Global protect certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect certificate

L4 Transporter


What are the steps to apply a 3rd party certificate to a global protect client instead of using a self signed cert?

35 REPLIES 35

Sorry I am not being clear.  This is what I am trying to say.

  • Companies running official services on SSL should get legitimate 3rd party verified certificates from on of the approved Certificate Authorities that appear in all web browsers.
  • If the service will ONLY be used by employees AND ONLY on company computers you can use certificates issued by your Active Directory CA.
  • This prevents ANY of the three red error messages a user would get going to your global protect site.
  • Users on company computers should be trained to never click OK to bypass certificate errors.  When you get a certificate error one of the three areas in certificate validation is wrong.  Major companies and web sites will NOT have these errors.  A large proportion of fake websites will exhibit these errors. 
  • This basic three point check is the first line of defense to protect users from malicious websites.  This is not our only defense but I would say it is a mistake to cede this first check and teach your users to ignore certificate errors.
Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Again its not a web page its global protect used only by employees, maybe 6 at most, to remote into the network to do work. I don't understand how global protect could be spoofed like a web page and our home web site is hosted by a 3rd party. I get the feeling people have been programmed to assume that a self signed cert is bad when really its not. 3rd party providers get hijacked as much or more than anyone else.

So does the 3rd party cert with a FQDN that I create with generating the CSR end up being the external DNS name out in cyber space? I don't see that is would be something I would create and put on the internal dns server.

Janelle wrote:

Again its not a web page its global protect used only by employees, maybe 6 at most, to remote into the network to do work. I don't understand how global protect could be spoofed like a web page and our home web site is hosted by a 3rd party. I get the feeling people have been programmed to assume that a self signed cert is bad when really its not. 3rd party providers get hijacked as much or more than anyone else.

Sorry, I am not being clear.

Here is what I am trying to say:

Don't teach your users to ignore certificate errors.  Issue a certificate from an authority trusted by your users computers on all official employee sites.

When we teach users to ignore errors on our own deploys they just get used to clicking through those errors as a matter of course.  This makes them more vulnerable to bad actors.

This is why I believe using untrusted self generated certificates is a bad practice.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

infotech wrote:

So does the 3rd party cert with a FQDN that I create with generating the CSR end up being the external DNS name out in cyber space? I don't see that is would be something I would create and put on the internal dns server.

Whether or not you need the DNS entry on your internet facing DNS depends on where your users access the service from.  With global protect remote access you will likely need that record setup.

If the users are purely employees, you could deploy that record as a hosts file on the company computers via group policy if you don't want a DNS record out there.

I've never done so, but I suppose you could submit the ip address as the FQDN for the certificate.  If so, that would pass the first of the three tests run for validity.  The name entered into the connection must match the FQDN on the certificate otherwise a certificate error will be triggered.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Well to be honest I have a max of 5-6 users of which I am the one that uses this access the most so that is why I am asking so many questions because of the number of user who are mostly the IT staff

  • 9820 Views
  • 35 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!