I'm configuring GlobalProtect for the first time and would like to ask a few questions about using a Wildcard certificate to set this up. After going through the below document, I have some questions:
1. The first steps says a Root CA should be created.Does this mean setting the 'Common name' as the wildcard domain name, 'Signed by' External Authority CSR and still ticking the 'Certificate Authority' checkbox (e.g image attached)?
2. I would like the users to access Globalprotect using the address 'vpn.example.com'. If I configure this under the Certificate attributes, will this automatically map it to the Interface IP address I choose for my Gateway IP address?
Your contributions are appreciated.
1> If you are using a public certificate then yes. "https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Generate-a-CSR-Certificate-Signin..."
2> You have to have a entry in external dns server for mapping of vpn.example.com to the interface IP address.
1. If you are using PA as the Certificate Authority (i.e using self signed certificate), then generate the Root certificate on the firewall (Signed by Field as Blank and Certificate Authority check box ticked). If you are using external CA, then Root CA certificate just needs to be imported on the firewall. In this step, you do NOT need any wildcards.
Only when you are generating certificates for portal or gateway, you have to use the wildcard in the common name (Step 2)
2. Certificate attributes will not map anything. They are static field in the certificate. If you want users to resolve vpn.example.com to your Interface IP address, that should be recorded on the DNS server.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!