSL decryption blocks traffic to a server whose certificate has expired when CRL/OCSP certificate status checking is enabled (Device > Setup > Session > Decryption Certificate Revocation Settings). This happens even if "Block sessions with expired certificate" is not enabled in the Decryption Profile.

Cause
An expired certificate cannot be reported as valid. As part of the CRL/OCSP check, the firewall rejects every expired certificate and shows the SSL block page when it encounters one.

Resolution
Replace the expired certificate with a valid (non-expired) one: create or import a new certificate for the server in question.

owner: ymiyashita
ymiyashita ‎08-20-2015 09:00 AM
Overview
Palo Alto Networks firewalls support multiple virtual systems (multi-vsys).

Issue
On a multi-vsys firewall, the option to select a newly created or imported certificate as the certificate for secure web GUI management sometimes does not appear, even though the certificate was created or imported correctly and its status shows as valid.

Cause
The certificate used for secure web GUI management must reside in the Shared location. Certificates created or imported inside a vsys are private to that vsys and cannot be used by the management interface or by other virtual systems.

Resolution
To use a certificate other than the factory-default one for secure web GUI management:
1. Create or import the desired certificate and open it under Device > Certificate Management > Certificates. The option "Certificate for Secure WebGUI" should be available.
2. On a multi-vsys firewall, when generating a certificate with the firewall's internal self-signed CA or importing an externally signed certificate, select Shared as the location. The certificate can then be selected as the certificate for the secure web GUI.
3. A certificate cannot be moved from a vsys to the Shared location after it has been created or imported. Re-create it (self-signed) or re-import it (external CA) in the Shared location instead.

This does not apply when the factory-default certificate is used for web GUI management, or when the certificate was created or imported on a firewall without multi-vsys capability enabled.

See Also:
Unable to Access Web Console via HTTP or HTTPS
How to Change the VSYS from the CLI

owner: spiromruen
spiromruen ‎12-24-2014 12:26 AM
Symptom
Deleting the certificate that is configured as the web server certificate fails with the error:
Error deleting Certificate
Number of failed record(s): 1
  1- Failed to delete Certificate - tester3.
    ° tester3 cannot be deleted because of references from:
    ° deviceconfig -> system -> web-server-certificate

Cause
The certificate is selected as the Web Server Certificate (Certificate for Secure Web GUI). While it is selected, the firewall refuses to delete it because the web server configuration references it.

Resolution
Go to Device > Certificates, open the certificate and uncheck the Certificate for Secure Web GUI option, then delete the certificate. The firewall reverts to its built-in certificate for HTTPS connections to the web UI.

owner: jdelio
‎11-17-2014 02:23 PM
Issue
The forward trust certificate cannot be deleted, and the Forward Trust Certificate option cannot be disabled because it is grayed out in the web GUI; the deletion attempt fails with an error.

Workaround
Remove the forward trust reference from the CLI in configure mode, then delete the certificate:
> configure
# delete shared ssl-decrypt forward-trust-certificate
# commit

owner: skumarasam
skumarasam ‎11-09-2014 05:40 AM
Details
The Palo Alto Networks firewall can block websites that present untrusted certificates. Many sites use certificates issued by an intermediate CA rather than directly by a root. If the firewall cannot build a chain from the server certificate to a root it trusts, for example because the server does not send its intermediate certificate and the intermediate is not in the firewall's trusted list, the certificate is treated as untrusted and the firewall drops the session. Adding the intermediate certificate to the firewall avoids this.

Example: the firewall is configured to block SSL sites with untrusted certificates, and www.studyisland.com, whose certificate is issued by the intermediate "DigiCert SHA2 High Assurance Server CA", is blocked.
1. Download the intermediate certificate "DigiCert SHA2 High Assurance Server CA" in PEM format from DigiCert.
2. Log in to the firewall web GUI and go to Device > Certificates > Import; import the intermediate certificate.
3. Click on the certificate and check Trusted Root CA.

Checking Trusted Root CA makes the firewall trust the intermediate directly as an anchor, so verify the downloaded certificate's fingerprint against the value DigiCert publishes before importing it.

owner: hshah
hshah ‎10-17-2014 06:14 PM
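The three certificate checks discussed above, namely the same-Common-Name problem from the GlobalProtect sec_error_bad_signature article, the Subject Alternative Name requirement from the SAN and web GUI certificate articles, and the missing-intermediate case from the DigiCert article, as one added example that is not part of any of these articles: it builds a throwaway PKI with openssl and tests each property the way a client would. All Common Names, host names, the address 192.0.2.10, serial numbers and file names are assumptions chosen for the demonstration, and it needs OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example, not taken from any article on this page: build a throwaway PKI
# with openssl and check the three certificate properties the articles turn on.
#  1. Root and server certificate must not share a Subject (the GlobalProtect
#     sec_error_bad_signature article). A leaf whose Subject equals its Issuer is
#     "self-issued" (RFC 5280) and is easily mistaken for a self-signed one.
#  2. Every name a client connects to must be in subjectAltName, DNS names and IP
#     addresses alike (the SAN article and the web GUI certificate article).
#  3. A leaf issued by an intermediate validates only when the verifier is given
#     the intermediate (the "untrusted intermediate CA" article).
# All CNs, host names, addresses and serials are made up. Needs OpenSSL 1.1.1+.
set -eu
WORK=$(mktemp -d); cd "$WORK"; trap 'rm -rf "$WORK"' EXIT

# Private req config so results do not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

newkey() {  # newkey OUT CN: fresh P-256 key plus CSR
  openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {    # sign OUT ISSUER SERIAL EXTFILE: issue OUT.crt from OUT.csr
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$3" \
    -days 1 -extfile "$4" -out "$1.crt" 2>/dev/null
}
make_root() {  # make_root CN OUT: self-signed root CA
  openssl req -x509 -config req.cnf -extensions v3_root -newkey ec \
    -pkeyopt ec_paramgen_curve:P-256 -nodes -subj "/CN=$1" -days 1 \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}
make_inter() { # make_inter CN OUT ISSUER: intermediate CA signed by ISSUER
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$2.ext"
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >> "$2.ext"
  newkey "$2" "$1"; sign "$2" "$3" 0x2000 "$2.ext"
}
make_leaf() {  # make_leaf CN OUT ISSUER SANS: server cert, SANS like "DNS:a,IP:1.2.3.4"
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$4" > "$2.ext"
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >> "$2.ext"
  newkey "$2" "$1"; sign "$2" "$3" 0x1000 "$2.ext"
}

self_issued() {  # prints yes when Subject == Issuer
  local s i
  s=$(openssl x509 -in "$1" -noout -subject); i=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${s#subject=}" = "${i#issuer=}" ]; then echo yes; else echo no; fi
}
self_signed() {  # prints yes only if the signature verifies with the cert's own key
  # (-check_ss_sig forces that check; openssl skips it for trust anchors by default)
  if openssl verify -check_ss_sig -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
  then echo yes; else echo no; fi
}
verify_chain() { # verify_chain CERT CAFILE [INTERMEDIATE] [NAME] -> prints OK or FAIL
  local cert=$1 ca=$2 inter=${3:-} name=${4:-} extra=''
  if [ -n "$inter" ]; then extra="-untrusted $inter"; fi
  case $name in                  # match NAME against the SAN like a browser does
    '') ;;
    *[!0-9.]*) extra="$extra -verify_hostname $name" ;;
    *)         extra="$extra -verify_ip $name" ;;
  esac
  if openssl verify -CAfile "$ca" $extra "$cert" 2>/dev/null | grep -q ': OK$'
  then echo OK; else echo FAIL; fi
}
san_list() {     # subjectAltName entries as one comma-separated string
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tail -n +2 | tr -d ' \n'
}

# 1. the GlobalProtect misconfiguration: root and server both CN=GlobalProtect
make_root GlobalProtect badroot
make_leaf GlobalProtect badleaf badroot 'DNS:gp.example.com'
echo "collision leaf: self-issued=$(self_issued badleaf.crt) self-signed=$(self_signed badleaf.crt)"

# 2. and 3. a correct hierarchy: distinct CNs, SANs on the leaf, one intermediate
make_root  'Example Root CA' root
make_inter 'Example Issuing CA' inter root
make_leaf  vpn.example.com leaf inter 'DNS:vpn.example.com,DNS:pan-fw01.example.com,IP:192.0.2.10'
echo "good leaf: self-issued=$(self_issued leaf.crt) SANs=$(san_list leaf.crt)"
echo "root only, no intermediate: $(verify_chain leaf.crt root.crt)"
echo "with the intermediate:      $(verify_chain leaf.crt root.crt inter.crt)"
echo "name in SAN (DNS):          $(verify_chain leaf.crt root.crt inter.crt pan-fw01.example.com)"
echo "name in SAN (IP):           $(verify_chain leaf.crt root.crt inter.crt 192.0.2.10)"
echo "name not in SAN:            $(verify_chain leaf.crt root.crt inter.crt other.example.com)"
```

The collision leaf is self-issued but not self-signed, which is the ambiguous state the first article describes; the good leaf fails against the root alone and passes once the intermediate is supplied, exactly the difference that importing the DigiCert intermediate on the firewall makes; and the name checks show that only names present in the SAN are accepted. The same functions can be pointed at certificates exported from a firewall.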
Issue
GlobalProtect agent pre-logon fails even after the private PKI certificates were imported manually into the local certificate store. The pre-logon connection attempt fails with the following error in the agent log:
(T2796) 06/19/14 10:52:15:442 Debug(3233): Failed to pre-login to the portal <GATEWAY-IP-ADDRESS>. Error 12186

Cause
The certificates were placed into the stores by dragging and dropping (or copying and pasting) in the Microsoft Management Console (MMC), for example:
- machine certificate dragged to Local Computer > Personal > Certificates
- root CA certificate dragged to Current User > Trusted Root Certification Authorities > Certificates
- root CA certificate copied and pasted to Local Computer > Trusted Root Certification Authorities > Certificates
Certificates installed this way can be missing attributes or fields, so drag and drop is not a supported way of installing them.

Resolution
Install the certificates either through a GPO or with the MMC import wizard. The following example is from a Windows 7 machine:
1. Delete the incorrectly installed machine certificate and root CA certificate in the MMC.
2. Right-click Local Computer > Personal > Certificates, choose All Tasks > Import, and import the machine certificate.
3. Right-click Current User > Trusted Root Certification Authorities > Certificates, choose All Tasks > Import, and import the root CA certificate.
4. Right-click Local Computer > Trusted Root Certification Authorities > Certificates, choose All Tasks > Import, and import the root CA certificate.
5. Uninstall the GlobalProtect agent.
6. Reinstall the GlobalProtect agent, reconfigure GlobalProtect and connect.

owner: jlunario
pagmitian ‎09-06-2014 09:26 PM
Overview
With SSL decryption enabled on the Palo Alto Networks firewall, opening an HTTPS site in a browser produces an untrusted-certificate warning. Adding an exception for the certificate makes the connection work, but the exception has to be repeated in every browser, and as soon as a link on the site redirects to another host the warning appears again. Installing the firewall's Forward Trust root certificate in the Windows certificate store removes the warning for every browser on the machine that uses that store.

Steps
1. Export the Forward Trust certificate from the firewall. Export the certificate only, in PEM format, without the private key: that is all an endpoint needs to trust the CA. A PKCS#12 export that includes the private key (protected by a passphrase of at least 6 characters) is only appropriate for moving the CA to another firewall, never for distribution to endpoints, because anyone holding that key can impersonate every HTTPS site to those users.
2. Install the exported certificate into the Windows certificate store with the Microsoft Management Console (MMC). To launch the MMC, go to Start, click Search, type "mmc" and press Enter. Use the Certificates snap-in to import the Forward Trust root certificate into Trusted Root Certification Authorities. For more information about the MMC, see the TechNet library on the Microsoft website.

Note: This applies to Internet Explorer and Google Chrome, which use the Windows certificate store. Firefox keeps its own store, so the certificate must also be imported there. If Firefox reports "Error code: sec_error_untrusted_issuer", see After Configuring SSL Decryption Mozilla Firefox Presents Certificate Error.

See Also: How to Implement Certificates Issued from Microsoft Certificate Services

owner: dantony
dantony ‎07-28-2014 07:42 PM
Overview
The LSVPN implementation lets administrators quickly connect VPN satellite sites to the main site. It relies on certificates to authenticate the satellites to the portal, which lets administrators control which satellites are allowed onto the VPN network and which can be denied if emergency action is needed.
Details
For full control, there needs to be a Certificate Authority (CA) on the Palo Alto Networks firewall and an OCSP responder for the certificates that will be generated with that CA. The process is very similar to controlling GlobalProtect remote access VPN connections; the same principles apply and similar steps should be followed.
Note: For more information, see: Controlling GlobalProtect VPN Access with OCSP
1. Create a CA on the firewall.
2. Create a local OCSP responder.
3. Create a Certificate Profile that will be used to check the status of the certificates against that OCSP responder.
4. Create a certificate signed by the CA and include the OCSP responder that will be queried for the revocation status of the certificates it issues.
5. Verify that the certificates are generated with the correct information when a satellite connects to GlobalProtect (this should include the correct Issuer).
6. Verify that the satellites can connect to the VPN network.
7. If needed, revoke a satellite certificate to immediately remove that satellite from the devices that can connect to the VPN network.
Steps
After the CA and the OCSP responder are in place on the firewall, create a Certificate Profile.
Note: See the following for more information: How to Configure an OCSP Responder
To create a Certificate Profile for the LSVPN satellites, which verifies the revocation status against the OCSP responder created above, go to Device > Certificate Management > Certificate Profile.
Go to Device > Certificate Management > Certificates and click Generate to create the certificate that will be used to sign the satellite certificates.
While creating the certificate, be sure to select the OCSP responder previously created. If this is an intermediate certificate, make sure to select a root CA that is trusted on the satellite. If the root is not trusted on the satellite, or a root certificate is being created now, export the certificate from this firewall and import it on the satellite firewall.
At this point, the configuration of the LSVPN needs to be completed. Refer to the Large Scale VPN (LSVPN) Deployment Guide to complete the configuration. While configuring the setup, use the certificates and certificate profiles created above. Include the trusted root CA and the OCSP responder in the Satellite Configuration under the GlobalProtect Portal, so that the satellite certificates are checked for revocation status. Use the Server Certificate and the Certificate Profile for the GlobalProtect Gateway.
After the full LSVPN configuration is complete, verify that connections are being established from the satellites to GlobalProtect. Check the connection under Network > GlobalProtect > Portals > Info > Satellite Information. Go to Network > GlobalProtect > Gateways > Info > Satellite Information to access details about the connection to the gateway in question.
The certificate used for this process is created for the satellite by the CA specified in the previous steps. By default, the validity of these certificates is 7 days. The issued certificate is visible under Device > Certificate Management > Certificates. When the certificate is opened, there is an option to revoke it.
Once the Revoke button is clicked, the certificate is no longer valid and is not accepted by the portal for connections to the VPN network. The status immediately changes to revoked. From this point on, connections from that satellite are dropped because it authenticates with an invalid certificate. This can be viewed in the system logs.
In the sslmgr.log of the portal, a certificate check is performed and the certificate in use is reported as revoked. Run the following operational command to view it:
> less mp-log sslmgr.log
Jun 16 00:51:58 pan_store_portal_cfg_assigned(pan_store_satellite_info.c:1854): find assigned serialno 0006C107270
Jun 16 00:51:58 pan_store_satellite_info_response_print(pan_store_satellite_info.c:106): {satellite info success; vsys id(1); vsys name(vsys1); portal name(GP-Portal); serialno(0006C107270); hostname(IDEA-PA-01); config(LSVPN_Satelites); pin(static); derived from(); last seen ip(10.193.16.27); }
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:964): certificate(539DAE57002715) is revoked, don't cleanup
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:973): certificate expiration date(Jun 22 22:51:01 2014 GMT)
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:979): current date (Jun 15 22:51:58 2014 GMT)
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:981): expdate(140622225101Z) curdate(140615225158Z)
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:984): exp date(3183271629) curwarmingdate(3176271686)
Jun 16 00:51:58 pan_store_is_cert_expired(pan_store_certificate_info.c:70): certificate expiration date(Jun 22 22:51:01 2014 GMT)(140622225101Z)
Jun 16 00:51:58 pan_store_is_cert_expired(pan_store_certificate_info.c:77): current date plus warming days (Jun 18 22:51:58 2014 GMT)(140618225158Z)
Jun 16 00:51:58 sslmgr_sysd_store_cert_gen(sslmgr_sysd.c:469): certificate is still valid
Jun 16 00:51:58 pan_store_satellite_info_request_print(pan_store_satellite_info.c:75): {satellite info find; vsys id(1); vsys name(vsys1); portal name(GP-Portal); serialno(0006C107270); hostname(); config(); pin(); derived from(); last seen ip(); }
Jun 16 00:51:58 pan_store_portal_cfg_assigned(pan_store_satellite_info.c:1854): find assigned serialno 0006C107270
Jun 16 00:51:58 pan_store_satellite_info_response_print(pan_store_satellite_info.c:106): {satellite info success; vsys id(1); vsys name(vsys1); portal name(GP-Portal); serialno(0006C107270); hostname(IDEA-PA-01); config(LSVPN_Satelites); pin(static); derived from(); last seen ip(10.193.16.27); }
Jun 16 00:52:14 [OCSP] URL (null)       serialno: 539E235500032C
Jun 16 00:52:14 Send cookie:4 session:0 status:2 to DP
Note that the "certificate is still valid" line is the expiry cleanup check (the certificate has not yet passed its expiration date); revocation is reported separately by the "is revoked" line.
After revocation, a connection can no longer be established:
> show global-protect-gateway current-satellite
GlobalProtect Gateway: GP-GW-1 (0 satellites)
        Tunnel Name          : GP-GW-1-S
GlobalProtect Gateway: GP-GW-1-Backup (0 satellites)
        Tunnel Name          : GP-GW-1-Backup-S
> show global-protect-gateway previous-satellite
GlobalProtect Gateway: GP-GW-1 (0 satellites)
        Tunnel Name          : GP-GW-1-S
GlobalProtect Gateway: GP-GW-1-Backup (0 satellites)
        Tunnel Name          : GP-GW-1-Backup-S
        Satellite                 : 0006C107270
        Satellite Hostname        : IDEA-PA-01
        Private IP                : 10.200.2.1
        Public IP                 : 10.193.16.27
        Satellite Tunnel IPs      :
        Login Time                : Jun.15 23:51:33
        Logout Time               : Jun.16 00:51:34
        Reason                    : Tunnel Lifetime expired
        Satellite Published Routes: 172.18.1.0/24
        Satellite Denied Routes   :
        Satellite Duplicate Routes:
        Tunnel Monitor Enabled    : Yes
        Tunnel Monitor Interval   : 3 seconds
        Tunnel Monitor Action     : fail-over
        Tunnel Monitor Threshold  : 5 attempts
        Tunnel Monitor Source     : 10.193.21.98
        Tunnel Monitor Destination: 10.200.2.1
        Tunnel Monitor Status     : No data available
The satellite can also be permanently removed from the GlobalProtect Portal Satellite configuration, so that the portal no longer has to validate its certificate at all. To do so, go to Network > GlobalProtect > Portals > Satellite Configuration, select the satellite, and delete it from the list.
owner: ialeksov
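When many satellites are involved, reading sslmgr.log by hand does not scale. The following is an added example (not code from the article or from PAN-OS) that pulls the facts a practitioner wants out of the log above: which satellite serial maps to which hostname, which certificate serials are reported revoked, how many days the issued certificate has left against the "current date" the portal logged, the size of the expiry warning window, and whether each OCSP check carried a responder URL. The sample log is a constructed excerpt modelled on the article's lines; the field names and regular expressions are assumptions about that log format and may need adjusting for other PAN-OS releases.

```python
import re
from datetime import datetime

# Constructed sample, trimmed from the sslmgr.log excerpt in the article above.
SAMPLE_SSLMGR_LOG = """\
Jun 16 00:51:58 pan_store_satellite_info_response_print(pan_store_satellite_info.c:106): {satellite info success; vsys id(1); vsys name(vsys1); portal name(GP-Portal); serialno(0006C107270); hostname(IDEA-PA-01); config(LSVPN_Satelites); pin(static); derived from(); last seen ip(10.193.16.27); }
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:964): certificate(539DAE57002715) is revoked, don't cleanup
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:973): certificate expiration date(Jun 22 22:51:01 2014 GMT)
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:979): current date (Jun 15 22:51:58 2014 GMT)
Jun 16 00:51:58 pan_store_is_cert_expired(pan_store_certificate_info.c:77): current date plus warming days (Jun 18 22:51:58 2014 GMT)(140618225158Z)
Jun 16 00:51:58 sslmgr_sysd_store_cert_gen(sslmgr_sysd.c:469): certificate is still valid
Jun 16 00:52:14 [OCSP] URL (null)       serialno: 539E235500032C
"""

DATE_FMT = "%b %d %H:%M:%S %Y"
# The satellite serialno is the device serial; certificate serials are the hex values in certificate(...).
RE_SATELLITE = re.compile(r"satellite info success;.*?serialno\((?P<serial>[^)]*)\); hostname\((?P<host>[^)]*)\)")
RE_REVOKED = re.compile(r"certificate\((?P<serial>[0-9A-Fa-f]+)\) is revoked")
RE_EXPIRY = re.compile(r"certificate expiration date\((?P<date>[^)]+) GMT\)")
RE_NOW = re.compile(r"current date \((?P<date>[^)]+) GMT\)")
RE_WARN = re.compile(r"current date plus warming days \((?P<date>[^)]+) GMT\)")
RE_OCSP = re.compile(r"\[OCSP\] URL (?P<url>\S+)\s+serialno: (?P<serial>[0-9A-Fa-f]+)")


def _ts(text):
    return datetime.strptime(text.strip(), DATE_FMT)


def summarize_sslmgr(log_text):
    """Walk sslmgr.log lines and return a dict of satellite/certificate facts."""
    report = {
        "satellites": {},     # device serial -> hostname
        "revoked": set(),     # certificate serials the portal reports as revoked
        "ocsp_checks": [],    # one entry per [OCSP] line
        "expiry": None, "now": None, "warn_until": None,
    }
    for line in log_text.splitlines():
        if m := RE_SATELLITE.search(line):
            report["satellites"][m["serial"]] = m["host"]
        if m := RE_REVOKED.search(line):
            report["revoked"].add(m["serial"].upper())
        if m := RE_EXPIRY.search(line):
            report["expiry"] = _ts(m["date"])
        if m := RE_NOW.search(line):
            report["now"] = _ts(m["date"])
        if m := RE_WARN.search(line):
            report["warn_until"] = _ts(m["date"])
        if m := RE_OCSP.search(line):
            # "(null)" is what the excerpt shows when no responder URL is printed; flag it for review.
            report["ocsp_checks"].append(
                {"serial": m["serial"].upper(), "url": m["url"], "url_present": m["url"] != "(null)"}
            )
    if report["expiry"] and report["now"]:
        report["days_left"] = (report["expiry"] - report["now"]).days
    if report["warn_until"] and report["now"]:
        report["warning_window_days"] = (report["warn_until"] - report["now"]).days
    return report


if __name__ == "__main__":
    r = summarize_sslmgr(SAMPLE_SSLMGR_LOG)
    print("satellites:", r["satellites"])
    print("revoked certificate serials:", sorted(r["revoked"]))
    print("days left on issued cert:", r.get("days_left"), "warning window:", r.get("warning_window_days"))
    for c in r["ocsp_checks"]:
        print("OCSP check", c["serial"], "url present:", c["url_present"])
```

Run it against the output of `less mp-log sslmgr.log` saved to a file to get the same summary for a real portal; an OCSP check logged without a URL is worth comparing with the responder configured in the certificate profile.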
ialeksov ‎06-28-2014 05:51 AM
25,364 Views
0 Replies
PAN-OS 6.0
Issue
A problem occurs when multiple web services sit behind the same IP address, as is the case with Google, which hosts all of its services (Drive, Translate, Search, Google+, Maps, Play, Gmail, Calendar and so on) behind the same group of IP addresses. When DNS resolves both www.google.com and www.drive.google.com to the same IP address (for example, 173.194.78.189), hosts use that one IP for both google.com and drive.google.com. If the first session is to www.google.com, the local cache maps 173.194.78.189 to "search-engines". If the next host then goes to www.drive.google.com using the same destination IP, the URL category is resolved to "search-engines" instead of "online-personal-storage". A decryption policy set to decrypt only the "online-personal-storage" category misses this traffic, and real drive.google.com data is not decrypted.
Details
When troubleshooting issues related to SSL decryption, a good starting point is to understand how the decryption mechanism works together with URL categorization. To establish an SSL session, the client and server perform authentication; the client usually authenticates the server's identity based on its certificate. An HTTPS connection is always initiated by the client, which first resolves the server's name and then sends a Client Hello to the resolved IP address. The client then waits for the server's response, which includes the server certificate. To resolve the URL category and decide whether to decrypt a given SSL session, the Palo Alto Networks firewall relies on the Common Name (CN) field of the certificate received from the server, so URL categorization is based on what is found in the CN field. The resolved category is then mapped to the destination IP of the intercepted packet sent by the client.
To speed up URL category resolution, the firewall stores each destination-IP-to-category mapping in its local cache. The next SSL session to the same destination is resolved to the category already stored in the local cache. The mechanism of URL categorization for decryption purposes looks like this:
1. The Client Hello message is intercepted by the firewall.
2. The firewall determines the packet's destination IP.
3. The firewall compares that destination IP with the list of IP-to-URL-category mappings in its local cache.
4. If the IP is in the list, the URL category is taken from the local cache.
5. If there is no match in the local cache, the firewall waits for the server's response and looks at the CN field of the server certificate.
6. The URL category is resolved from the CN field, mapped to the server's IP, and added to the local cache for future use.
Resolution
PAN-OS 6.0 introduces a new method of resolving the URL category for decryption. This method is not based on the CN field of the server certificate but on the SNI (Server Name Indication) value in the SSL Client Hello message. Because the SNI names the host the client actually wants, the firewall can resolve the URL category of each session even when many services share one IP address, and with that information it applies the correct decryption policy.
Note: The SNI extension is not sent by older browsers, such as IE 8.0, which is the latest version available on Windows XP. The SNI-based solution therefore does not work for Windows XP hosts or other clients using an old browser version. In that case, or on firewalls running a PAN-OS release earlier than 6.0, the workaround is to create a broader decryption policy that covers the URL category of every service located behind the same IP address.
owner: djoksimovic
djoksimovic ‎06-19-2014 08:34 AM
18,903 Views
0 Replies
6 Likes
Issue
When using Windows Certificate Authority 2008 R2 or later, the following may be encountered:
- SSL client certificate authentication fails on Captive Portal or GlobalProtect.
- LDAP over SSL connections fail without an obvious reason.
- Server certificates signed by the Windows CA for use by the Management interface or Captive Portal fail to commit with an error message saying that an unsupported algorithm is used.
- A decryption CA certificate signed by the Windows CA fails to commit with the same unsupported-algorithm error message.
When committing on the firewall, the following error message usually appears (it is not exclusive to this problem):
Error: Certificate failed to load: parse tbs certificate not supported algorithm.
Cause
By default, Windows CA 2008 R2 and later signs its certificates with the RSASSA-PSS algorithm. This algorithm has poor support from many SSL stack vendors and in earlier versions of Windows (pre Server 2008 and Windows Vista), and is not currently supported by PAN-OS.
Resolution
Apply one of the following workarounds:
- [Preferred solution] Use another Certificate Authority that does not sign with RSASSA-PSS.
- On the Windows CA server, edit the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm and set it to 0. Then delete and re-issue the failing certificates with this CA.
Warning: This operation is not officially supported by Microsoft and should be performed by a competent Windows administrator.
owner: cpainchaud
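The commit error names the tbsCertificate, and that is where the rejected algorithm lives: the AlgorithmIdentifier inside tbsCertificate (and the matching one after it) names id-RSASSA-PSS, OID 1.2.840.113549.1.1.10, instead of a plain sha256WithRSAEncryption. The following is an added example, not code from the article or from PAN-OS, that walks a DER certificate far enough to read both AlgorithmIdentifiers and report whether the certificate is PSS-signed, so a certificate can be checked before it is imported. The sample certificates are constructed skeletons (only version, serial and signature inside the tbs) and are not real, verifiable certificates; the OID constants are the standard PKCS #1 / RFC 4055 values.

```python
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS (RFC 4055)
OID_SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
OID_SHA1_RSA = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption


def der_tlv(tag, content):
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append((arc & 0x7F) | 0x80)   # continuation bit on all but the last group
            arc >>= 7
        out.extend(reversed(groups))
    return der_tlv(0x06, bytes(out))


def build_certificate(sig_oid):
    """Constructed Certificate skeleton: tbsCertificate holds only version, serialNumber and
    signature; issuer, validity, subject and subjectPublicKeyInfo are omitted because the
    check below never reads past the signature field. Not a real, verifiable certificate."""
    params = der_tlv(0x30, b"") if sig_oid == OID_RSASSA_PSS else b"\x05\x00"   # PSS-params vs NULL
    alg_id = der_tlv(0x30, der_oid(sig_oid) + params)
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))       # [0] EXPLICIT INTEGER 2 (v3)
    serial = der_tlv(0x02, b"\x01")
    tbs = der_tlv(0x30, version + serial + alg_id)
    signature_value = der_tlv(0x03, b"\x00" + bytes(8))   # BIT STRING with dummy signature bytes
    return der_tlv(0x30, tbs + alg_id + signature_value)


def der_read(buf, pos):
    """Read one DER element at pos; return (tag, content, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def oid_to_str(content):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oids(cert_der):
    """Return (OID in tbsCertificate.signature, OID in Certificate.signatureAlgorithm)."""
    tag, cert, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input must be base64-decoded first)")
    _, tbs, pos = der_read(cert, 0)                   # tbsCertificate
    _, outer_alg, _ = der_read(cert, pos)             # signatureAlgorithm
    tag, _, after_version = der_read(tbs, 0)
    pos = after_version if tag == 0xA0 else 0         # optional [0] version
    _, _, pos = der_read(tbs, pos)                    # serialNumber
    _, tbs_alg, _ = der_read(tbs, pos)                # signature AlgorithmIdentifier
    return oid_to_str(der_read(tbs_alg, 0)[1]), oid_to_str(der_read(outer_alg, 0)[1])


def uses_rsassa_pss(cert_der):
    """True when the certificate is signed with id-RSASSA-PSS. RFC 5280 requires both
    AlgorithmIdentifiers to match, so a mismatch is reported rather than guessed around."""
    tbs_oid, outer_oid = signature_oids(cert_der)
    if tbs_oid != outer_oid:
        raise ValueError(f"algorithm mismatch: tbs={tbs_oid} outer={outer_oid}")
    return tbs_oid == OID_RSASSA_PSS


if __name__ == "__main__":
    for oid in (OID_RSASSA_PSS, OID_SHA256_RSA):
        print(oid, "-> PSS-signed:", uses_rsassa_pss(build_certificate(oid)))
```

To check a certificate exported from the Windows CA, read the DER file bytes and pass them to uses_rsassa_pss (for a PEM file, base64-decode the text between the BEGIN and END lines first). The same field is what `openssl x509 -noout -text` prints as "Signature Algorithm: rsassaPss"; a certificate that reports True will hit the commit error until it is re-issued without the alternate signature algorithm.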
cpainchaud ‎02-24-2014 07:32 AM
15,103 Views
4 Replies
1 Like
Issue
Pre-logon fails when the machine certificate is issued by the customer's PKI. The following errors appear in PanGPS.log:
Opened machine store
Skipped cert issued by <Issuer Name>
Finished searching machine store.
Failed to find the cert issued by <Issuer Name> in machine store
Resolution
The most likely cause of this issue is an empty Subject field in the machine certificate. Make sure that the machine certificate used for pre-logon authentication has a non-empty Subject.
See also: GlobalProtect Configuration Tech Note
owner: ncackov
nik ‎07-01-2013 12:50 AM
7,256 Views
0 Replies
Overview
SSL certificates are used to provide trust, authentication, and secure communications between clients and servers. A signed certificate is trusted only if it chains to a trusted root Certificate Authority (CA). A trusted certificate provides authentication when the name within the certificate matches the intended destination. This document covers troubleshooting tips for SSL certificates in general and the most common certificate issues. The use of SSL certificates by the following Palo Alto Networks PAN-OS features is also described:
- GlobalProtect: for the GlobalProtect Portal and GlobalProtect Gateway
- SSL Decryption: for interception and pass-through of SSL traffic
- Captive Portal: for server authentication
Links to useful articles in the Palo Alto Networks Support Knowledge Base are provided at the end of the document.
owner: gwesson
‎05-06-2013 05:56 PM
14,135 Views
1 Reply
Issue
Machine certificate authentication is used on Mac OS X clients. During the GlobalProtect connection process, the user has to enter the local administrator account credentials twice to allow access to the System keychain.
Cause
When using machine certificates with GlobalProtect on Mac OS X clients, the certificate must be read from the "System" keychain. This causes a Keychain Access prompt to appear twice, once when the client accesses the certificate to authenticate to the portal and once for the gateway.
Workaround
1. Open the Keychain Access application and locate the machine certificate issued to the Mac OS X client in the System keychain.
2. Right-click the private key associated with the certificate, click Get Info, then go to the Access Control tab.
3. Click '+' to select an application to allow.
4. Press <Command> + <Shift> + G to open Go to Folder.
5. Enter '/Applications/GlobalProtect.app/Contents/Resources' and click Go.
6. Find PanGPS, select it, and press Add.
7. Save the changes to the private key.
The steps above allow GlobalProtect access to only THIS certificate and private key. It no longer prompts for keychain access, giving users a seamless, no-touch experience with Palo Alto Networks GlobalProtect.
Note: The procedure has to be repeated every time the client is updated.
owner: panagent
ManillaTechOps ‎05-02-2013 10:20 AM
13,637 Views
4 Replies
Symptom
After a factory reset, a commit from Panorama can result in the following error:
Commit failed Shared -> certificate unexpected here
Cause
Shared data is preventing the commit from completing. On Panorama, in configure mode, run the following command:
# show shared
shared {
  certificate;
  response-page;
  profiles {
    decryption;
  }
}
[edit]
Certificate information is present under shared.
Resolution
Delete the shared data by running the following command in configure mode:
# delete shared
[edit]
Commit the change by running the following command:
# commit
..99%..........100%
Configuration committed successfully
owner: jdelio
‎02-26-2013 12:54 PM
5,554 Views
0 Replies