06-29-2021 05:04 AM
Hello,
I have a situation where I am looking for advice and help.
An existing PA5050 is a portal/gateway and we have several global PAs as gateways also
The gateway authentication on the Portal/Gateway uses external authentication and NO certificate profile
The subordinate gateways globally use external authentication and certificate profiles. The certificate used is an intermediate certificate
The client endpoints have a client certificate installed as machine certificates
The above all works as expected
I have installed a new test portal on the exiting portal PA5050 using the same configuration and certificates as the production above
I have installed a new PA5050 gateway that will act as only a gateway and is configured with a new GP gateway setup, using the same root, intermediate and server certificate as the portal
When clients authenticate with the portal (test profile) they receive the new gateway and during connection with the gateway fail the certificate authentication.
The new test gateway certificate profile calls for the intermediate certificate, the same used in the production setup, to avoid having to install new machine certs on the endpoints.
So essentially a new test portal on a legacy GP device using existing certificates and a new gateway on a new appliance using the legacy certificates
When authentication we receive the "GlobalProtect gateway user authentication failed. Login from: xx.xx.xx.xx, Source region: MY, User name: , Client OS version: Microsoft Windows 10 Enterprise , 64-bit, Reason: client cert invalid, Auth type: profile
Looking for advice on where to check and what. Could it be an issue with how internal CA certs have been imported into the new gateway appliance? Could it be something I have missed in the authentication setup?
I have gone through the config comparison between this test environment and the prod environment and can find no config discrepancy so looking for deep dive on perhaps it being an issue with the certs.
The version is PANOS 8.1.4
Thanks in advance.
07-21-2021 08:22 AM
Hello All,
Firstly thanks to Mick for his previous suggestion. I did test the gateway as a portal and the certificate chain is working fine.
We finally managed to get a PA engineer onto the box and they have just advised there is a known bug (PAN-160744) in the 8.1.18 code that prevents successful certificate checking where the mp clock and dp clock have a -1ms diff.
This is fixed in 8.1.20 and we now have to wait until 5 Aug 2021 to get a hold of that release.
Regards
06-29-2021 06:59 AM
not sure of the exact reason here but to go back a step... on your new gateway try adding a new portal using the same cert profile as the gateway and just https browse to it... see if same error...
07-21-2021 08:22 AM
Hello All,
Firstly thanks to Mick for his previous suggestion. I did test the gateway as a portal and the certificate chain is working fine.
We finally managed to get a PA engineer onto the box and they have just advised there is a known bug (PAN-160744) in the 8.1.18 code that prevents successful certificate checking where the mp clock and dp clock have a -1ms diff.
This is fixed in 8.1.20 and we now have to wait until 5 Aug 2021 to get a hold of that release.
Regards
10-15-2021 07:59 AM
Hello,
An update. Following on from the upgrade to 8.1.20 we still had issues with the use of Certificate Profile and two-factor authentication.
Long story short we discovered our Service Routes in the template pushed from the Panorama for CRL Status and DNS could we bypassed by a local override config. Therefore the CRL revocation checks could not reach the CRL servers to check validity of the client certs due to inability to perform DNS lookup of the CRL servers by the PAs.
As soon as we fixed that the PAs could resolve the DNS names of the CRL servers n the client certs and store them in the webcache logs.
All good now.
Regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
