02-01-2017 01:34 PM
Hi,
We have an internal CA, we have a certificate generated and it is used for the GP portal/gateway only, clients are authenticating via usual credentials. Nothing fancy overall. So there are external clients who do not have the CA cert installed, so they are getting an "untrusted certificate" warning when connecting to the GP gateway. But the GP agent behavior differs between versions 2.3 and 3.1 when connecting to the gateway.
2.3 - click continue, accept the untrusted cert and roll on - login succeeds.
3.1 - click continue, log in (because a rejection happens if invalid credentials are entered), but that is when the connection fails with the message: "Gateway 1: Server certificate verification failed". Won't expand on tshoot logs and everything, but is that the way it goes? Is there a workaround other than installing the CA cert to trust the issuer? Because if there is a trusted cert installed for the issuer CA on the client/agent computer, the connection happens fine with both versions.
I've found this: https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-re..., but as far as I understand, this should already happen on 2.3 according to this document. Can't seem to find anything related to 3.1 and what specifically changed there.
Any experience with this?
Cheers!
02-02-2017 08:15 AM
"Server certificate verification failed" usually points to the new check that was added, where the Palo Alto will check the CN of the certificate used against the GlobalProtect Gateway FQDN/IP. These HAVE to match, either both as an IP or both as an FQDN. The gateway IP is what you set in the external or internal gateway options.
- Peter
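To make the "both as an IP or both as an FQDN" rule concrete, here is an added Python example. It is not from this thread, not Palo Alto's code, and not the GlobalProtect agent's actual logic (which is not published here); it implements standard RFC 6125-style server identity matching, which is the check the error message points at: a gateway configured as an IP literal must be matched by an IP SAN (or by the CN when the certificate carries no SAN at all), and a gateway configured as a hostname must be matched by a DNS SAN or the CN, wildcards included. The certificates and addresses (`vpn.example.com`, `203.0.113.10`) are constructed for the example.

```python
"""RFC 6125-style server identity matching: does the name the client was
configured with match the names in the certificate the gateway presented?

Constructed example; the gateway names and certificates below are made up.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCertificate:
    """The identity fields a TLS client reads from the server certificate."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries
    san_ip: List[str] = field(default_factory=list)   # SAN iPAddress entries


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; one wildcard allowed in the left-most label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        # *.example.com matches vpn.example.com but not a.b.example.com or example.com
        return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return False


def verify_server_identity(cert: PeerCertificate, configured_gateway: str) -> Tuple[bool, str]:
    """Return (ok, detail). Chain trust is a separate check and is not covered here."""
    has_any_san = bool(cert.san_dns or cert.san_ip)

    if _is_ip_literal(configured_gateway):
        want = ipaddress.ip_address(configured_gateway)
        if any(ipaddress.ip_address(ip) == want for ip in cert.san_ip):
            return True, f"IP SAN matches {configured_gateway}"
        # Legacy fallback: CN is consulted only when the certificate has no SAN at all.
        if not has_any_san and cert.common_name and _is_ip_literal(cert.common_name) \
                and ipaddress.ip_address(cert.common_name) == want:
            return True, f"CN matches IP {configured_gateway} (no SAN present)"
        return False, (f"gateway configured as IP {configured_gateway}, but the certificate "
                       f"names it as CN={cert.common_name!r}, DNS SANs={cert.san_dns}, "
                       f"IP SANs={cert.san_ip}")

    # Configured as a hostname: DNS SANs take precedence; CN only if no SAN present.
    if any(_dns_name_matches(n, configured_gateway) for n in cert.san_dns):
        return True, f"DNS SAN matches {configured_gateway}"
    if not has_any_san and cert.common_name and _dns_name_matches(cert.common_name, configured_gateway):
        return True, f"CN matches {configured_gateway} (no SAN present)"
    return False, (f"gateway configured as hostname {configured_gateway}, but the certificate "
                   f"names it as CN={cert.common_name!r}, DNS SANs={cert.san_dns}, IP SANs={cert.san_ip}")


# Constructed certificates for two deployment styles.
FQDN_CERT = PeerCertificate(common_name="vpn.example.com", san_dns=["vpn.example.com"])
IP_CERT = PeerCertificate(common_name="203.0.113.10", san_ip=["203.0.113.10"])
WILDCARD_CERT = PeerCertificate(common_name="*.example.com", san_dns=["*.example.com"])
CN_ONLY_CERT = PeerCertificate(common_name="vpn.example.com")  # pre-SAN style certificate


if __name__ == "__main__":
    # Same FQDN certificate, gateway configured two different ways.
    for gateway in ("vpn.example.com", "203.0.113.10"):
        ok, detail = verify_server_identity(FQDN_CERT, gateway)
        print(f"{gateway:>16}: {'OK  ' if ok else 'FAIL'} {detail}")
```

The second line printed is the case behind Peter's answer: a certificate issued to the gateway's FQDN cannot satisfy a client that was given the gateway as a bare IP, and vice versa, no matter how well the issuing CA is trusted. Whether the issuer is trusted (chain validation) and whether the presented name matches (identity matching) are two separate checks; installing the internal CA certificate on the client only addresses the first.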