Global Protect config problem: The server certificate is invalid.


L2 Linker

Hi,

In lab I am trying to set up a simple GlobalProtect configuration where the gateway and portal are on the same IP and just using local user authentication. I have a certificate for my public IP from Let's Encrypt and have imported this into Palo Alto.

I am able to connect to the portal without any certificate issues. But when connecting through the gateway I am getting "the server certificate is invalid".

 

My config looks like this:

 

Portal config:

 

GPP-Portal {
portal-config {
client-auth {
GPP-AUTH {
os Any;
authentication-profile "Local-Database Authentication";
authentication-message "Enter login credentials";
}
}
local-address {
interface loopback;
ip {
ipv4 10.1.1.1;
}
}
custom-login-page factory-default;
custom-home-page factory-default;
custom-help-page factory-default;
ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
}
client-config {
configs {
AUTH-PORTAL {
hip-collection {
max-wait-time 20;
collect-hip-data yes;
}
gateways {
external {
list {
fw.relianet.be {
fqdn fw.relianet.be;
priority-rule {
Any {
priority 1;
}
}
manual yes;
}
}
cutoff-time 5;
}
}
authentication-override {
generate-cookie no;
}
source-user any;
os Windows;
agent-ui {
max-agent-user-overrides 0;
agent-user-override-timeout 0;
}
gp-app-config {
config {
connect-method {
value on-demand;
}
refresh-config-interval {
value 24;
}
agent-user-override {
value allowed;
}
client-upgrade {
value prompt;
}
use-sso {
value no;
}
logout-remove-sso {
value yes;
}
krb-auth-fail-fallback {
value yes;
}
retry-tunnel {
value 30;
}
retry-timeout {
value 5;
}
enforce-globalprotect {
value no;
}
captive-portal-exception-timeout {
value 0;
}
traffic-blocking-notification-delay {
value 15;
}
display-traffic-blocking-notification-msg {
value yes;
}
traffic-blocking-notification-msg {
value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>';
}
allow-traffic-blocking-notification-dismissal {
value yes;
}
display-captive-portal-detection-msg {
value no;
}
captive-portal-detection-msg {
value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>';
}
certificate-store-lookup {
value user-and-machine;
}
scep-certificate-renewal-period {
value 7;
}
retain-connection-smartcard-removal {
value yes;
}
enable-advanced-view {
value yes;
}
enable-do-not-display-this-welcome-page-again {
value yes;
}
rediscover-network {
value yes;
}
resubmit-host-info {
value yes;
}
can-change-portal {
value yes;
}
can-continue-if-portal-cert-invalid {
value yes;
}
show-agent-icon {
value yes;
}
user-switch-tunnel-rename-timeout {
value 0;
}
pre-logon-tunnel-rename-timeout {
value -1;
}
show-system-tray-notifications {
value no;
}
max-internal-gateway-connection-attempts {
value 0;
}
portal-timeout {
value 5;
}
connect-timeout {
value 5;
}
receive-timeout {
value 30;
}
enforce-dns {
value yes;
}
flush-dns {
value no;
}
proxy-multiple-autodetect {
value no;
}
wsc-autodetect {
value yes;
}
mfa-enabled {
value no;
}
mfa-listening-port {
value 4501;
}
mfa-notification-msg {
value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
}
ipv6-preferred {
value yes;
}
}
}
save-user-credentials 2;
portal-2fa no;
manual-only-gateway-2fa no;
internal-gateway-2fa no;
auto-discovery-external-gateway-2fa no;
mdm-enrollment-port 443;
}
}
}
satellite-config {
client-certificate {
local;
}
}
}

 

GATEWAY:

 

GP-GATEWAY {
roles {
default {
login-lifetime {
days 30;
}
inactivity-logout {
hours 3;
}
disconnect-on-idle {
minutes 180;
}
}
}
client-auth {
GPG-CLIENT-AUTH {
authentication-profile "Local-Database Authentication";
os Any;
authentication-message "Enter login credentials";
}
}
remote-user-tunnel-configs {
GPG-Agent {
authentication-override {
generate-cookie no;
}
split-tunneling {
access-route 192.168.1.0/24;
exclude-access-route;
}
source-user any;
authentication-server-ip-pool;
ip-pool 192.168.250.0/24;
os any;
retrieve-framed-ip-address no;
no-direct-access-to-local-network no;
}
}
ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
tunnel-mode yes;
remote-user-tunnel tunnel.3;
}

 

Anybody that can help me out with this?

L1 Bithead

hey @GOMEZZZ 

 

I know it's been a while since you've made this post, but I hope this message finds you well.

 

Based on the PanGPS logs you've previously posted, the Agent is unable to verify the server certificate used for the Gateway SSL/TLS profile.

 

Common issues for this would include CN mismatch, as mentioned before by other community members, and incorrect certificate deployment, e.g. the Agent is unable to follow the full chain. A quick way to test this is using your local browser to connect and reviewing the output messages.

 

Could you please confirm the following:

 

1. The root (and intermediate if applicable) CA(s) used to sign the imported Portal/Gateway certificate are deployed in the correct directories on the endpoint

2. The server certificate used for the Portal/Gateway has the correct CN (and SAN if applicable) attribute

 

I've included documentation discussing the certificate deployment options for GlobalProtect below for your reference also.

 

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/get-started/enable-ssl-betwe...

 

 

-Cheers
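The two checks the reply above asks for (can the endpoint build the chain to a trusted root, and does the name the client connects to appear in the certificate's SAN/CN) can be separated with a small script run from the endpoint. This is an added example, not code from the thread or from Palo Alto Networks: `check_hostname()` applies the RFC 6125 matching rules to the dict that Python's `getpeercert()` returns, and `diagnose()` connects to a portal/gateway the way a browser would and reports a chain failure and a name mismatch as distinct results. The sample certificate dict and the name `portal.example.test` are constructed for illustration; `fw.relianet.be` is the gateway FQDN from the posted portal config. It does not replicate the GlobalProtect agent's own validation exactly, only the two failure classes the reply lists.

```python
"""Separate "chain not trusted" from "name mismatch" for a GlobalProtect
portal/gateway certificate. Added example, not from the original thread."""
import socket
import ssl


def _dns_match(pattern, hostname):
    """RFC 6125 style match: exact, or a wildcard covering one leftmost label."""
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.relianet.be" -> ".relianet.be"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[: -len(suffix)]         # the part the wildcard must cover
        return bool(prefix) and "." not in prefix  # exactly one label, no sub-sub-domains
    return False


def check_hostname(cert, hostname):
    """Return None if `hostname` is covered by `cert`, else a reason string.

    `cert` has the shape of ssl.SSLSocket.getpeercert(). DNS SAN entries take
    precedence; the subject CN is only consulted when no DNS SAN is present,
    which is the reply's "CN (and SAN if applicable)" check.
    """
    hostname = hostname.lower().rstrip(".")
    san_names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        candidates, source = san_names, "SAN"
    else:
        candidates = [v.lower() for rdn in cert.get("subject", ())
                      for k, v in rdn if k == "commonName"]
        source = "CN (no DNS SAN present)"
    for name in candidates:
        if _dns_match(name, hostname):
            return None
    return f"{hostname} not in certificate {source}: {candidates}"


def diagnose(host, port=443, server_name=None):
    """Connect to a portal/gateway and classify the outcome as one of
    "ok", "chain: <reason>", "name: <reason>" or "connect: <error>"."""
    server_name = server_name or host
    ctx = ssl.create_default_context()  # system trust store, CERT_REQUIRED
    ctx.check_hostname = False          # name check done by check_hostname() so it is reported separately
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate": the root/intermediate
        # is not in the endpoint's trust store (reply's point 1)
        return f"chain: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return f"connect: {exc}"
    reason = check_hostname(cert, server_name)
    return "ok" if reason is None else f"name: {reason}"


# Constructed sample in getpeercert() shape: a certificate whose SAN lists
# only a (hypothetical) portal name, not the gateway FQDN the client uses.
SAMPLE_PORTAL_CERT = {
    "subject": ((("commonName", "portal.example.test"),),),
    "subjectAltName": (("DNS", "portal.example.test"),),
}


if __name__ == "__main__":
    import sys
    # usage: python gp_cert_check.py fw.relianet.be [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "fw.relianet.be"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(check_hostname(SAMPLE_PORTAL_CERT, "fw.relianet.be"))
    print(diagnose(target, port))
```

A "chain:" result points at the CA deployment on the endpoint (reply's first question); a "name:" result points at the certificate's CN/SAN not matching the gateway FQDN configured in the portal's gateway list (reply's second question). Because the posted config uses the same SSL/TLS service profile for portal and gateway, the same certificate must cover both names the client is given.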
