GlobalProtect Certificate Best Practices

This certificate is identified in an SSL/TLS Service Profile. You assign the portal server certificate by selecting its associated service profile in a portal configuration.

Use a certificate from a well-known, third-party CA. This is the most secure option and ensures that the user endpoints can establish a trust relationship with the portal and without requiring you to deploy the root CA certificate.

If you don't use a well-known, public CA, you should export the root CA certificate used to generate the portal server certificate to all endpoints that run the GlobalProtect app. Exporting this certificate prevents the end users from seeing certificate warnings during the initial portal login.

The Common Name (CN) and Subject Alternative Name (SAN) fields of the certificate must match the IP address or FQDN of the interface that hosts the portal.

In general, a portal must have its own server certificate. However, if you're deploying a single gateway and portal on the same interface, you must use the same certificate for both the gateway and the portal.

If you configure a gateway and portal on the same interface, we recommend that you use the same certificate profile and SSL/TLS Service Profile for both the gateway and portal. If they don't use the same certificate profile and SSL/TLS Service Profile, the gateway configuration takes precedence over the portal configuration during the SSL handshake.

This certificate is identified in an SSL/TLS Service Profile. You assign the gateway server certificate by selecting its associated service profile in a gateway configuration.

Generate a CA certificate on the firewall or CA server and use that CA certificate to generate all gateway certificates.

The CN and the SAN fields of the certificate must match the FQDN or IP address of the interface where you plan to configure the gateway.

The portal can distribute the gateway root CA certificate to the GlobalProtect app based on the configuration (Trusted Root CA list in the Portal configuration Agent tab). However, it's not mandatory for the gateway root CA certificate to be preinstalled in the user's trusted certificate store or for the gateway certificate to be issued by a public CA.

In general, each gateway must have its own server certificate. However, if you're deploying a single gateway and portal on the same interface for basic VPN access, you must use a single server certificate for both components. As a best practice, use a certificate signed by a public CA.

If you configure a gateway and portal on the same interface, we recommend that you use the same certificate profile and SSL/TLS Service Profile for both the gateway and portal. If they don't use the same certificate profile and SSL/TLS Service Profile, the gateway configuration takes precedence over the portal configuration during the SSL handshake.

For simplified deployment of client certificates, configure the portal to deploy the client certificate to the apps upon successful login using either of the following methods:

Use one of the following digest algorithms when you generate client certificates for GlobalProtect endpoints: sha1, sha256, sha384, or sha512.

You can use other mechanisms to deploy unique client certificates to each endpoint when authenticating the end user.

Consider testing your configuration without the client certificate first, and then add the client certificate after you're sure that all other configuration settings are correct.