Global Protect presents wrong TLS certificate of another portal

L1 Bithead

Global Protect presents wrong TLS certificate of another portal

I have a GP portal with a TLS/SSL profile named "aaa.ssl.pr" which contains the "aaa-cert", whose common name is "aaa.com".

When accessing the portal I see a different certificate in my web browser.

If I put the same SSL profile on another test portal, I see the correct certificate.


Accepted Solutions
L1 Bithead

Re: Global Protect presents wrong TLS certificate of another portal

If you have another GP gateway with no IP configured, it will take precedence and you will see its certificate when accessing all other gateways which have IPs.

You can change the no IP gateway to a loopback with a dummy IP and the issue will be resolved.

The portal /gateway with no IP address takes priority over the portal configured with an IP address.

Ideally the GP config without an IP is supposed to be done only with DHCP IP and not static IP. So the config using IP as none is incorrect in case of static IP.

I think Palo has to alert when this configuration is taking place.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHRCA0


TLS Certificate of Global Protect portal /gw with no IP address overrides portal with an IP address
Global Protect presents wrong TLS certificate of another portal.


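The accepted answer above explains that a portal or gateway with no IP address answers for every address on the firewall, so the certificate the browser sees is not the one bound to the portal's SSL/TLS profile. The script below is an added check, not code from the thread or from Palo Alto Networks: it connects to each portal hostname with SNI, reads the leaf certificate that is actually presented, and reports every hostname the certificate does not name. The hostnames aaa.com and bbb.com and the certificate dictionaries are constructed to mirror the thread; the `cafile` parameter is an assumption for firewalls whose certificates are issued by an internal CA.

```python
"""Audit which certificate each GlobalProtect portal/gateway actually presents.

Added example, not code from the thread or from Palo Alto Networks.  The
hostnames aaa.com / bbb.com and the certificate dictionaries below are
constructed to mirror the thread; `cafile` is an assumed parameter for
firewalls whose certificates come from an internal CA.
"""
import socket
import ssl
import sys
from typing import Optional


def cert_names(cert: dict) -> list:
    """DNS names a certificate claims: subject CN plus DNS SANs, deduplicated in order.

    `cert` has the shape returned by SSLSocket.getpeercert().
    """
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return list(dict.fromkeys(names))


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or one wildcard as the left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # A wildcard covers exactly one label and never matches the bare domain.
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate is valid for `hostname`."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def fetch_cert(hostname: str, port: int = 443, cafile: Optional[str] = None,
               timeout: float = 5.0) -> dict:
    """Return the leaf certificate presented when connecting to `hostname` with SNI.

    Hostname checking is disabled on purpose so that a certificate for the
    *wrong* portal is returned rather than rejected; chain validation stays on,
    because getpeercert() returns an empty dict for an unvalidated peer.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit(hostnames, fetch=fetch_cert) -> dict:
    """Map each hostname whose certificate does not name it to the names it does carry."""
    problems = {}
    for host in hostnames:
        try:
            cert = fetch(host)
        except OSError as exc:  # covers socket errors and ssl.SSLError
            problems[host] = [f"connection/verification failed: {exc}"]
            continue
        if not cert_covers(cert, host):
            problems[host] = cert_names(cert)
    return problems


# Constructed certificates in getpeercert() form, mirroring the thread:
# "aaa-cert" names aaa.com, the other test portal's certificate names bbb.com.
AAA_CERT = {"subject": ((("commonName", "aaa.com"),),),
            "subjectAltName": (("DNS", "aaa.com"),)}
BBB_CERT = {"subject": ((("commonName", "bbb.com"),),),
            "subjectAltName": (("DNS", "bbb.com"),)}

# Constructed picture of the misconfiguration: the no-IP gateway answers for
# every address, so aaa.com is served bbb.com's certificate.
SIMULATED = {"aaa.com": BBB_CERT, "bbb.com": BBB_CERT}


if __name__ == "__main__":
    live = bool(sys.argv[1:])
    hosts = sys.argv[1:] if live else list(SIMULATED)
    for host, names in audit(hosts, fetch=fetch_cert if live else SIMULATED.get).items():
        print(f"{host}: presented certificate names {names}, not {host}")
```

Run with no arguments to see the constructed case; pass portal hostnames as arguments for the live check. A host listed with another portal's name is the symptom this thread describes; once the no-IP gateway is moved to a loopback with its own address, as the answer suggests, that host should disappear from the output.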

All Replies
L7 Applicator

Re: Global Protect presents wrong TLS certificate of another portal

How very odd....


The wrong certificate that you are seeing.... Is it one that's on the firewall, or have you no idea where it came from?

L1 Bithead

Re: Global Protect presents wrong TLS certificate of another portal

It is from another test GP portal I have on the same firewall.

L7 Applicator

Re: Global Protect presents wrong TLS certificate of another portal

So when you ping aaa.com, is it a different address to bbb.com?

L1 Bithead

Re: Global Protect presents wrong TLS certificate of another portal

Yes


L7 Applicator

Re: Global Protect presents wrong TLS certificate of another portal

@emilta, great info... I was not aware of this, probably because all my portals and gateways are static.


I have read the link provided but cannot see where it mentions certificate priority, could you forward a link with this info...


Many thanks,
