- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-06-2014 02:59 AM
Hi,
I have been setting up the GlobalProtect VPN infrastructure for our new PA 3020. Until recently, the GlobalProtect Portal was just fine, but now, with the latest Firefox update 27.0.1, I can't access the client download page with Firefox anymore. I get the error message below. I have verified with serveral different systems that with older (e.g. 26.0) versions of Firefox it works just fine. Anyone else noticed this? Can this be fixed in any way in PA configuration, or do I just need to wait for a fix for Firefox?
-Petteri
03-08-2014 07:28 AM
can you verify what the Max TLS version is in browser config and try lowering the version. If it is 3 , try changing it to 2 and see if that fix the issue To verify and change version: In firefox url address bar type about:config and then search for security.tls.version.max,modify the value . Close all browser windows and reopen. See if that fix the issue
03-06-2014 12:46 PM
See if clearing the site cookies works for this issue.
SSL Decryption Stops Working on Firefox Browser After Changing SSL Decryption Certificate
03-07-2014 02:00 AM
Clering cookies did not help with the issue.
03-08-2014 12:51 AM
if you can;
Could you please generate a new certificate for GP and see if it is fixed
03-08-2014 07:28 AM
can you verify what the Max TLS version is in browser config and try lowering the version. If it is 3 , try changing it to 2 and see if that fix the issue To verify and change version: In firefox url address bar type about:config and then search for security.tls.version.max,modify the value . Close all browser windows and reopen. See if that fix the issue
03-08-2014 08:14 AM
I'm using polish version of FF 27.0.1 and I logged into GP portal without any issues.
I'm using StartSSL SSL certyfiacte for GP portal.
Regards
Slawek
03-09-2014 12:39 AM
Hi, this is solved now. Few important pieces of imformation were missing from my original post that I think somehow affect to this. First, I have both the portal and the gateway running in the same public IP address. Second, I also use client certificate profiles for both the portal and the gateway.
What I did now was that I disabled the client cert profiles for both the client and gateway, and committed the change. After that I was able to login to portal with the latest firefox. Then I enabled the client certificate profile only for the portal, and tried to login. At this point, I got the "Valid client certificate is required", which is kind of weird as I do have the correct client certificate available in the Firefox's certificate store. But, then I enabled the same client certificate profile also for the gateway, and now I'm able to login.
So, the configuration is now identical to the original one - I merely disabled the client certificate profiles for the portal and gateway, and then enabled them back.
I guess one teaching is that if the portal and gateway are running on the same IP address, the same client certificate profiles have to used for both. In the guide it's mentioned that if the IP address is shared between the portal and gateway, the same server SSL sertificate has to be used for both. But I didn't find any notes about a need to use also the same client certificate profiles.
-Petteri
03-09-2014 12:51 AM
Well, it seems that I was too quick in my conclusions. After restarting Firefox, the same problem resurfaced. But anyway, now I know it's definitely about client certificates, becuase disabling makes it possible to use the portal page with the latest Firefox as well. I'll continue by checking the proposals above.
03-09-2014 01:01 AM
Lowering the TLS version in Firefox seems to have done the trick. Now Firefox prompts for client certificate, as expected:
Is there anything I can do find out if this is a:
a) bug in Firefox
b) bug in PanOS 6.0.0
c) something being wrong with my setup or certificates
-Petteri
03-27-2014 05:46 AM
This seems to be fixed in Firefox 28.0.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!