Rename CN name certificate GlobalProtect.

L2 Linker

Hi Team,

 

I have a question. Currently, on a PA-500 firewall, we run 2 VPN gateways, which means we have 2 WANs (ISPs). So a few users will use the VPN via WAN1, and a few users will use the VPN via WAN2. The existing VPN uses WAN1, so the certificate CN (IP address) points to the WAN1 gateway. After we added WAN2 and a new gateway on WAN2, we noticed a certificate mismatch when users try to connect to the GP VPN gateway IP on WAN2.

So if I rename the CN of the certificate from an IP address to an FQDN, is there any charge from Palo Alto? Or is it free to rename, with no need to pay?

 

Thanks.


Accepted Solutions
L6 Presenter

@abdulhakam ,

 

It seems you are using a Palo Alto self-signed certificate for your GP VPN. For VPN 2, you can generate a new certificate and use it in a new SSL profile. This profile can be used for VPN2.

If you are trying to change the CN of the existing self-signed certificate, maybe the system won't allow you to change it. The best way is to generate a new cert and use it for VPN2.

 

There shouldn't be any cost or charges involved in this.

 

Hope it helps!

Mayur


All Replies
L2 Linker

Hi @SutareMayur 

Thanks for the answer,

Yes, I can't rename the existing CN. I will generate a new certificate, and the CN will be an FQDN, not an IP address.

Will it work if I have two gateways (VPN1 and VPN2) using an FQDN as the CN?

 

Thanks

L6 Presenter

@abdulhakam ,

 

Yes, it will work using a certificate generated for the FQDN as well. If you are using the FQDN to connect to GP, then that certificate will be accepted and trust will be built. If you are using the IP address to connect to GP and the certificate used was generated with the FQDN as the CN, then there will be a mismatch. So you need to check in this regard also.

 

Mayur
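The match and mismatch cases discussed in this thread, as an added example that is not part of the original posts and is not Palo Alto's code. It uses a simplified RFC 6125-style name check rather than the GlobalProtect client's actual logic, and it also handles Subject Alternative Name entries, which the thread does not mention. The IP addresses, the FQDN `vpn.example.com` and all function names are constructed for illustration.

```python
import ipaddress

def _ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def name_matches(cert, address):
    """True if the address the user enters in the VPN client is covered by cert.

    cert uses the dict layout of ssl.SSLSocket.getpeercert(). Assumption:
    SAN entries win, and the CN is consulted only when the cert has no SAN.
    """
    want_ip = _ip(address)
    sans = cert.get("subjectAltName", ())
    if sans:
        if want_ip is not None:
            return any(k == "IP Address" and _ip(v) == want_ip for k, v in sans)
        return any(k == "DNS" and _dns_match(v, address) for k, v in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if want_ip is not None:
        return any(_ip(cn) == want_ip for cn in cns)
    return any(_ip(cn) is None and _dns_match(cn, address) for cn in cns)

# Constructed sample data: documentation-range IPs and a hypothetical FQDN.
WAN1_IP, WAN2_IP, FQDN = "203.0.113.10", "198.51.100.20", "vpn.example.com"
OLD_CERT = {"subject": ((("commonName", WAN1_IP),),)}   # CN = WAN1 address
NEW_CERT = {"subject": ((("commonName", FQDN),),)}      # CN = FQDN

def report():
    """Match result for every (certificate, client address) combination."""
    certs = (("CN=WAN1 IP", OLD_CERT), ("CN=FQDN", NEW_CERT))
    return {(label, addr): name_matches(cert, addr)
            for label, cert in certs for addr in (WAN1_IP, WAN2_IP, FQDN)}

if __name__ == "__main__":
    for (label, addr), ok in report().items():
        print(f"{label:10} client -> {addr:15} {'match' if ok else 'MISMATCH'}")
```
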
L2 Linker

Hi @SutareMayur  ,

 

"Best way is to generate new cert and use it for VPN2."

 

You mean generate a new cert and set it up the same as the existing cert? I mean set it up from A to Z,

like this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK


L6 Presenter

@abdulhakam,

 

Yes, you can generate a new certificate on Palo Alto. Then create a new SSL/TLS profile and map that certificate in it. You can use this SSL/TLS profile for VPN2.

 

Mayur