05-31-2021 10:08 AM
Hello Everyone,
I had global-protect working perfectly. Two days ago, however, something happened (not sure what caused the problem) and I'm unable to connect to GP anymore. I always get the error: "You are not authorized to connect to GlobalProtect Portal". The weird thing is that in the system logs there are no error messages relating to GP. I actually get an "auth-success" event for every attempted login where I'm presented with "You are not authorized to connect to GlobalProtect Portal"!
I'm using a local user, followed the same instructions I used to get it working the first time, (here: https://blog.fuelusergroup.org/how-to-set-up-globalprotect-on-a-palo-alto-firewall-2) and to the best of my recollection I haven't changed anything relating to GP functionality, but nothing gets me beyond that error message! I'm pulling my hair out because it was not hard to get this working the first time, and why I should be getting this error now is incredibly confusing!
Any help you can provide would be much appreciated! Thanks!!
06-02-2021 04:44 AM
And if you don't mind, one more question. (see screenshot below)
Is it best practice to check all of these boxes on the cert profile for the GP and GP Client certs? Or are there any that could break the system if left checked?
Thanks!
06-02-2021 05:29 AM
Hi @pomologist
Do you use a local CA on the firewall which signed your client certificate? Actually it doesn't even matter if an internal corporate or firewall CA is used. Depending on the configuration, all of these four checkboxes on the right side of the screenshot could break/prevent a successful connection. In your case (one GP user and also one firewall admin) I wouldn't check these four. But if you'd like to activate these too, go for it 😉 but as I mentioned, maybe you need to adjust some settings with the existing CA certificate used.
06-02-2021 05:31 AM
OK Thanks! Yes I use a local firewall CA. I'll just experiment then. Again, thank you very much!
06-02-2021 05:32 AM
In this case you don't need to install these certificates on the client - especially with only one user. This option is intended to be used in cases where you use a public cert for the portal and a self-signed cert for the gateway. In this situation the self-signed CA is required so that the clients trust the gateway cert. Another use case is if you configured TLS decryption, where a CA cert is also required on the client in order to avoid certificate warnings in the browsers.