To start, you should have set up a new SSL/TLS profile pointing to the new certificate signed by the external authority. Then set the Server Authentication, under GlobalProtect->Portals->[config]->Authentication->SSL/TLS Service Profile, to be the new SSL/TLS profile. If you are running the Gateway on the same IP then you also need to set the same SSL/TLS profile under GlobalProtect->Gateway->[config]->Authentication->SSL/TLS Service Profile. (If the Gateway has a different IP then you can maintain your internal certificate profile.) Now the web interface of the Portal should be giving you the publicly signed certificate when connecting.
Next, how are you authenticating clients, do you have server certificate validation enabled on the client, and what is breaking for the client? The connection to the Portal or the connection to the Gateway? If the Gateway, are you using FQDNs for the Gateway names supplied to the clients and are those Gateway names included in the Subject Alternative Name of the publicly signed certificate?
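The SAN question in the reply above is the one that most often explains a portal that works in a browser while the client rejects the gateway. The following is an added example (not code from the thread or from Palo Alto Networks) that takes a certificate in the dict form returned by Python's `ssl` module and reports which portal/gateway names handed to clients are not covered by its Subject Alternative Name; the hostnames and sample certificate are constructed for illustration.

```python
import ssl
import socket
from ipaddress import ip_address

# Added helper, not part of the thread: check the names GlobalProtect clients are
# given (portal FQDN, gateway FQDNs or IPs) against a certificate's SAN entries.
# Any name the client cannot match is a candidate cause of the
# "server certificate is invalid" error described in the thread.

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may replace only the entire leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host

def uncovered_names(cert: dict, names: list[str]) -> list[str]:
    """Return the configured names that no DNS or IP Address SAN covers."""
    sans = cert.get("subjectAltName", ())
    dns_sans = [v for k, v in sans if k == "DNS"]
    ip_sans = [v for k, v in sans if k == "IP Address"]
    missing = []
    for name in names:
        try:
            # A gateway configured by IP address needs an IP Address SAN;
            # DNS SANs (including wildcards) never cover a literal IP.
            covered = str(ip_address(name)) in ip_sans
        except ValueError:
            covered = any(_dns_match(p, name) for p in dns_sans)
        if not covered:
            missing.append(name)
    return missing

def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live certificate with chain validation, as a validating client would."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: the portal name is in the SAN, one gateway FQDN is not,
# and a gateway addressed by IP has no matching IP Address SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}
SAMPLE_NAMES = ["vpn.example.com", "gw1.vpn.example.com",
                "gw-east.example.com", "203.0.113.10"]

if __name__ == "__main__":
    print(uncovered_names(SAMPLE_CERT, SAMPLE_NAMES))
```

Run `fetch_peer_cert("<portal-fqdn>")` against the real portal and gateway to feed `uncovered_names` the certificate the client actually sees, rather than the one you believe was uploaded.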
Yeah, sorry it's kind of unclear. I can find my way around the firewall but I'm no expert on it. I uploaded the cert to the firewall via Certificate Management - Certificates. It shows up as valid. I created the SSL/TLS profile using the newly uploaded cert and assigned it to both the Portal and Gateway authentication tabs.
Now the web page comes up with no certificate errors. I can log in and download the clients no problem. HOWEVER, when I try to connect via the GlobalProtect client I get the following: "The server certificate is invalid. Please contact your system administrator".
When I put the self-signed certificates back, GlobalProtect is again able to connect.
Not sure what I'm missing. Probably a lot.
We have been using self-signed certificates for years with no issues. However, one business partner can't access the web portal on our firewall to download the GlobalProtect software due to the self-signed cert. I have tried to configure the firewall to use a cert issued by a signing authority. I installed the cert in our GlobalProtect Gateway authentication config. When the client points his web browser to the outside of our firewall, the web page comes up correctly with no certificate error. However, it breaks the GlobalProtect client software authentication to the firewall.
How do I get a public certificate installed so that it works with the firewall web page used to download the software, but not affect the GP client authentication to the firewall?
If that doesn't make sense let me know and I will try to clarify.
I'm setting up a PAN firewall between our company and our business partners who have direct connections to our LAN. My idea was to use v-wire but some of our other network administrators say it would be too difficult to troubleshoot. What are the pros and cons of using v-wire versus just setting up a L3 interface?