Global Protect Certificate



L2 Linker

Hi

I configured global protect, but when clients try to connect through the agent, they got "Gateway "name":The server certificate is invalid, please contact your IT administrator".

For the configured certificates, I configured a self-signed certificate as a certificate authority, and then configured a Global-protect certificate signed by the created self-signed certificate, but the common name for the self-signed cert was the firewall private IP and the common name for the global-protect certificate was the firewall public IP.

Are there any wrong certificate settings?

Thanks

3 REPLIES 3

L7 Applicator

I have never used self-signed for the portal address, but I'm sure you need to copy the self-signed root cert to the devices; it will be placed with all your other trusted cert authorities.

From PA:

Self-Signed Certificates —You can generate a self-signed CA certificate on the portal and use it to issue certificates for all of the GlobalProtect components. However, this solution is less secure than the other options and is therefore not recommended. If you do choose this option, end users will see a certificate error the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate to all end user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).

Cyber Elite

@Mick_Ball is correct. If you are using a self-signed cert or a cert signed by an internal CA, the device needs to trust this cert.

Alternatively, you could modify the Agent configuration within the App tab to set "Allow User to Continue with Invalid Portal Server Certificate" to Yes instead of the default No. This will trigger an alert but still allow the user to connect.
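The trust requirement described in the replies above, reproduced with openssl as an added example that is not part of the original thread or of Palo Alto's documentation: it rebuilds the question's layout (self-signed CA with the private IP as common name, server certificate with the public IP as common name) and validates it as a client would. The IP addresses, file names and function names are constructed for illustration. The address check shown is OpenSSL's, which matches only subjectAltName IP entries; the thread does not say how the GlobalProtect agent compares names.

```shell
#!/bin/sh
# Added example: rebuilds the thread's certificate layout in a temp directory
# and checks it as a TLS client would. Both IPs are constructed placeholders.
PRIVATE_IP=192.0.2.10    # stands in for the firewall private IP (CA common name)
PUBLIC_IP=203.0.113.10   # stands in for the firewall public IP (server common name)
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

build_pki() {
  # Minimal config so the self-signed root is marked CA:TRUE on any OpenSSL version.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$PRIVATE_IP" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$PUBLIC_IP" -keyout "$WORK/gp.key" -out "$WORK/gp.csr" 2>/dev/null
  # Issue the server certificate twice: common name only, then with an IP SAN.
  openssl x509 -req -in "$WORK/gp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/gp_cn.pem" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$PUBLIC_IP" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/gp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/gp_san.pem" 2>/dev/null
}

# chain_ok CERT [CA_FILE]: validate against the system store only, or against
# the system store plus CA_FILE (a client that has imported the self-signed root).
chain_ok() {
  if [ $# -ge 2 ]; then openssl verify -CAfile "$2" "$1"
  else openssl verify "$1"; fi >/dev/null 2>&1
}

# ip_ok CERT IP: root is trusted AND the certificate is valid for that address.
ip_ok() { openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$2" "$1" >/dev/null 2>&1; }

report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }
build_pki
report chain_ok "$WORK/gp_san.pem"                  # root not in the client store
report chain_ok "$WORK/gp_san.pem" "$WORK/ca.pem"   # root imported on the client
report ip_ok "$WORK/gp_cn.pem"  "$PUBLIC_IP"        # public IP only in the CN
report ip_ok "$WORK/gp_san.pem" "$PUBLIC_IP"        # public IP also in an IP SAN
report ip_ok "$WORK/gp_san.pem" "$PRIVATE_IP"       # client connects to the other IP
```

The same `openssl verify -CAfile` call can be pointed at a real exported root and gateway certificate to confirm, off the client, whether a failure comes from the trust store or from the name on the certificate.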

L1 Bithead

Hi There,

I'm having the same issue, but not on a self-signed certificate, and on Linux (Fedora 29).

Global Protect is configured with the certificate signed by the Authorized CA.

The Chain is:

DigiCert Global Root CA
DigiCert SHA2 Secure Server CA

Server certificate.

It works perfectly on Windows.

On Linux, Fedora.

I get the error

Error: Gateway exgw: The server certificate is invalid. Please contact your IT administrator.

I checked if the certificate is trusted

xxx\Downloads]$ trust list | grep Digi
label: DigiCert Global Root CA
label: DigiCert SHA2 Secure Server CA

The first two are exactly the ones that are trusted.

I am puzzled. Did anybody have issues with Global Protect on Linux?
