Configuring GlobalProtect with Wildcard Certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Configuring GlobalProtect with Wildcard Certificate

L3 Networker

Hi All,

I'm configuring GlobalProtect for the first time and would like to ask a few questions about using a Wildcard certificate to set this up. After going through the below document, I have some questions:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Use-a-Wildcard-SSL-Certificate-with-...

 

1. The first steps says a Root CA should be created.Does this mean setting the 'Common name' as the wildcard domain name, 'Signed by' External Authority CSR and still ticking the 'Certificate Authority' checkbox (e.g image attached)?gp1.png

 

2. I would like the users to access Globalprotect using the address 'vpn.example.com'. If I configure this under the Certificate attributes, will this automatically map it to the Interface IP address I choose for my Gateway IP address?

 

Your contributions are appreciated.

 

 

2.

2 REPLIES 2

L5 Sessionator

1> If you are using a public certificate then yes. "https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Generate-a-CSR-Certificate-Signin..."

 

2> You have to have a entry in external dns server for mapping of vpn.example.com to the interface IP address.

L4 Transporter

1. If you are using PA as the Certificate Authority (i.e using self signed certificate), then generate the Root certificate on the firewall (Signed by Field as Blank and Certificate Authority check box ticked). If you are using external CA, then Root CA certificate just needs to be imported on the firewall. In this step, you do NOT need any wildcards.

 

Only when you are generating certificates for portal or gateway, you have to use the wildcard in the common name (Step 2)

 

2. Certificate attributes will not map anything. They are static field in the certificate. If you want users to resolve vpn.example.com to your Interface IP address, that should be recorded on the DNS server.

 

 

  • 11225 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!