Friday 3 March 2023

Install wildcard cert on Palo Alto firewall

GlobalProtect portal and gateway should already be set up

Get the customer to create a DNS record, e.g. globalprotect.domain.com

Point the record at the GlobalProtect portal IP (Network -> GlobalProtect -> Portals)

Download the wildcard cert and the root/chain cert from the cert vendor (.crt format). The Windows .p7b format is no good. The chain bundle cert is usually publicly available; the wildcard cert will need to be downloaded via the vendor login, so you may need to get it from the customer.


Example vendor chain location: https://certs.godaddy.com/repository


Import vendor root/chain cert bundle

Device -> Certificate Management -> Certificates

Click Import

Give it a name, e.g. "vendor-ca-root-chain-bundle"

Select the bundle file "bundle-g2.crt"

Leave everything else at the defaults and click OK



Import wildcard cert

This can be imported in a few formats (.crt or .pfx); if it is a PFX you will need to include the password.

Certs should look like this (screenshot not included):


Create SSL/TLS profile

Device -> Certificate Management -> SSL/TLS Service Profile

Name "SSL-TLS-PROFILE"

Min version: TLSv1.2

Max version: Max



Attach SSL/TLS profile to global protect portal and GW

Network -> GlobalProtect -> Portals

Click the GP_Portal

Authentication tab

Under Server Authentication / SSL/TLS Service Profile

Select your "SSL-TLS-PROFILE" from the drop down

Configure the URL used for the portal/gateway in the portal
Network -> GlobalProtect -> Portals
Click the GP_Portal
Agent tab
Add the CA root and chain cert (optionally tick install in root cert store)

Now click on GP_Agent_Config -> External

You will need a DNS -> public IP record set up with the external DNS vendor
Fill in the DNS name for the gateway


Add the SSL-TLS profile to the gateway as well

Network -> GlobalProtect -> Gateways

Click the GP_Gateway

Authentication tab

Under Server Authentication / SSL/TLS Service Profile

Select your "SSL-TLS-PROFILE" from the drop down

Change IP to URL
Go to Portal -> GlobalProtect settings -> Agent -> Agent Config -> External
Change the external gateway IP to the URL


Testing
Do not forget to commit your changes
You may need to restart the GP client
Test browsing to https://globalprotect.domain.com
Test connecting the GP client to globalprotect.domain.com
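Two of the steps above are worth checking from the admin workstation rather than by waiting for the GP client to complain: the download step (does the wildcard cert actually chain to the vendor bundle you fetched, does its SAN cover the DNS name, and is it not about to expire?) and the testing step (what cert and TLS version does the portal really present after the commit?). This is an added example, not from the original post; it assumes openssl on the workstation, and the file names wildcard.crt / bundle-g2.crt and the host name globalprotect.domain.com are placeholders for the customer's real values.

```shell
#!/bin/sh
# Added example (not part of the original notes). Pre-import checks on the
# vendor files and a post-commit check of what the portal serves.
# Assumes openssl on PATH; file and host names below are placeholders.

# Does the wildcard cert chain up to the vendor root/chain bundle?
# Exit 0 if openssl can build a full chain, non-zero otherwise (a missing
# intermediate or the wrong vendor bundle shows up here, before import).
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the cert's subjectAltName cover the portal/gateway DNS name?
# Accepts an exact SAN entry or a one-label wildcard: *.domain.com covers
# globalprotect.domain.com but not deep.sub.domain.com.
san_covers() {
  host="$2"; parent="${host#*.}"
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p' \
    | grep -qxF -e "$host" -e "*.$parent"
}

# Is the cert still valid for at least N days (default 30)?
not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null
}

# After the commit: print the subject, expiry and SANs the portal actually
# presents, then the negotiated protocol (expect TLSv1.2 or TLSv1.3 with
# the SSL/TLS profile above).
live_check() {
  out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
  printf '%s\n' "$out" | openssl x509 -noout -subject -enddate -ext subjectAltName
  printf '%s\n' "$out" | sed -n 's/^ *Protocol *: //p'
}
```

Run `chain_ok wildcard.crt bundle-g2.crt`, `san_covers wildcard.crt globalprotect.domain.com` and `not_expiring wildcard.crt` before importing, and `live_check globalprotect.domain.com` after the commit.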



