09-19-2017 02:14 AM
Hi
I configured global protect, but when clients try to connect through the agent, they got "Gateway "name":The server certificate is invalid, please contact your IT administrator".
For the configured certificates, I configured a self-signed certificate as a certificate authority, and then configured a GlobalProtect certificate signed by the created self-signed certificate, but the common name for the self-signed cert was the firewall private IP and the common name for the GlobalProtect certificate was the firewall public IP.
Are there any wrong certificate settings?
Thanks
09-19-2017 03:32 AM
I have never used self-signed for the portal address, but I'm sure you need to copy the self-signed root cert to the devices; it will be placed with all your other trusted cert authorities.
From PA:
Self-Signed Certificates —You can generate a self-signed CA certificate on the portal and use it to issue certificates for all of the GlobalProtect components. However, this solution is less secure than the other options and is therefore not recommended. If you do choose this option, end users will see a certificate error the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate to all end user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).
09-19-2017 09:27 AM
@Mick_Ball is correct. If you are using a self-signed cert or a cert signed by an internal CA the device needs to trust this cert.
Alternatively you could modify the Agent configuration within the App tab to set "Allow User to Continue with Invalid Portal Server Certificate" to yes instead of the default No. This will trigger an alert but still allow the user to connect.
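The trust relationship described in the replies above can be reproduced offline with OpenSSL. This is an added example, not part of any post in the thread; the IP addresses, file names and the subjectAltName entry are assumptions made for the lab, and it exercises OpenSSL's verifier, not the GlobalProtect agent.

```shell
#!/bin/sh
# Constructed lab values (assumptions, not taken from the thread)
PRIVATE_IP="10.0.0.1"       # CN of the self-signed CA, as in the question
PUBLIC_IP="203.0.113.10"    # address clients connect to; CN of the gateway cert

# Build a self-signed CA and a gateway certificate signed by it in directory $1
build_lab() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext" &&
  printf 'subjectAltName=IP:%s\n' "$PUBLIC_IP" > "$d/gw.ext" &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$PRIVATE_IP" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$PUBLIC_IP" \
    -keyout "$d/gw.key" -out "$d/gw.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/gw.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/gw.ext" -out "$d/gw.crt" 2>/dev/null
}

# Client that has the root CA installed as a trust anchor
chain_ok_with_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/gw.crt" >/dev/null 2>&1
}

# Client that never received the root CA (no trust anchors loaded)
chain_ok_without_ca() {
  openssl verify -no-CAfile -no-CApath "$1/gw.crt" >/dev/null 2>&1
}

# Chain check plus a name check against the address the client dials ($2)
cert_valid_for_ip() {
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/gw.crt" >/dev/null 2>&1
}

LAB=$(mktemp -d); build_lab "$LAB"
chain_ok_without_ca "$LAB" || echo "root not deployed: gateway certificate rejected"
chain_ok_with_ca "$LAB"    && echo "root deployed:     chain verifies"
cert_valid_for_ip "$LAB" "$PUBLIC_IP"  && echo "dialing $PUBLIC_IP: name check passes"
cert_valid_for_ip "$LAB" "$PRIVATE_IP" || echo "dialing $PRIVATE_IP: name check fails"
rm -rf "$LAB"
```

The CA's own common name plays no part in either check; only the gateway certificate's names are compared with the address the client connects to.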
10-31-2018 11:06 AM
Hi There,
I'm having the same issue, but not on a self-signed certificate, and on Linux (Fedora 29).
Global Protect is configured with the certificate signed by the Authorized CA.
The Chain is:
DigiCert Global Root CA
DigiCert SHA2 Secure Server CA
Server certificate.
It works perfect on Windows.
On Linux, Fedora.
I get the error
Error: Gateway exgw: The server certificate is invalid. Please contact your IT administrator.
I checked if certificate is trusted
xxx\Downloads]$ trust list | grep Digi
label: DigiCert Global Root CA
label: DigiCert SHA2 Secure Server CA
The first two are exactly the ones that are trusted.
I am puzzled. Did anybody have issues with Global Protect on Linux?