04-01-2016 08:36 AM
Hi All,
Recently had a client upgrade their Global Protect Agent to 3.0.0 from 2.2.2.
When connecting to the Gateway they would encounter the following message - "Server Certificate verification failed".
From 2.1.0 you had to ensure the External Gateway address in the Agent/Client configuration of the Portal is the CN of the Certificate you are using, but this was not the case as he upgraded from 2.2.2 and would have already had this implemented.
As he's jumped from 2.2 to 3.0 I thought I would look into the release notes and default behaviour changes to the GP agents and found the following document for 2.3.
From 2.3 and onwards, you would need to ensure the self-signed certificate you have generated is marked as a Trusted Root CA in the certificates options and/or add the CA to the Trusted Root CA in Network > Global Protect Portals > Portal you're using > Agent Configuration > Add self-signed certificate to the Trusted Root CA list.
This is an easy thing to miss, as when following Palo's document on how to create a self-signed certificate, it doesn't mention having to create this certificate as a Trusted Root CA, as this wasn't the case before 2.3.
Also ensure the certificate that has been marked as a Trusted Root is pushed out.
This resolved the issue and a connection to the gateway is now successful.
Kind regards
Jack
05-16-2016 08:38 AM
Thanks for the info Jack. This also applies to internally signed certs managed by an internal certificate authority.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
