PAN-OS and Global Protect software

L2 Linker

PAN-OS and Global Protect software

I plan to update to PAN-OS 6.1.6 and GP 2.3.1.

Currently at 6.1.0, and 2.1.1.

Any suggestions or issues?

Thanks in advance

//moe

L5 Sessionator

There is a change in the default behaviour of GlobalProtect from 2.3.0.

In GlobalProtect 2.2 and previous versions, only if a Trusted CA is configured in the Portal will the agent validate the gateway certificate.

From agent 2.3, the agent will always check the validity of the gateway server certificate, and if the agent cannot validate the certificate, it will not connect to the GlobalProtect gateway.

Validate means whether the certificate is signed by a CA which is trusted by that machine.

The other thing is: if the CN of the certificate is an IP address, then it should match the IP address of the interface used in the portal. If the CN is a domain name, then the IP it resolves to should match the IP address of the interface used in the portal.

When defining the gateways (External/Internal) under the portal configuration: if the CN is an FQDN, then specify the FQDN; if the CN is an IP address, then specify the IP address.

L2 Linker

Thank you for that.

How does this apply to a wildcard cert?

L5 Sessionator

Hi,

If you really need GP, it can be interesting for you to upgrade to v7. In this release, licensing has been simplified.

According to the v7 RN: "You can now use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple external gateways, without any GlobalProtect licenses. The portal license, which was required to enable this functionality, has been deprecated. However, advanced features including Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to PAN-OS 7.0 or later."

We are on 7.0.2 and everything works well :-)

Hope this helps.

V.

L5 Sessionator

If you are using a certificate signed by a trusted CA, then you don't have to worry about it.

Just take care of the following part:

If the CN of the certificate is an IP address, then it should match the IP address of the interface used in the portal. If the CN is a domain name, then the IP it resolves to should match the IP address of the interface used in the portal.

When defining the gateways (External/Internal) under the portal configuration: if the CN is an FQDN, then specify the FQDN; if the CN is an IP address, then specify the IP address.

L2 Linker

Thanks, V., but PA tech support didn't sound as convincing as you ;^).

I'll consider... perhaps there are others seeing this who share your experience? (holla!)

L2 Linker

Forgive my limited knowledge of certs, Pakumar. Are you saying that the GP config on the remote device should match what is on the cert?

L5 Sessionator

[Attached screenshots: Certificate.png, Gateway_Config.png]

Check the highlighted area: the CN name is an IP address, so in the portal config I have specified the IP address for the gateway.

If the CN is vpn.abc.com, then I have to specify vpn.abc.com in the portal config for the gateway.

And the nslookup for vpn.abc.com should map to the IP address that you are using for the portal.
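Putting the rule from the posts above into a checkable form, as an added example that is not from this thread or from Palo Alto Networks: the gateway entry in the portal config is compared against the certificate names the way the posts describe (written as an IP or as an FQDN, matching the CN), and an FQDN must resolve to the IP of the interface the portal uses. It also covers the earlier wildcard question using the standard leftmost-label rule. The host name vpn.abc.com comes from the post; the address 203.0.113.10 and the dictionary standing in for nslookup are constructed sample data.

```python
import ipaddress
from typing import Callable, Iterable, Tuple

def is_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address (as opposed to a domain name)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(cert_name: str, configured: str) -> bool:
    """Does a name from the certificate (CN or SAN) match the gateway address
    typed into the portal config? Exact match, plus a single leftmost '*'
    label (the usual wildcard rule) so a wildcard cert can be checked too."""
    cert_name = cert_name.lower().rstrip(".")
    configured = configured.lower().rstrip(".")
    if cert_name == configured:
        return True
    if cert_name.startswith("*.") and not is_ip(configured):
        # '*.abc.com' covers 'vpn.abc.com' but not 'abc.com' or 'a.b.abc.com'
        return (configured.endswith(cert_name[1:])
                and configured.count(".") == cert_name.count("."))
    return False

def check_gateway(cert_names: Iterable[str], configured_gateway: str,
                  interface_ip: str,
                  resolve: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Apply the thread's rule: the portal's gateway entry must be written the
    same way as the cert (IP or FQDN), and an FQDN must resolve to the IP of
    the interface the portal/gateway listens on. Returns (ok, reason)."""
    names = list(cert_names)
    if not any(name_matches(n, configured_gateway) for n in names):
        return False, f"gateway entry {configured_gateway!r} matches none of {names}"
    if is_ip(configured_gateway):
        if configured_gateway != interface_ip:
            return False, "CN is an IP address but not the interface IP"
        return True, "IP in certificate matches the interface IP"
    resolved = set(resolve(configured_gateway))
    if interface_ip not in resolved:
        return False, f"{configured_gateway} resolves to {sorted(resolved)}, not {interface_ip}"
    return True, "FQDN matches the certificate and resolves to the interface IP"

# Constructed sample data: vpn.abc.com from the thread, an RFC 5737 documentation
# address, and a dict standing in for nslookup.
SAMPLE_DNS = {"vpn.abc.com": ["203.0.113.10"]}
def sample_resolve(fqdn: str) -> Iterable[str]:
    return SAMPLE_DNS.get(fqdn.lower(), [])
```

Run the check against the names in your gateway certificate before the agent upgrade, since from 2.3 a mismatch stops the client connecting rather than just warning.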
L2 Linker

crystal clear! thanks....

L2 Linker

A note to all: the upgrade to 6.1.6 only worked on one of my 2 PA-5020s. The dataplane kept crashing on my primary (Dataplane is down: too many dataplane processes exited). Has anyone experienced similar? Rebooting with the interfaces disconnected (all except management and HA) did not solve it.
