Global vpn for mac
7/13/2023

This document describes the basics of configuring certificates in a GlobalProtect setup. Please note that there can be other ways to deploy certificates for GlobalProtect which are not covered in this document.

A. SSL/TLS service profile - specifies the portal/gateway server cert; every portal/gateway needs one.
B. Certificate profile (if any) - used by the portal/gateway to request a client/machine certificate.
C. Installing the client/machine cert on the end client.

A. SSL/TLS service profile

In the context of GlobalProtect, this profile is used to specify the GlobalProtect portal/gateway's "server certificate" and the SSL/TLS "protocol version range". If the same interface serves as both portal and gateway, you can use the same SSL/TLS profile for both. If the portal and gateway are served through different interfaces, you can still use the same SSL/TLS profile as long as the certificate includes both the portal and gateway IPs/FQDNs in its Subject Alternative Name (SAN); if not, create separate profiles for portals and gateways as needed.

The prerequisite for creating an SSL/TLS profile is to either generate or import the portal/gateway "server certificate" and its chain.
- To import a certificate generated externally, navigate to Device>Certificate Management>Certificates and click 'Import' at the bottom.
- To generate a certificate on the firewall, navigate to Device>Certificate Management>Certificates and click 'Generate' at the bottom.

If the server cert is signed by a well-known third-party CA or by an internal PKI server:
1. Import the Root CA (private key is optional).
2. Import intermediate CAs, if any (private key is optional).
3. Import the server cert signed by the above CAs "with" its private key. A Subject Alternative Name (SAN) should exist with at least one entry, and the IP or FQDN being used for the portal/gateway 'must' be one of the entries in that SAN list. If the SAN does not contain that entry, certificate validation will fail on the gateway and the connection will fail. As a good practice, it is better to use an FQDN instead of an IP: if the portal/gateway can be reached at fqdn '' or IP 1.1.1.1 and the certificate references the fqdn '', then users 'must' use '' instead of '1.1.1.1'.
4. Create the SSL/TLS service profile (Location: Device>Certificate Management>SSL/TLS Service Profile):
   Certificate - reference the server cert from step 3.
   Protocol Settings - select the minimum and maximum SSL/TLS versions for the SSL transaction between client and server.
5. Reference this SSL/TLS profile in the portal/gateway as needed.

If the server cert needs to be generated on the Palo Alto Networks firewall:
1. Generate a root cert with a common name of any unique value (other than the IP or FQDN of the portal/gateway). (Location: Device>Certificate Management>Certificates, click Generate at the bottom of the screen)
2. (optional) Generate an intermediate cert signed by the above root cert. Specify its common name as any unique value (other than the IP or FQDN of the portal/gateway).
3. Generate a server cert signed by the above intermediate cert.
   - This cert's common name 'must' match the portal/gateway's IP or FQDN if a Subject Alternative Name (SAN) does not exist in the cert. In PAN firewalls, a SAN can be created under the optional 'certificate attributes' of type 'hostname', 'IP' or 'email'.
   - If a SAN exists with at least one entry, then the IP or FQDN being used for the portal/gateway 'must' be present in that SAN list.
   - As a good practice, it is better to use an FQDN instead of an IP. Keep this consistent across the configuration and also educate the end users to use this FQDN/IP in the GlobalProtect client's portal field: if the portal/gateway can be reached at fqdn '' or IP 1.1.1.1 and the certificate references the fqdn '', users 'must' use '' instead of '1.1.1.1'.
4. In the SSL/TLS service profile:
   Certificate - reference the server cert from step 3.
   Protocol Settings - select the minimum and maximum SSL/TLS versions for the SSL transaction between client and server.

B. Certificate profile (Location: Device>Certificate Management>Certificate Profile)

A certificate profile specifies a list of CAs and intermediate CAs. When this certificate profile is applied to the config, the portal/gateway sends a client certificate request to the client, asking for a client/machine cert signed by the CA/intermediate CA specified in the cert profile. It is recommended to place both the root and intermediate CAs in this profile, instead of just the root CA.

A client certificate refers to a user cert; it can be used for the 'user-logon' and 'on-demand' connect methods. A machine certificate refers to a device cert; it can be used for the 'pre-logon' connect method. This is used to authenticate a device, not a user.

1. Import the "Root CA" that signed the client/machine cert into Device > Certificate Management > Certificates (private key optional).
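The SAN/CN rule above is the usual cause of "certificate validation failed" on the gateway, so here is an added Python check (not from the original article or from Palo Alto Networks) that applies the same rule to values read off a certificate, and extends it to the shared-profile case by listing which portal/gateway addresses a cert does not cover. The CN, SAN entries and hostnames below are constructed placeholders; only 1.1.1.1 comes from the article.

```python
import ipaddress

def _normalize_host(name):
    """Hostnames compare case-insensitively and without a trailing dot."""
    return name.strip().rstrip(".").lower()

def _as_ip(value):
    """Return an ip_address object if value is an IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def check_portal_address(address, common_name, san_entries):
    """Apply the SAN/CN rule to what users type in the GlobalProtect portal field.

    san_entries: list of (kind, value) with kind 'hostname', 'IP' or 'email',
    the attribute types PAN-OS offers. If the SAN has at least one entry, the
    address must be one of them and the CN is not consulted; with no SAN the
    address must equal the CN. Returns (ok, reason).
    """
    ip = _as_ip(address)
    if san_entries:
        for kind, value in san_entries:
            if kind == "IP" and ip is not None and _as_ip(value) == ip:
                return True, "address is an IP entry in the SAN"
            if kind == "hostname" and ip is None \
                    and _normalize_host(value) == _normalize_host(address):
                return True, "address is a hostname entry in the SAN"
        return False, "SAN present but does not list this address (CN is ignored)"
    if ip is not None:
        ok = _as_ip(common_name) == ip
    else:
        ok = _normalize_host(common_name) == _normalize_host(address)
    return ok, "no SAN, matched on CN" if ok else "no SAN and CN does not match"

def uncovered_addresses(addresses, common_name, san_entries):
    """Portal/gateway addresses a shared SSL/TLS profile's cert does not cover;
    an empty list means one profile can serve all of them."""
    return [a for a in addresses
            if not check_portal_address(a, common_name, san_entries)[0]]

# Constructed sample: a server cert whose CN is the portal FQDN but whose SAN
# lists only the gateway name and an IP (hostnames are placeholders).
SAMPLE_CN = "portal.example.test"
SAMPLE_SAN = [("hostname", "gw.example.test"), ("IP", "1.1.1.1")]

if __name__ == "__main__":
    for addr in ("portal.example.test", "gw.example.test", "1.1.1.1"):
        print(addr, check_portal_address(addr, SAMPLE_CN, SAMPLE_SAN))
```

Running it shows the trap the article warns about: the portal FQDN in the CN is rejected because a SAN exists and does not list it.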