Global Protect Gateway certificates when using SAML


We recently switched to using SAML (ADFS) authentication for connecting to our Global Protect Gateways.  These GP Gateways have an SSL/TLS Service Profile with a certificate signed by a CA created within the PaloAlto firewall that serves as the portal.

 

This still seems to be the recommended setup at https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/get-started/enable-ssl-betwe...

 

Since we switched to SAML authentication, our Windows users get certificate error popups.  The errors occur after authentication has happened.  The errors are "Revocation information for the security certificate for this site is not available" and then "The security certificate was issued by a company you have not chosen to trust...".  Viewing the certificate shows it is the GP Gateway certificate.  It seems the Global Protect client is doing a POST with the SAML authentication data to the firewall, but does not like the firewall's certificate.  This is somewhat understandable given that the certificate is just signed by a CA on the firewall.

 

Is the best practice when using SAML to use a trusted third party certificate for all Global Protect Gateways? 

Or Is there a way for Global Protect to trust the PaloAlto CA when doing the POST?

Cyber Elite

@alowther_chatham 

Is the best practice when using SAML to use a trusted third party certificate for all Global Protect Gateways?

You would want to have your certificate trusted by either a third party or your own enterprise CA trusted by your endpoints. Either one works.

Or Is there a way for Global Protect to trust the PaloAlto CA when doing the POST?

You can import the certificate onto the endpoints through Active Directory; as GlobalProtect utilizes the built-in certificate store, the certificate would then be trusted by the endpoint.
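The check behind this answer, as an added example that is not part of the thread and not Palo Alto Networks code: it pulls the certificate a gateway presents and runs it through the same Windows chain engine the GlobalProtect client relies on, with online revocation checking so both popups from the question (revocation unavailable, issuer not trusted) show up as chain status, and it reports whether the top of the chain is in the machine Root store. The gateway name is an assumption; the import helper is the manual equivalent of pushing your enterprise CA with Active Directory.

```powershell
# Added example, not from the thread or from Palo Alto Networks: check whether this
# Windows endpoint trusts the certificate a GlobalProtect gateway presents, using
# the Windows chain engine the GlobalProtect client relies on. The gateway name at
# the bottom is an assumption; replace it with your own.

function Test-GatewayCertTrust {
    param(
        [Parameter(Mandatory)][string]$GatewayHost,
        [int]$Port = 443
    )
    # Accept whatever the server sends during the handshake; the chain is judged below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($GatewayHost)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking reproduces the first popup from the question: a CA
    # created on the firewall publishes no CRL/OCSP endpoint the client can reach, so
    # the revocation status comes back unknown/offline.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $trusted = $chain.Build($leaf)

    # The last element is the highest certificate the engine could find; if the chain
    # reached a root, check whether that root sits in the machine Root store.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                          Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    [pscustomobject]@{
        Subject     = $leaf.Subject
        Issuer      = $leaf.Issuer
        NotAfter    = $leaf.NotAfter
        Trusted     = $trusted
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        RootInStore = $rootInStore
    }
}

# Fix for the "not chosen to trust" popup when the issuer is your own CA rather than
# a public one: put the CA certificate in the machine Root store. Needs an elevated
# shell; a GPO "Trusted Root Certification Authorities" policy does the same at scale.
function Install-EnterpriseRootCA {
    param([Parameter(Mandatory)][string]$CerPath)
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage (gateway name assumed):
Test-GatewayCertTrust -GatewayHost 'gp-gateway.example.com' | Format-List
```

A result with Trusted False and a ChainStatus containing UntrustedRoot is the second popup; RevocationStatusUnknown or OfflineRevocation is the first. If you switch the gateway to a public CA or import your enterprise root, rerun the function rather than relying on the client popup to confirm the fix.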

L3 Networker

I could easily be way off base with this answer:

 

Portal > GlobalProtect > Portals > Agent. At the bottom Add > Trusted Root CA > Install in Local Root Cert Store

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/network-globalp...

 


Thank you.  I think this should work for my situation.  We allow Global Protect to be installed on personal machines, so we don't have the capability to push a trusted cert using group policy or such.

 

However, when I tried checking this option the cert does not get installed.  I found in the PanGP Service debug logs
Saved root CA(...) into file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer.

Skip importing trusted root CA to store because portal's server certificate is not verified

 

This is strange since the portal uses a certificate from a trusted 3rd party CA.

L0 Member

Hi @alowther_chatham

Was your issue resolved? If yes, could you please let me know how you resolved it?

 

Thanks,

Khushal

Do you mean the issue where the Install in Local Root Cert Store setting was not working?  I believe this turned out to be some obscure bug in GlobalProtect. 

 

What I eventually figured out was that if the file
C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
does not exist, then the cert is installed correctly

 

(T5916) 09/20/19 22:32:07:450 Debug(9370): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T5916) 09/20/19 22:32:07:762 Debug( 82): Saved root CA(1094 bytes) into file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer.
(T5916) 09/20/19 22:32:07:762 Info (2573): Imported root ca.

 


If that file does exist, then the import is skipped incorrectly

 

(T5916) 09/20/19 22:34:06:117 Debug(7733): Delete the previous trusted root ca file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T5916) 09/20/19 22:34:06:117 Debug( 82): Saved root CA(1094 bytes) into file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer.
(T5916) 09/20/19 22:34:06:117 Debug(7765): Skip importing trusted root CA to store because portal's server certificate is not verified

 

 

There were two ways I found to fix the issue

- delete the file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer and then re-download the portal config

- reinstall GlobalProtect

 

I was not able to duplicate the issue in a lab, so I'm not sure what triggers the faulty behavior.
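A scripted version of the check and the first workaround from this post, as an added example that is not part of the thread and not Palo Alto Networks code. It classifies the last import attempt from PanGP Service log lines (using the exact messages quoted above), checks whether the CA saved in tca.cer is actually present in a Windows Root store, and only then deletes the stale file so the next portal config download re-imports it. The directory and the tca.cer name come from the post; the log file name PanGPS.log and the two Root stores checked are assumptions, and the sample log lines are constructed from the post's own quoted output.

```powershell
# Added example, not from the thread or from Palo Alto Networks: detect the stale
# tca.cer condition described above and apply the first workaround (delete the
# file, then let the client pull the portal config again). The directory, the
# file name tca.cer and the log text are taken from the post; the log file name
# PanGPS.log and the Root stores checked are assumptions. Run elevated, since
# the file lives under Program Files.

$GpDir   = 'C:\Program Files\Palo Alto Networks\GlobalProtect'
$TcaPath = Join-Path $GpDir 'tca.cer'
$LogPath = Join-Path $GpDir 'PanGPS.log'   # assumed name of the PanGP Service debug log

function Get-TcaImportStatus {
    # Classify the most recent root-CA import attempt from PanGP Service log lines:
    # 'Imported', 'Skipped' (the bug from the post) or 'Unknown' (no import logged).
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$LogLines)
    $last = $LogLines |
        Where-Object { $_ -match 'Imported root ca\.|Skip importing trusted root CA' } |
        Select-Object -Last 1
    if (-not $last) { return 'Unknown' }
    if ($last -match 'Imported root ca\.') { return 'Imported' }
    return 'Skipped'
}

function Test-RootCAInstalled {
    # True when the CA saved in tca.cer is present in a Windows Root store
    # (the machine store, or the user store as a fallback).
    param([Parameter(Mandatory)][string]$CerPath)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }) {
            return $true
        }
    }
    return $false
}

function Repair-StaleTca {
    # Delete tca.cer only when the CA is really missing from the store; the last
    # logged import outcome is reported for context. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$CerPath = $TcaPath, [string]$Log = $LogPath)
    if (-not (Test-Path $CerPath)) {
        Write-Host "$CerPath does not exist; the next portal config download will import the CA."
        return
    }
    $status    = if (Test-Path $Log) { Get-TcaImportStatus (@(Get-Content $Log)) } else { 'Unknown' }
    $installed = Test-RootCAInstalled $CerPath
    Write-Host "Last import attempt: $status; CA present in a Root store: $installed"
    if ($installed) { return }
    if ($PSCmdlet.ShouldProcess($CerPath, 'Delete stale trusted-root file')) {
        Remove-Item $CerPath -Force
        Write-Host 'Deleted. Reconnect so the client re-downloads the portal config and imports the CA.'
    }
}

# Constructed sample, copied from the skipped sequence quoted in the post, to
# exercise the classifier without touching a real log.
$SampleSkipped = @(
    '(T5916) 09/20/19 22:34:06:117 Debug(7733): Delete the previous trusted root ca file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer',
    '(T5916) 09/20/19 22:34:06:117 Debug( 82): Saved root CA(1094 bytes) into file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer.',
    "(T5916) 09/20/19 22:34:06:117 Debug(7765): Skip importing trusted root CA to store because portal's server certificate is not verified"
)
Get-TcaImportStatus -LogLines $SampleSkipped

# Real run: Repair-StaleTca -WhatIf, then Repair-StaleTca from an elevated shell.
```

Deleting the file is gated on the CA actually being absent from the store rather than on the log line alone, because the post's sequence shows the service rewriting tca.cer on every config download; a machine that imported the CA successfully on an earlier run will still have the file, and removing it there would only trigger a pointless re-import.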

L0 Member

@alowther_chatham 

 

Thanks so much for the explanation. I am facing the same issue you described and getting similar debug logs to the ones you listed. I will try the solution you used and see if it works in my case as well.

 

Thanks,

Khushal
