This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GP upgrade beyond 2.2.x

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GP upgrade beyond 2.2.x

MCmgt
L2 Linker

‎03-29-2017 10:39 AM

Hi,

 

I'm running GlobalProtect 2.2.1 on PANOS 7.0.7. I'm preparing to upgrade to 2.3 (and beyond) to finally support some newer client devices. This caveat in the 2.3 release notes made me pause:

 

 

If your GlobalProtect 2.2 or earlier release configuration uses a gateway server certificate that is
not issued by a CA that is trusted by your endpoints (for example, self-signed certificates), then
you must add the CA for that certificate to the Trusted Root CA list in the portal client configuration
when upgrading to GlobalProtect 2.3 and later releases to ensure that the GlobalProtect agent
can connect to the GlobalProtect gateway.

 

I am using a self-signed cert (SSLVPNCert) produced by the firewall as CA on the Gateway.

 

 gateway.png

 

(As an aside, I'm guessing that the SSL/TLS Service Profile used here was autogenerated during some upgrade that introduced the SSL/TLS Service Profile feature? Note that it does not appear in the list of SSL/TLS Service Profiles. Should this concern me?)

 

 

blankprofile.png

The Portal uses the same cert.

 

portal.png

 

The Portal Agent has the CA (MCVPN_CA) in the Trusted Root CA list.

 

portalagent.png

 

The CA does not have the Trusted Root CA box checked under Usage.

 

Cert.png

 

Am I good-to-go? Or, is the Trusted Root CA checkbox going to bite me? (If so, is it just a matter of clicking it and commiting?)

 

 

 

 

0 Likes Likes
6 REPLIES 6

BPry
Cyber Elite
Cyber Elite

‎03-29-2017 11:43 AM

You'll likely need to install the certificate into the trusted certificates of your end-user devices through GPO to get this to function properly. 

0 Likes Likes

ansharma
L4 Transporter

‎03-29-2017 12:19 PM

Hi MCmgt,

 

The SSL/TLS profile cannot be empty. Please create one and use the certificate that you were using earlier (SSLVPNcert). This profile needs to be used in the portal and gateway. If SSLVPNcert is signed by the MCVPN_CA, then you are fine. Any particular reason, you aren't moving to a 3.1.x version?

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
0 Likes Likes

MCmgt
L2 Linker
In response to ansharma

‎03-29-2017 12:39 PM

But the SSL/TLS Profile can be empty...because it works 🙂

 

The goal is definitely >2.3 ... gotta get those MacOS 10.12 people off my case 🙂

0 Likes Likes

ansharma
L4 Transporter
In response to MCmgt

‎03-29-2017 12:51 PM

Maybe not when you have your configuration upgraded. This is the first time I am seeing it working like this. No commit errors in your case? I have always seen it working with some profile. For the version, I'd say 3.1.4/5/6. They are the most common in my experience.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to MCmgt

‎03-29-2017 01:09 PM

@ansharma is actually right in this case this setup shouldn't be working without a SSL/TLS profile assigned, it would be intereseting to see your XML config and see if it's maybe in the reference but the GUI has stopped picking it up after an update or something? 

You will likely see this stop functing after upgrading the client if the certificate actually isn't being assigned to your portal. 

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to ansharma

‎03-29-2017 01:11 PM

Sidenote: MCVPN_CA still needs to be trusted by your client machines. If they do not trust this CA then they will likely still give you an error. 

0 Likes Likes
  • 3171 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks