Does Globalprotect application use certificate revocation list (CRL) to check the gateway certficates?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Does Globalprotect application use certificate revocation list (CRL) to check the gateway certficates?

L6 Presenter

Hello to All,

 

 

We have intermitant issues with the HIP report not being send every hour but I also see that there are some intermitant errors about the gateway certificate not being verified, I also see that there are messages in the PanGPS log "Check server certificate revocation returns" as also the portal and gateway certificates are publicly signed by the DigiCert CA. What I think we have other security systems maybe something is blocking the CRL from time to time and because of this the SSL cert of the gateway is not trusted and the HIP report fails if 3 HIP reports fail to be send by the globalprotect app (as the timeout is 3 hours and every hour a HIP report is send) and because of this sometimes we hit the Inactivity Logout (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClxFCAS).

 

 

.

 

 

Does this mean that the globalprotect agent uses CRL before trying to send the HIP report to the gateway if the gateway certficate is from a public CA and the certficate has a CRL distribution point SSL extention?

 

 

 

 

Also some of the gateways share a certficate with the same CA but if this was the issue maybe then the issue was not going to be intermitant, so for now I focus on the CRL as the certficate has SAN with each gateway FQDN but we may also check if it is a bug with the globalprotect app not liking the SSL SAN names from time to time.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK

1 accepted solution

Accepted Solutions

L6 Presenter

After doing a tcpdump and not seeing any CRL requests to the distribution points I don't think this is the issue and after upgrading the portals, gateways and the app the issue seems to have been gone.

 

Now with 9.1 we can monitor the latency if this is causing the timeout


https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-rele...

 


Or with Globalprotect agent app 5.2 we can set the MTU from the portal "Configurable Maximum Transmission Unit for GlobalProtect Connections":


https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-release-notes/gp-app-release-i...

 


Also because of certificate change we seemed to have issues on some gateways but maybe because we were older version the Globalprotect app did not drop the VPN to those gateways (I have read for such a bug with older versions) with missing root CA but the option "Install in Local Root Certificate store" helped as it was suggested by a colleague of mine.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMyG

View solution in original post

1 REPLY 1

L6 Presenter

After doing a tcpdump and not seeing any CRL requests to the distribution points I don't think this is the issue and after upgrading the portals, gateways and the app the issue seems to have been gone.

 

Now with 9.1 we can monitor the latency if this is causing the timeout


https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-rele...

 


Or with Globalprotect agent app 5.2 we can set the MTU from the portal "Configurable Maximum Transmission Unit for GlobalProtect Connections":


https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-release-notes/gp-app-release-i...

 


Also because of certificate change we seemed to have issues on some gateways but maybe because we were older version the Globalprotect app did not drop the VPN to those gateways (I have read for such a bug with older versions) with missing root CA but the option "Install in Local Root Certificate store" helped as it was suggested by a colleague of mine.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMyG

  • 1 accepted solution
  • 3512 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!