This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About svanarts
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About svanarts
10-28-2022
3Posts
0Likes
0Solutions
Oct 28, 2022Last Visited
User
Activity
User
Profile
Latest posts by svanarts
| Subject | Views | Posted |
|---|---|---|
| 426 | 10-13-2022 01:47 PM | |
| 461 | 10-13-2022 08:59 AM | |
| 1816 | 02-10-2017 01:39 PM |
User Badges
Community Statistics
| Member Since | 02-10-2017 01:33 PM |
| Date Last Visited | 10-28-2022 12:47 PM |
| Posts | 3 |
10-13-2022
01:47 PM
@Adrian_Jensen wrote:
To start, you should have setup a new SSL/TLS profile pointing to the new certificate signed by the external authority. Then set the Server Authentication, under GlobalProtect->Portals->[config]->Authentication->SSL/TLS Service Profile, to be the new SSL/TLS profile. If you are running the Gateway on the same IP then you also need to set the same SSL/TLS profile under GlobalProtect->Gateway->[config]->Authentication->SSL/TLS Service Profile. (If the Gateway has a different IP then you can maintain your internal certificate profile.) Now the web interface of the Portal should be giving you the publicly signed certificate when connecting.
Next, how are you authenticating clients, do you have server certificate validation enabled on the client, and what is breaking for the client? The connection to the Portal or the connection to the Gateway? If the Gateway, are you using FQDNs for the Gateway names supplied to the clients and are those Gateway names included in the Subject Alternative Name of the publicly signed certificate?
Yeah, sorry it's kind of unclear. I can find my way around the firewall but I'm no expert on it. I uploaded the cert to the firewall via Certificate Mangement - Certificates. It shows up as valid. I create the ssl/tls profile using the newly uploaded cert and assigned it to both the Portal and Gateway authentication tabs.
Now the web page comes up with no certificate errors. I can log in and download the clients no problem. HOWEVER, when I try to connect via the global protect client I get the following "The server certificate is invalid. Please contact your system administrator"
When I put the self-signed certificates back, Global Protect is again able to connect.
Not sure what I'm missing. Probably a lot.
... View more
10-13-2022
08:59 AM
We have been using self-signed certificates for years with no issues. However, one business partner can't access the Web portal on our firewall to download the global protect software due to the self-signed cert. I have tried to configured the firewall to use a cert issued by a signing authority. I installed the cert in our Global Protect Gateway authentication config. When the client points his web browser to the outside of our firewall, the web page comes up correctly with no certificate error. However, it breaks the Global Protect Client Software authentication to the firewall.
How do I get a public certificate installed so that it works with the firewall web page used to download the software, but not affect the GP client authentication to the firewall?
If that doesn't make sense let me know and I will try to clarify.
... View more
02-10-2017
01:39 PM
I'm setting up a PAN firewall between our company and our business partners who have direct connections to our LAN. My idea was to use v-wire but some of our other network administrators say it would be too difficult to troubleshoot. What are the pros and cons of using v-wire versus just setting up a L3 interface?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-28-2022
12:47 PM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks