05-21-2020 08:12 PM
Hi Team,
I have a question. Currently, on our PA-500 firewall, we run a 2-gateway VPN, meaning we have 2 WANs (ISPs). Some users will use the VPN via WAN1 and some via WAN2. The existing VPN uses WAN1, so the certificate CN name (IP address) points to the WAN1 gateway. After adding WAN2 and a new gateway on WAN2, we notice a certificate mismatch when users try to connect to the GP VPN gateway IP on WAN2.
If I rename the CN name of the certificate from an IP address to an FQDN, is there any charge from Palo Alto, or is it free to rename, with no need to pay?
Thanks.
05-21-2020 10:49 PM
It seems you are using a Palo Alto self-signed certificate for your GP VPN. For VPN2, you can generate a new certificate and use it in a new SSL profile. This profile can be used for VPN2.
If you are trying to change the CN of the existing self-signed certificate, the system may not allow you to change it. The best way is to generate a new cert and use it for VPN2.
There shouldn't be any cost or charges involved in this.
Hope it helps!
Mayur
05-26-2020 12:13 AM
Hi @SutareMayur
Thanks for the answer.
Yes, I can't rename the existing CN. I will generate a new certificate, and the CN name will be an FQDN, not an IP address.
Will it work if I have two gateways (VPN1 and VPN2) using a CN name that is an FQDN?
Thanks
05-26-2020 12:53 AM - edited 05-26-2020 12:55 AM
Yes, it will work using a certificate that is generated for the FQDN as well. If you are using the FQDN to connect to GP, then that certificate will be accepted and trust will be built. If you are using the IP address to connect to GP and the certificate used is generated with the CN as the FQDN, then there will be a mismatch. So you need to check in this regard also.
Mayur
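To make the mismatch described in the replies above concrete, here is an added example (not part of this thread or of any Palo Alto product code) that models how a TLS client decides whether the address typed into the gateway field is covered by the gateway certificate. It applies the usual RFC 6125 rules: if a Subject Alternative Name (SAN) extension is present, only the SAN entries count (dNSName for hostnames, iPAddress for IPs) and the CN is ignored; if there is no SAN, the CN is compared literally as a legacy fallback. The certificate dicts, hostnames (example.com) and IP addresses (RFC 5737 documentation ranges) are constructed stand-ins, not values from the thread. It also shows the generalisation the reply hints at: one certificate with both gateway FQDNs and both WAN IPs in its SAN satisfies every way a user might connect.

```python
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, at most one wildcard,
    only in the left-most label, and the wildcard covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def cert_matches(cert: dict, connect_to: str) -> bool:
    """Return True if the address a user types (FQDN or IP literal) is
    covered by the certificate identity.

    `cert` is a constructed stand-in for the parsed X.509 identity:
      {"cn": str, "san_dns": [str, ...], "san_ip": [str, ...]}
    """
    try:
        wanted_ip = ipaddress.ip_address(connect_to)
    except ValueError:
        wanted_ip = None  # the user typed a hostname, not an IP literal

    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])

    if san_dns or san_ip:
        # A SAN extension is present: the CN is ignored entirely, so a
        # CN=<FQDN> cert only works for IP connections if the IP is in san_ip.
        if wanted_ip is not None:
            return any(ipaddress.ip_address(s) == wanted_ip for s in san_ip)
        return any(_dns_match(p, connect_to) for p in san_dns)

    # Legacy fallback with no SAN: compare the CN literally. This is what
    # lets a CN=<WAN1 IP> certificate pass when users connect by that IP,
    # and why it fails the moment they connect to the WAN2 IP instead.
    cn = cert.get("cn", "")
    if wanted_ip is not None:
        try:
            return ipaddress.ip_address(cn) == wanted_ip
        except ValueError:
            return False  # CN is a hostname, client asked for an IP
    return _dns_match(cn, connect_to)


def check_gateways(cert: dict, gateways: list) -> dict:
    """Map each address users might type to match (True) or mismatch (False)."""
    return {g: cert_matches(cert, g) for g in gateways}


# Constructed sample data (documentation ranges and example.com names).
WAN1_IP, WAN2_IP = "203.0.113.10", "198.51.100.20"
FQDN1, FQDN2 = "vpn1.example.com", "vpn2.example.com"

# Shape of the three certificates discussed: the original CN=IP cert, the
# proposed CN=FQDN replacement, and one cert that covers every address.
CERT_CN_IP = {"cn": WAN1_IP}
CERT_CN_FQDN = {"cn": FQDN1, "san_dns": [FQDN1]}
CERT_BOTH = {"cn": FQDN1,
             "san_dns": [FQDN1, FQDN2],
             "san_ip": [WAN1_IP, WAN2_IP]}

if __name__ == "__main__":
    targets = [WAN1_IP, WAN2_IP, FQDN1, FQDN2]
    for label, cert in (("CN=IP, no SAN", CERT_CN_IP),
                        ("CN=FQDN1", CERT_CN_FQDN),
                        ("both FQDNs + both IPs in SAN", CERT_BOTH)):
        print(f"{label}: {check_gateways(cert, targets)}")
```

Running it prints a match table per certificate: the original CN=IP certificate passes only for the WAN1 IP, the CN=FQDN certificate passes only when users type that FQDN, and the certificate carrying both FQDNs and both IPs in its SAN passes for all four addresses. In practice that means either give each gateway its own certificate and SSL/TLS profile matching exactly what its users type, or issue one certificate whose SAN lists every gateway name and IP.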
06-08-2020 01:21 AM
Hi @SutareMayur ,
"The best way is to generate a new cert and use it for VPN2."
You mean generate a new cert and set it up the same as the existing cert? I mean set it up from A to Z,
like this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK
06-08-2020 09:47 PM
Yes, you can generate a new certificate on the Palo Alto. Then create a new SSL/TLS profile and map that certificate in it. You can use this SSL/TLS profile for VPN2.
Mayur