Enhanced split tunnel configuration tips


L0 Member

Guys,

I was finally able to confirm that the split tunnel config file on a web server works, so I would like to share some tips with you.


https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/host...

This is an explanation for the link above.


Mutual TLS is under the same CA.

Initially, I used Let's Encrypt for the server certificate, but it doesn't provide a client certificate, so I used a client certificate that I created on local Linux. This resulted in an error in PanGPS.log (AdvancetST: downloaded content is not authenticated).


The engineers at Palo Alto helped me by giving me some useful links to understand mTLS.

https://medium.com/@nisanth.m.s/guide-setting-up-mtls-authentication-with-openssl-for-client-server-...

Just to add a little bit, this link does not include the SAN, and when you check the operation with the client's browser, you will get a server certificate error.
When creating a CSR and issuing a certificate, it was necessary to add a few commands to include the SAN. Like this.

openssl req -new -key server.key.pem -out server.csr -addext "subjectAltName = DNS:example.com"

openssl ca -config /root/mtls/openssl.cnf -extfile san.txt -days 1650 -notext -batch -in server.csr -out server.cert.pem

san.txt contains subjectAltName = DNS:example.com


Any private key can be used to sign the file. It has nothing to do with mTLS. Register the corresponding public key in Prisma Access.


Even after looking at the setup guide, I'm still confused as to which private key to use.
However, the Palo Alto engineer told me that "anything is fine," and the problem became clear.


I'm looking forward to this, as it allows for more flexible route control than internal host detection.
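The post's openssl commands assume an existing CA directory and openssl.cnf. The script below is an added example (not from the post, Palo Alto, or the linked guide) that builds the same layout from scratch in a scratch directory: a private CA, a server certificate that carries the SAN both in the CSR (-addext) and in the issued certificate (-extfile), and a client certificate under the same CA. It signs with "openssl x509 -req" instead of "openssl ca" so it needs no CA config, and it finishes with the checks a practitioner would want before testing the GlobalProtect agent: both certificates chain to the CA, and the server certificate actually lists the SAN (a CSR extension is silently dropped if you forget -extfile at issuance). The hostname example.com and the file names are assumptions.

```shell
#!/bin/sh
# Added example: build a throwaway CA plus server (with SAN) and client certs
# under the same CA, then verify them. Paths and hostname are assumptions.
set -eu

build_mtls_lab() {
  dir="${1:-./mtls-lab}"
  host="${2:-example.com}"   # assumed hostname of the config web server
  mkdir -p "$dir"

  # Private CA, self-signed. Both the server and the client cert chain to it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" \
    -subj "/CN=Split Tunnel Lab CA" >/dev/null 2>&1

  # Server key + CSR. -addext puts the SAN into the request itself.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key.pem" -out "$dir/server.csr" \
    -subj "/CN=$host" -addext "subjectAltName = DNS:$host" >/dev/null 2>&1

  # Issuance does not copy CSR extensions by default, so the SAN is supplied
  # again via -extfile (this is the san.txt from the post).
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" \
    > "$dir/san.txt"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.cert.pem" \
    -CAkey "$dir/ca.key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/san.txt" -out "$dir/server.cert.pem" >/dev/null 2>&1

  # Client cert under the same CA: what the GlobalProtect side presents.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key.pem" -out "$dir/client.csr" \
    -subj "/CN=gp-client" >/dev/null 2>&1
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/client-ext.txt"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.cert.pem" \
    -CAkey "$dir/ca.key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/client-ext.txt" -out "$dir/client.cert.pem" >/dev/null 2>&1
}

# Succeeds only if both certs chain to the CA and the server cert lists the SAN.
check_mtls_lab() {
  dir="${1:-./mtls-lab}"
  host="${2:-example.com}"
  openssl verify -CAfile "$dir/ca.cert.pem" "$dir/server.cert.pem" >/dev/null || return 1
  openssl verify -CAfile "$dir/ca.cert.pem" "$dir/client.cert.pem" >/dev/null || return 1
  openssl x509 -in "$dir/server.cert.pem" -noout -text | grep -q "DNS:$host"
}

# Usage: build_mtls_lab ./mtls-lab example.com && check_mtls_lab ./mtls-lab example.com
```

Point the config web server at server.cert.pem / server.key.pem, trust ca.cert.pem on both sides, and install client.cert.pem / client.key.pem where the agent picks up its client certificate. If check_mtls_lab fails on the grep step, the SAN made it into the CSR but not the certificate, which is exactly the browser error the post describes.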

2 REPLIES

L6 Presenter

If the CA name matches and it still needs SAN it is strange.

L0 Member

Hi Nikoolayy1,

Thank you for your reply.
Starting with Chrome 58, a certificate error will occur if you do not use a SAN instead of the Common Name.
I didn't like this error because I first tested it in a browser, but the GP agent may not care.

Please let me know if you can get the split tunnel config using only Common Name.
