This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global Protect presents wrong TLS certificate of another portal

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect presents wrong TLS certificate of another portal

Go to solution
Trustnet-ET
L1 Bithead

‎12-09-2019 04:59 AM

I have a GP portal with TLS/SSL profile named "aaa.ssl.pr" which contains the "aaa-cert" which commons name is "aaa.com"

When accessing the portal I see a different certificate in my web browser,

If I put the same SSL profile on another test portal, I see the correct certificate.

 

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
emilta
L1 Bithead

‎12-09-2019 07:36 AM

If you have another GP gateway with no IP configured, it will take precedence and you will see it's certificate when accessing all other gateways which has IP's.

You can change the no IP gateway to a loopback with a dummy IP and the issue will be resolved.

The portal /gateway with no IP address takes priority over the portal configured with an IP address.

Ideally the GP config without an IP is supposed to be done only with DHCP IP and not static IP. So the config using IP as none is incorrect in case of static IP.

I think Palo has to alert when this configuration taking place,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHRCA0

 

TLS Certificate of Global Protect portal /gw with no IP address overrides portal with an IP address
Global Protect presents wrong TLS certificate of another portal.

View solution in original post

6 REPLIES 6

Go to solution
Mick_Ball
L7 Applicator

‎12-09-2019 06:14 AM

How very odd....

 

the wrong certificate that you are seeing.... Is it one that's on the firewall. or have you no idea where it came from.

0 Likes Likes

Go to solution
Trustnet-ET
L1 Bithead
In response to Mick_Ball

‎12-09-2019 06:46 AM

It is from another test GP portal I have on the same firewall

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to Trustnet-ET

‎12-09-2019 06:54 AM

so when you ping aaa.com, is it a different address to bbb.com

0 Likes Likes

Go to solution
Trustnet-ET
L1 Bithead
In response to Mick_Ball

‎12-09-2019 07:26 AM

Yes

0 Likes Likes

Go to solution
emilta
L1 Bithead

‎12-09-2019 07:36 AM

If you have another GP gateway with no IP configured, it will take precedence and you will see it's certificate when accessing all other gateways which has IP's.

You can change the no IP gateway to a loopback with a dummy IP and the issue will be resolved.

The portal /gateway with no IP address takes priority over the portal configured with an IP address.

Ideally the GP config without an IP is supposed to be done only with DHCP IP and not static IP. So the config using IP as none is incorrect in case of static IP.

I think Palo has to alert when this configuration taking place,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHRCA0

 

TLS Certificate of Global Protect portal /gw with no IP address overrides portal with an IP address
Global Protect presents wrong TLS certificate of another portal.

Go to solution
Mick_Ball
L7 Applicator
In response to emilta

‎12-09-2019 07:40 AM

@emilta , great info... i was not aware of this, probably because all my portals and gateways are static.

 

I have read the link provided but cannot see where it mentions certificate priority, could you forward a link with this info...

 

Many thanks,

 

0 Likes Likes
  • 1 accepted solution
  • 6320 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks