GP Certificate CN Mismatch issue when adding on more new Global Protect Gateway/Portal


L1 Bithead

I have two PA-820s operating in Active/Passive HA mode. The WAN setup is a dual ISP connection to a single ISP, configured using BGP. I was adding a new Global Protect Gateway and Portal that is segregated from the existing one to connect a separate group of users. A separate domain name and public IP, with a standalone SSL certificate created for each on Let's Encrypt. The Palo Alto model is PA-820 in HA Active-Passive mode. It is connected through two leased lines to a single ISP. So previously the working GP was  with public IP of, and the new domain name is  with a public IP configured as Totally segregated. Although everything is set up by the book, we are having a certificate error whenever someone tries to connect to the new GP . The certificate error is happening with the certificate of the old GP  being applied on to . This is delaying the clients who are waiting to connect through the new Portal/GW. 
The things I have checked before coming to this forum:
1. I have used an FQDN when configuring the Agent>External Gateway, and the correct GP certificate is applied on their respective GP Portal/Gateway.
2. The interface IP is static, so I have not used a loopback IP. Correct me if I am wrong here and I need to use a dummy loopback IP instead of the interface IP while the interface IPs are statically set.
3. The configuration for the GP Portal/GW is correct and there is no configuration mix-up/overlap between the two GW/Portal setups.
4. A separate public IP is used for each, and a different FQDN as well.
5. A separate cert is created using Let's Encrypt and uploaded under CertMgmt>Certificate.
6. A separate tunnel is created, and each tunnel is used for each GW/Portal (the new and the old one).

Brief recap of the issue:
Here is a quick recap of our session:
- The issue is with a newly configured Global Protect
- The issue which you are facing is that the newly configured GP configuration is taking an old certificate.
- The portal URL for Old is , and the New one is 
- The error that I am getting on the client's PC is a certificate CN name mismatch. The certificate is not issued to 
- The certificate profile and GP configuration have been verified with a PA Support Engineer too.


Your kind support is appreciated, please.
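
A client-side check for the symptom described in the post, added here as an example and not part of the original post: it connects to one listener IP with a chosen FQDN as SNI and reports which names the presented certificate carries and whether they cover that FQDN. The hostnames, the `192.0.2.10` address and the certificate dictionaries are constructed placeholders, and the function names (`cert_names`, `name_matches`, `diagnose`, `fetch_cert`) are hypothetical.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a client checks: SAN entries if present, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Compare one certificate name to a host; '*' covers only the left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def diagnose(fqdn, cert):
    """Report the names on the presented certificate and whether any covers fqdn."""
    names = cert_names(cert)
    return {"fqdn": fqdn, "presented": names,
            "match": any(name_matches(n, fqdn) for n in names)}

def fetch_cert(ip, fqdn, port=443, timeout=5):
    """Connect to one listener IP, send fqdn as SNI, return the leaf certificate dict.
    The chain is still validated against the system trust store; only the hostname
    check is disabled so that a mismatch is reported instead of raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.getpeercert()

# Constructed certificate dicts in ssl.getpeercert() format (placeholder hostnames).
OLD_CERT = {"subject": ((("commonName", "gp-old.example.test"),),),
            "subjectAltName": (("DNS", "gp-old.example.test"),)}
NEW_CERT = {"subject": ((("commonName", "gp-new.example.test"),),),
            "subjectAltName": (("DNS", "gp-new.example.test"),)}

if __name__ == "__main__":
    # Offline run: the new FQDN answered with the old certificate (the reported symptom).
    print(diagnose("gp-new.example.test", OLD_CERT))
    print(diagnose("gp-new.example.test", NEW_CERT))
    # Live run (placeholder address): diagnose(fqdn, fetch_cert("192.0.2.10", fqdn))
```

Running the live form against each public IP with each FQDN shows which listener answers with which certificate, independent of the GlobalProtect client.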
