This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PAN-OS and Global Protect software

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN-OS and Global Protect software

VSU_ITSEC
L2 Linker

‎10-07-2015 11:50 AM

I plan to update to PAN-OS 6.1.6 and GP 2.3.1.

Currently at 6.1.0, and 2.1.1.

 

Any suggestions or issues?

 

Thanks in advance

//moe

0 Likes Likes
12 REPLIES 12

pankaku
L5 Sessionator

‎10-07-2015 12:44 PM

There is a change in the default behaviour in the global protect from 2.3.0

In Global protect 2.2 and previous version if the Trust CA is configured in the Portal then only the agent will validate the gateway certificate.

From agent 2.3 the agent will always check the validity of the gateway server certificate and if the agent cannot validate the certificate, it will not connect to the GlobalProtect gateway.

Validate means whether the certificate is signed by a CA which is trusted by that machine.

Other thing is If the CN of certificate have IP address then it should match to the IP address of the interface used in the portal. If the CN is domain name then the IP it resolves to should match to the IP address of the interface used in portal.

 

When defining the gateways (External/Internal) under the portal configuraiton. If CN have FQDN  then specify the FQDN, If CN have IP address then specify IP address.

0 Likes Likes

VSU_ITSEC
L2 Linker
In response to pankaku

‎10-07-2015 02:27 PM

Thank you for that.

 

How doe sthis apply to a wildcard cert?

0 Likes Likes

VinceM
L5 Sessionator
In response to VSU_ITSEC

‎10-08-2015 12:46 AM

Hi,

 

If you really need GP, it can be interesting for you to upgrade to V7. In this release, licence had been simplify.

 

According the VY RN: "You can now use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple external gateways, without any GlobalProtect licenses. The portal license, which was required to enable this functionality, has been deprecated. However, advanced features including Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to PAN-OS 7.0 or later."

 

We are in 7.0.2 and everything works well 🙂

 

Hope help.

 

V.

pankaku
L5 Sessionator
In response to VSU_ITSEC

‎10-08-2015 02:11 AM

If you are using a certifiacte signed by a trusted CA so you don't have to worry about it.

Just take care of the following part

If the CN of certificate have IP address then it should match to the IP address of the interface used in the portal. If the CN is domain name then the IP it resolves to should match to the IP address of the interface used in portal.

When defining the gateways (External/Internal) under the portal configuraiton. If CN have FQDN  then specify the FQDN, If CN have IP address then specify IP address.

0 Likes Likes

VSU_ITSEC
L2 Linker
In response to VinceM

‎10-08-2015 12:05 PM

Thanks, V., but PA tech support didn't sound as convincing as you ;^).

I'll consider... perhaps there are others seeing this who share your experience? (holla!)

0 Likes Likes

VSU_ITSEC
L2 Linker
In response to pankaku

‎10-08-2015 12:10 PM

Forgive my limited knowlegde of certs, Pakumar.  Are you saying that the GP config on the remote device should match what is on the cert?

0 Likes Likes

pankaku
L5 Sessionator
In response to VSU_ITSEC

‎10-08-2015 12:19 PM

Certificate.pngGateway_Config.png

 

Check the highlihted area the CN  name is a IP  address so in the portal config I have  sepecified IP address for gateway.

 

If thhe CN is vpn.abc.com then I have to specify vpn.abc.com in the portal config for gateway.

 

and the nslookup for vpn.abc.com should map to the IP address that you are using for  portal.

 

0 Likes Likes

VSU_ITSEC
L2 Linker
In response to pankaku

‎10-08-2015 01:48 PM

crystal clear! thanks....

0 Likes Likes

VSU_ITSEC
L2 Linker

‎10-12-2015 01:08 PM

A note to all - the upgrade to 6.1.6 only worked on one of my 2 PA-5020s.  The dataplane kept crashing on my primary (Dataplane is down: too many dataplane processes exited).  has anyone experienced similar?  Rebooting with the interfaces disconnected (all except managment and HA) did not solve.

0 Likes Likes

glastra1
L4 Transporter
In response to VSU_ITSEC

‎10-13-2015 01:17 PM

Try to upgrade to 6.1.7 where multiple dataplane restart issues were solved

Check the release notes for the following IDs and try to match them with your enviroment,

80720

82370

80251

79719

76875

66681

 

If that doesn't solve your issue, opean a TAC case,

 

Regards,

Gerardo.

0 Likes Likes

CHANDRASHEKHAR.BRAMAPRAKASH
L0 Member

‎12-14-2021 10:01 PM

Hi Team,

 

I am facing the same issue, I have global protect installed, the version is 5.2.8-23, on the gateway i am using FQDN. 

 

when i try to connect GP i am getting the error "the certificate is not signed by a trusted certificate authority". if i install the root certificate on the local machine, it works fine. but I am not doing any certificate based authentication. Could you please tell me is it mandatory to install the root certificate on all the end machines to connect global protect.?

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to CHANDRASHEKHAR.BRAMAPRAKASH

‎12-15-2021 08:22 AM

Hi @CHANDRASHEKHAR.BRAMAPRAKASH ,

 

When you configure GlobalProtect Portal and Gateway, you need to assign SSL certificate that firewall will provide as server certificate when connecting to GP. It looks like you are using certificate that is self-signed or signed by internal PKI, that is not trusted by default. You have few options:

- Request SSL server certificate from public Certificate Authority.

- If you are using self-signed server certificate you must install the root CA (that was used to generate the server cert) to each machined that will connect to GP

- Strongly against this option, but if you still want to use self-signed certificate, without installing the root CA - there is an option to ignore the invalid SSL certificate and continue with vpn connection. This is under GP portal -> Agent Config -> App

Astardzhiev_0-1639585190416.png

I would recommend to use this option only in test/PoC environment, because it will completely  bypass certificate validation, which is only protection agains man-in-the-middle attack

 

 

  • 12295 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks