07-19-2018 04:15 AM
Hey!
My firewall is a PA-3020 with 8.0.7. There is a GlobalProtect gateway and portal, and users can connect via GlobalProtect.
As the portal address in the GlobalProtect app, we are using an address that is available in public DNS.
Additionally, there is a publicly signed certificate. When I open https://portal-address in a browser, I can see that the certificate expires tomorrow.
Can someone tell me what to do now?
Do I have to make a CSR? And where do I have to replace the certificate?
Thank you!
07-19-2018 04:34 AM
Under Network -> GlobalProtect -> Portals -> (Your portal) -> Authentication, take note of the SSL/TLS Service Profile.
You should probably do the same for your Gateway, in case it is different.
Under Device -> Certificate Management -> SSL/TLS Service Profile -> (Profile from above), take note of the certificate.
This is the certificate used by your Portal or Gateway.
Under Device -> Certificate Management -> Certificates, locate this certificate and click "Renew" at the bottom of the screen to generate a new CSR, export the CSR, submit it to your CA, and import the new certificate (and signing chain, if it changes).
Update the SSL/TLS Service Profile(s) with the new certificate(s).
You can see the expiration dates of any certificates you have on the Certificates page, in case any more are expiring soon. It often takes a few days to renew a certificate, so it pays to be proactive here.
07-19-2018 05:07 AM
Thank you. How many days am I supposed to extend the certificate for?
07-19-2018 06:32 AM
Typical would be one or two years, sometimes three. That is really a policy question for the business - in theory having a certificate out there longer is a risk, but it is more convenient, and usually less expensive per year. The number of days in your CSR is typically ignored by the CA and replaced with whatever you pay them for.
07-19-2018 06:36 AM
Thank you!
I did the whole procedure and the VPN still works.
When I imported the signed certificate, I imported the server certificate itself, not the complete CA chain.
Under Device -> Certificates, the certificate appears as a single certificate, without the CA chain.
Is that a problem?
07-19-2018 07:24 AM - edited 07-19-2018 07:24 AM
It can be. Your CA should have a package you can download with the root and intermediate certificates, which you can import to complete the chain.
07-19-2018 07:30 AM
Yes, there is such a package.
Does the firewall automatically link this package with the new server certificate?
07-19-2018 09:13 AM
Unzip the package and import the certificates just as you did the server certificate (your GP certificate); it will show a "tree" with the root and intermediate automatically, based on the information in the server cert.
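Added example, not from the thread or from Palo Alto Networks, for the two checks the replies above describe: how soon the portal/gateway certificate expires, and whether the CA's root/intermediate package actually completes the chain of the imported server certificate. It assumes `openssl` is installed; the CA and portal certificates it works on are constructed in a temp directory so it runs offline, and `portal.example.invalid` and the file names are placeholders for your exported certificate and CA bundle.

```shell
#!/bin/sh
# Added example (not the thread's own): check expiry of a GlobalProtect
# portal/gateway certificate and whether the CA bundle completes its chain.
# A throwaway CA and server cert are CONSTRUCTED in a temp dir so this runs
# offline; point PORTAL_CERT / CA_BUNDLE at your exported files instead.
set -e
WORK=$(mktemp -d)

# --- constructed test material (stand-in for your CA's package + cert) ---
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Constructed Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Unrelated CA" -keyout "$WORK/other.key" -out "$WORK/other_ca.pem" 2>/dev/null
# CSR for the (placeholder) portal name, then a 1-day leaf signed by the test CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=portal.example.invalid" \
  -keyout "$WORK/portal.key" -out "$WORK/portal.csr" 2>/dev/null
openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -out "$WORK/portal.pem" 2>/dev/null
PORTAL_CERT="$WORK/portal.pem"
CA_BUNDLE="$WORK/ca.pem"

# expires_within DAYS CERT: succeeds (exit 0) when CERT's notAfter falls
# within the next DAYS days; "openssl x509 -checkend" exits 1 in that case.
expires_within() {
  if openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# not_after CERT: prints the notAfter date for the renewal ticket
not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# chain_ok CERT BUNDLE: succeeds when CERT validates against the root and
# intermediate certificates in BUNDLE (the package your CA lets you download)
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

if expires_within 30 "$PORTAL_CERT"; then
  echo "RENEW: $PORTAL_CERT expires $(not_after "$PORTAL_CERT")"
fi
if chain_ok "$PORTAL_CERT" "$CA_BUNDLE"; then
  echo "chain complete"
else
  echo "chain incomplete: import the CA package alongside the server cert"
fi
```

Run it against the server certificate exported from Device -> Certificates and the unzipped CA package to confirm the chain before updating the SSL/TLS Service Profile.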