10-13-2022 08:59 AM
We have been using self-signed certificates for years with no issues. However, one business partner can't access the Web portal on our firewall to download the global protect software due to the self-signed cert. I have tried to configured the firewall to use a cert issued by a signing authority. I installed the cert in our Global Protect Gateway authentication config. When the client points his web browser to the outside of our firewall, the web page comes up correctly with no certificate error. However, it breaks the Global Protect Client Software authentication to the firewall.
How do I get a public certificate installed so that it works with the firewall web page used to download the software, but not affect the GP client authentication to the firewall?
If that doesn't make sense let me know and I will try to clarify.
10-13-2022 10:25 AM
Yeah, that doesn't make complete sense, but it is probably because there are a whole bunch of different ways, and different nuances in server certificate validation vs. client certificate validation.
For one, you say you added your external SA-signed certificate to the Gateway authentication config. Did you also add it to your Portal authentication config? Be aware, if you run your Portal and Gateway on the same IP your SSL/TLS and authentication profiles overwrite each other... so they must be the same (this becomes a particular problem if you, for instance, run client certificate authentication on the Portal and user/pass authentication on the Gateway).
To start, you should have setup a new SSL/TLS profile pointing to the new certificate signed by the external authority. Then set the Server Authentication, under GlobalProtect->Portals->[config]->Authentication->SSL/TLS Service Profile, to be the new SSL/TLS profile. If you are running the Gateway on the same IP then you also need to set the same SSL/TLS profile under GlobalProtect->Gateway->[config]->Authentication->SSL/TLS Service Profile. (If the Gateway has a different IP then you can maintain your internal certificate profile.) Now the web interface of the Portal should be giving you the publicly signed certificate when connecting.
Next, how are you authenticating clients, do you have server certificate validation enabled on the client, and what is breaking for the client? The connection to the Portal or the connection to the Gateway? If the Gateway, are you using FQDNs for the Gateway names supplied to the clients and are those Gateway names included in the Subject Alternative Name of the publicly signed certificate?
If you are authenticating clients connecting to the Portal/Gateway that is done via the Certificate Profile at the bottom of the Portal/Gateway Authentication tab, not the SSL/TLS Profile at the top.
10-13-2022 01:47 PM
@Adrian_Jensen wrote:
To start, you should have setup a new SSL/TLS profile pointing to the new certificate signed by the external authority. Then set the Server Authentication, under GlobalProtect->Portals->[config]->Authentication->SSL/TLS Service Profile, to be the new SSL/TLS profile. If you are running the Gateway on the same IP then you also need to set the same SSL/TLS profile under GlobalProtect->Gateway->[config]->Authentication->SSL/TLS Service Profile. (If the Gateway has a different IP then you can maintain your internal certificate profile.) Now the web interface of the Portal should be giving you the publicly signed certificate when connecting.
Next, how are you authenticating clients, do you have server certificate validation enabled on the client, and what is breaking for the client? The connection to the Portal or the connection to the Gateway? If the Gateway, are you using FQDNs for the Gateway names supplied to the clients and are those Gateway names included in the Subject Alternative Name of the publicly signed certificate?
Yeah, sorry it's kind of unclear. I can find my way around the firewall but I'm no expert on it. I uploaded the cert to the firewall via Certificate Mangement - Certificates. It shows up as valid. I create the ssl/tls profile using the newly uploaded cert and assigned it to both the Portal and Gateway authentication tabs.
Now the web page comes up with no certificate errors. I can log in and download the clients no problem. HOWEVER, when I try to connect via the global protect client I get the following "The server certificate is invalid. Please contact your system administrator"
When I put the self-signed certificates back, Global Protect is again able to connect.
Not sure what I'm missing. Probably a lot.
10-13-2022 04:35 PM
Is the "server certificate is invalid" error message when you are connecting to the Portal or the Gateway? (The client connects to the Portal first, downloads the client config and a list of Gateways to connect to, then disconnects and connects to a Gateway to actually pass VPN traffic). From the GlobalProtect and System logs you should be able to see which stage it is reaching:
portal-prelogin ->
portal-auth ->
portal-getconfig ->
gateway-prelogin ->
gateway-auth ->
gateway-register ->
gateway-getconfig ->
gateway-setup-IPSec ->
gateway-connected
You can also go the the GP client and view the connection log. Write down the exact system time you start, try to connect to the VPN, then go to the GP client App menu->Settings->Troubleshooting->Collect Logs. Preferably run this just after the failure message. This dumps out a huge zip file of different logs. In the PanGPA.log you will see a detailed file of all the connection steps (it is very large and can be quite confusing if you dont know what you r looking for). You should be able to pick out the connection, the server certificate received, and why the GP client rejected it (unknown CA, failed check, etc.).
You will obviously need the public root/intermediate CAs, used to sing the public certificate on the Portal/Gateways, on the endpoint machines... But since you said this was a public authority sign cert I would assume those are already installed by the OS. There is an option in the GP client config to disable server certificate checking if you want to try that as a temporary workaround:
GlobalProtect->Portals->[config]->Agent->[config]->App->Allow User to Continue with Invalid Portal Server Certificate: Yes/No
I could have sworn there is also an optional configuration under App that allowed you to tell the client to only accept certain server certificates for authentication, but I can't find it at the moment.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
