GP certificate differences in 2.3 and 3.1


L3 Networker

Hi,

We have an internal CA, we have a certificate generated and it is used for the GP portal/gateway only, clients are authenticating via usual credentials. Nothing fancy overall. So there are external clients who do not have the CA cert installed, so they are getting an "untrusted certificate" warning when connecting to the GP gateway. But the GP agent behavior differs between versions 2.3 and 3.1 when connecting to the gateway.

2.3 - click continue, accept the untrusted cert and roll on - login succeeds.

3.1 - click continue, login (because the reject happens if invalid credentials are entered), but that is when the connection fails with the message: "Gateway 1: Server certificate verification failed". Won't expand on the troubleshooting logs and everything, but is that the way it goes? Is there a workaround other than installing the CA cert to trust the issuer? Because if there is a trusted cert installed for the issuer CA on the client/agent computer, the connection happens fine with both versions.

I've found this: https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-re..., but as far as I understand, this should already happen on 2.3 according to this document. Can't seem to find anything related to 3.1 and what specifically changed there.

Any experience with this?

Cheers!

1 REPLY

L2 Linker

"Server certificate verification failed" usually points to the new check that was added where the Palo Alto will check the CN of the certificate used against the GlobalProtect Gateway FQDN/IP. These HAVE to match, either both as an IP or both as an FQDN. The gateway IP is what you set in the external or internal gateway options.

https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Gateway-Certificate-Error-Whe...

- Peter
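The check Peter describes, reproduced as a stand-alone matcher (added here as an example; it is not GlobalProtect code, and the certificate identities are constructed rather than parsed from a real cert). It goes slightly beyond the reply: when a certificate carries SAN entries, modern clients use those and only fall back to the CN when no SAN is present, and a name-type gateway (FQDN) can never be satisfied by an IP identity or vice versa, which is exactly the "both IP or both FQDN" rule.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class CertNames:
    """Identity fields of a server certificate (constructed values for the demo, not a parsed cert)."""
    common_name: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS match: case-insensitive, wildcard only in the left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    p_labels, h_labels = p.split("."), h.split(".")
    # the wildcard covers exactly one label and never the registrable suffix
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]

def gateway_cert_matches(cert: CertNames, gateway: str) -> Tuple[bool, str]:
    """Decide whether the gateway address the client was given (FQDN or IP) is covered by the cert."""
    try:
        gw_ip = ipaddress.ip_address(gateway)
    except ValueError:
        gw_ip = None
    if gw_ip is not None:
        # gateway configured as an IP: only an IP-type identity in the cert can satisfy it
        for ip in cert.san_ip:
            if ipaddress.ip_address(ip) == gw_ip:
                return True, f"SAN IP {ip} matches gateway IP"
        if not cert.san_ip and cert.common_name == gateway:
            return True, "CN equals gateway IP (legacy fallback, no SAN IP present)"
        return False, "gateway is an IP but the certificate carries no matching IP identity"
    # gateway configured as an FQDN: SAN dNSName wins; CN is only a fallback when no SAN DNS exists
    if cert.san_dns:
        for name in cert.san_dns:
            if _dns_match(name, gateway):
                return True, f"SAN DNS {name} matches {gateway}"
        return False, "no SAN DNS entry matches the gateway FQDN"
    if cert.common_name and _dns_match(cert.common_name, gateway):
        return True, "CN matches gateway FQDN (legacy fallback, no SAN present)"
    return False, "neither SAN nor CN matches the gateway FQDN"

if __name__ == "__main__":
    # constructed: a cert issued for the gateway's FQDN, offered to a client configured with the IP
    cert = CertNames(common_name="gw.example.com", san_dns=["gw.example.com"])
    print(gateway_cert_matches(cert, "gw.example.com"))  # (True, ...)
    print(gateway_cert_matches(cert, "203.0.113.10"))    # (False, ...) -> "verification failed"
```

Running it against your own gateway's certificate (subject CN and SAN from the firewall's certificate view) and the exact address configured under the portal's gateway list shows which of the two sides has to change.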
