GlobalProtect getting "Connection failed" message (sectigo certificate)

Reply
Highlighted
L1 Bithead

GlobalProtect getting "Connection failed" message (sectigo certificate)

Hi,

 

suddenly we are getting a "connection failed" message from the GlobalProtect Client while using the sectigo wildcard certificate in the TLS Profile of the NGFW.

 

The traffic logs show a 'decrypt-error'.

There is no decryption policy being used.

 

We are on PanOS 9.0.7.

 

It's a bit strange because everything worked just fine until now and there weren't any changes made. 

Could that refer to the known sectigo certificate problem?

 

Is there maybe a fix for this?

 

 

Best regards,

Marc

 

 


Accepted Solutions
Highlighted
Cyber Elite

Re: GlobalProtect getting "Connection failed" message (sectigo ce

@Marc.Luecke,

Generate a new certificate for use with GlobalProtect would really be my answer to this question. You should be able to get your wildcard certificate re-issued without the cross-signing between AddTrust and USERTrust and just have USERTrust in the chain, which would a fully valid certificate. 

View solution in original post


All Replies
Highlighted
Cyber Elite

Re: GlobalProtect getting "Connection failed" message (sectigo ce

@Marc.Luecke,

The firewall decrypts parts of GlobalProtect traffic regardless of what you have configured in your decryption rule base, and if you are using a Sectigo certificate which is cross-signed with AddTrust and UserTrust then your certificate would have been invalidated as far as the firewall is concerned on the 30th. 

Highlighted
L1 Bithead

Re: GlobalProtect getting "Connection failed" message (sectigo ce

Hi,

 

I see. Thank you very much for your fast answer.

Is there any way around this?

 

I assume there are several users with the same problem at this time.

 

Best regards,

Marc Lücke

Highlighted
Cyber Elite

Re: GlobalProtect getting "Connection failed" message (sectigo ce

@Marc.Luecke,

Generate a new certificate for use with GlobalProtect would really be my answer to this question. You should be able to get your wildcard certificate re-issued without the cross-signing between AddTrust and USERTrust and just have USERTrust in the chain, which would a fully valid certificate. 

View solution in original post

Highlighted
L1 Bithead

Re: GlobalProtect getting "Connection failed" message (sectigo ce

I will try that.

 

Thank you very much!!

 

Best regards,

Marc Lücke

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!