I'm running GlobalProtect 2.2.1 on PANOS 7.0.7. I'm preparing to upgrade to 2.3 (and beyond) to finally support some newer client devices. This caveat in the 2.3 release notes made me pause:
If your GlobalProtect 2.2 or earlier release configuration uses a gateway server certificate that is not issued by a CA that is trusted by your endpoints (for example, self-signed certificates), then you must add the CA for that certificate to the Trusted Root CA list in the portal client configuration when upgrading to GlobalProtect 2.3 and later releases to ensure that the GlobalProtect agent can connect to the GlobalProtect gateway.
I am using a self-signed cert (SSLVPNCert) produced by the firewall as CA on the Gateway.
(As an aside, I'm guessing that the SSL/TLS Service Profile used here was autogenerated during some upgrade that introduced the SSL/TLS Service Profile feature? Note that it does not appear in the list of SSL/TLS Service Profiles. Should this concern me?)
The Portal uses the same cert.
The Portal Agent has the CA (MCVPN_CA) in the Trusted Root CA list.
The CA does not have the Trusted Root CA box checked under Usage.
Am I good-to-go? Or, is the Trusted Root CA checkbox going to bite me? (If so, is it just a matter of clicking it and commiting?)
The SSL/TLS profile cannot be empty. Please create one and use the certificate that you were using earlier (SSLVPNcert). This profile needs to be used in the portal and gateway. If SSLVPNcert is signed by the MCVPN_CA, then you are fine. Any particular reason, you aren't moving to a 3.1.x version?
Maybe not when you have your configuration upgraded. This is the first time I am seeing it working like this. No commit errors in your case? I have always seen it working with some profile. For the version, I'd say 3.1.4/5/6. They are the most common in my experience.
@ansharma is actually right in this case this setup shouldn't be working without a SSL/TLS profile assigned, it would be intereseting to see your XML config and see if it's maybe in the reference but the GUI has stopped picking it up after an update or something?
You will likely see this stop functing after upgrading the client if the certificate actually isn't being assigned to your portal.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!