Global Protect 3.0.0 Gateway Certificate Error "Server Certificate verification failed" *FIX*


L3 Networker

Hi All,

Recently had a client upgrade their Global Protect Agent to 3.0.0 from 2.2.2.

When connecting to the Gateway they would encounter the following message - "Server Certificate verification failed".

From 2.1.0 you had to ensure the External Gateway address in the Agent/Client configuration of the Portal is the CN of the Certificate you are using, but this was not the case here, as he upgraded from 2.2.2 and would already have had this implemented.

As he's jumped from 2.2 to 3.0, I thought I would look into the release notes and default behaviour changes to the GP agents and found the following document for 2.3.

https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-re...

From 2.3 onwards, you would need to ensure the self-signed certificate you have generated is marked as a Trusted Root CA in the certificate options and/or add the CA to the Trusted Root CA list in Network > Global Protect Portals > Portal you're using > Agent Configuration > Add self-signed certificate to the Trusted Root CA list.

This is an easy thing to miss, as Palo's document on how to create a self-signed certificate doesn't mention having to create this certificate as a Trusted Root CA, since this wasn't the case before 2.3.

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/certificate-management/create-a-self...

Also ensure the certificate that has been marked as a Trusted Root is pushed out.

This resolved the issue and a connection to the gateway is now successful.

Kind regards,

Jack
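To show why the two settings described in the post matter, here is an added example (not from the post and not Palo Alto Networks code) in Go that reproduces the client-side check: a constructed self-signed certificate for a hypothetical gateway gw.example.com fails verification until that same certificate is supplied as a trusted root, and fails again when the configured gateway address does not match its name. It assumes Go's standard x509 library, which matches the name against the SAN rather than the CN (both carry the address here), and the same function checks a certificate issued by an internal CA when that CA is passed as the trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedGatewayCert builds a constructed self-signed gateway cert with the address in CN and SAN.
func NewSelfSignedGatewayCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true, // a root the client can trust, as required from agent 2.3 onwards
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyGateway applies the agent's two checks: chain ends in a trusted root, and name matches the gateway address.
func VerifyGateway(cert *x509.Certificate, trusted []*x509.Certificate, gatewayAddr string) error {
	roots := x509.NewCertPool() // an empty list models a client that never received the root
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: gatewayAddr})
	return err
}
func main() {
	gw, _ := NewSelfSignedGatewayCert("gw.example.com") // hypothetical gateway address
	fmt.Println("not trusted:", VerifyGateway(gw, nil, "gw.example.com"))
	fmt.Println("trusted:    ", VerifyGateway(gw, []*x509.Certificate{gw}, "gw.example.com"))
	fmt.Println("wrong name: ", VerifyGateway(gw, []*x509.Certificate{gw}, "vpn.example.com"))
}
```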

1 REPLY

L1 Bithead

Thanks for the info Jack. This also applies to internally signed certs managed by an internal certificate authority. 
