Issues using Elliptic Curve DSA certificates with GlobalProtect agent

cancel
Showing results for 
Search instead for 
Did you mean: 

Issues using Elliptic Curve DSA certificates with GlobalProtect agent

L4 Transporter

Anyone else come across this?  Anyone using ECDSA certs for their GlobalProtect Portal or Gateways?  Have you tried non-Windows/MacOS clients?

 

Configuring GlobalProtect Gateways to use ECDSA certs instead of RSA certs breaks everything except Windows, MacOS, and mobile agents.

 

As the SSL cert industry seems to be heading toward deprecating RSA certs in the 5-ish years, I thought I'd get a jump on things and test it out on our GP setup.  Added ECDSA certs to one Gateway, tested it with Windows and Android clients, and everything was good.  Ran it for a few weeks, and pushed it out to a second Gateway.  Tested that one with Windows, MacOS, and iOS client, and everything was good.  Pushed it out to all our Gateways except one, and no issues reported.  That was in July 2021.

 

One of the clients is a Grandstream VoIP phone running an old version of Android that we use for work-from-home staff.  As it's Android-based, we can use the built-in VPN client to connect to GlobalProtect via X-Auth.  Worked great until school started again in September.  The staff member could not keep the phone online for an hour, let alone a full workday.  Calls were choppy, calls were dropped, phone locked up, all kinds of issues.  Switched the GlobalProtect Gateway back to using RSA certs ... and all the issues went away.  (Didn't fix this one until this week, so there's no support ticket in for this one.)

 

Added a new user to one of the Gateways using ECDSA certs.  That user has an Ubuntu laptop.  Tried GP 5.2.x and 5.3.x (multiple versions of each).  Would not connect to the Gateway (Portal auth worked), would just hang the agent or give error messages about authenticating the server.  And you could not sign out of the agent, that option was missing from the client UI!  Had to force uninstall/install in order to change usernames in the agent, in order to test a connection to a different gateway.  Switched the GlobalProtect Gateway back to using RSA certs ... and all the issues went away.  (We have support tickets in for these two issues.)

 

We've now removed all traces of ECDSA certs from our GlobalProtect infrastructure.

3 REPLIES 3

Cyber Elite
Cyber Elite

What is the PanOS version of the gateways ? Please see:

 

 

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites.html

Oh, thought I had included the OS version, but guess that was a different topic.  🙂

 

PanOS 9.1.9 on all firewalls (portal and gateways).

 

The EC certificates work for Windows, MacOS, iOS, and Android GlobalProtect agents.

 

They fail for Linux GlobalProtect agents.  Tried with GP 5.1.x, 5.2.x, and 5.3.x (multiple versions of each, including the latest version of each).

Cyber Elite
Cyber Elite

You may need to provide the PanGPS logs that may show something usefull as you are having interesting issue.

 

 

 

Also please clarify if you mean you changed to ECDSA certficates on the Gateways and not the for ssl certificate client based authentication?

 

 

Also this is interesting as I do not see linux so maybe it is not supported yet but the TAC support should say and add Linux in the below link as this should have been done.

 

 

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-cryptography/g...

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!