GlobalProtect
Deploy Server Certificates to the GlobalProtect Components
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
- 10.1 & Later
- 9.1
-
- 6.2
- 6.1
- 6.0
- 5.3
- 5.2
- 5.1
-
- 6.1
- 6.0
- 5.2
- 5.1
-
- 6.2
- 6.1
- 6.0
- 5.3
- 5.2
- 5.1
Deploy Server Certificates to the GlobalProtect Components
Best practices for deploying server certificates to the GlobalProtect components
include importing certificates from a well-known CA, creating a root CA certificate
for self-signed certificates, using SCEP for certificate requests, and assigning
certificates to SSL/TLS service profiles.
The GlobalProtect components must have valid certificates to
establish connection using SSL/TLS. The connection fails if you have
invalid or expired certificates.
The following are the best practice steps for deploying SSL/TLS
certificates to the GlobalProtect components:
Import a Server Certificate from a Well-known, Third-party CA
Use a server certificate from a well-known,
third-party CA for the GlobalProtect portal. This
practice ensures that the end users are able to
establish an HTTPS connection without seeing
warnings about untrusted certificates.
The CN and, if applicable, the SAN fields of the
certificate must match the FQDN or IP address of
the interface where you plan to configure the
portal or the device check-in interface on a
third-party mobile endpoint management system.
Wildcard matches are supported.
Before you import a certificate, make sure the certificate and
key files are accessible from your management system and
that you have the passphrase to decrypt the private key.
- SelectandDeviceCertificate ManagementCertificatesDevice CertificatesImporta new certificate.
- Use theLocalcertificate type (default).
- Enter aCertificate Name.
- Enter the path and name to theCertificate Filereceived from the CA, orBrowseto find the file.
- Set theFile FormattoEncrypted Private Key and Certificate (PKCS12).
- Enter the path and name to the PKCS#12 file in theKey Filefield orBrowseto find it.
- Enter and reenter thePassphrasethat was used to encrypt the private key.
- ClickOKto import the certificate and key.
Create Root CA Certificate for Issuing Self-signed Certificates for
GlobalProtect Components
Create the root CA certificate on the portal and
use it to issue server certificates for the
gateways and, optionally, for clients.
Before deploying self-signed certificates, you must create the
root CA certificate that signs the certificates for the
GlobalProtect components:
- SelectandDeviceCertificate ManagementCertificatesDevice CertificatesGeneratea new certificate.
- Use theLocalcertificate type (default).
- Enter aCertificate Name, such as GlobalProtect_CA. The certificate name can't contain spaces.
- Don't select a value in theSigned Byfield. Without a selection forSigned By, the certificate is self-signed.
- Enable theCertificate Authorityoption.
- ClickOKto generate the certificate.
Use Root CA on the Portal to Generate a Self-signed Server
Certificate
Generate server certificates for each gateway you
plan to deploy and optionally for the management
interface of the third-party mobile endpoint
management system (if this interface is where the
gateways retrieve HIP reports).
In the gateway server certificates, the values in
the CN and SAN fields must be identical. If the
values differ, the GlobalProtect agent detects the
mismatch and does not trust the certificate.
Self-signed certificates contain a SAN field only
if you add a
Host Name
attribute.Alternatively, you can use the Simple Certificate Enrollment
Protocol (SCEP) to request a server certificate from your
enterprise CA.
- SelectandDeviceCertificate ManagementCertificatesDevice CertificatesGeneratea new certificate.
- Use theLocalcertificate type (default).
- Enter aCertificate Name. This name can't contain spaces.
- In theCommon Namefield, enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway.
- In theSigned Byfield, select the GlobalProtect_CA you created.
- In the Certificate Attributes area,Addand define the attributes that uniquely identify the gateway. Keep in mind that if you add aHost Nameattribute (which populates the SAN field of the certificate), it must be the same as the value you defined for theCommon Name.
- Configure cryptographic settings for the server certificate, including the encryptionAlgorithm, key length (Number of Bits),Digestalgorithm, andExpiration(days).
- ClickOKto generate the certificate.
Use Simple Certificate Enrollment Protocol (SCEP) to Request a Server
Certificate from Your Enterprise CA
Configure separate SCEP profiles for each portal
and gateway you plan to deploy. Then use the
specific SCEP profile to generate the server
certificate for each GlobalProtect component.
In portal and gateway server certificates, the
value of the CN field must include the FQDN
(
recommended
) or IP address of the
interface where you plan to configure the portal
or gateway and must be identical to the SAN
field.To comply with the U.S. Federal Information
Processing Standard (FIPS), you must also enable
mutual SSL authentication between the SCEP server
and the GlobalProtect portal. (FIPS-CC operation
is indicated on the firewall login page and in its
status bar.)
After you commit the configuration, the portal attempts to
request a CA certificate using the settings in the SCEP
profile. If successful, the firewall hosting the portal
saves the CA certificate and displays it in the list of
Device Certificates
.- Configure a SCEP Profile for each GlobalProtect portal or gateway:
- Enter aNamethat identifies the SCEP profile and the component to which you deploy the server certificate. If this profile is for a firewall with multiple virtual systems capability, select a virtual system orSharedas theLocationwhere the profile is available.
- (Optional) Configure aSCEP Challenge, which is a response mechanism between the PKI and portal for each certificate request. Use either aFixedchallenge password that you obtain from the SCEP server or aDynamicpassword where the portal-client submits a username and OTP of your choice to the SCEP Server. For a Dynamic SCEP challenge, this can be the credentials of the PKI administrator.
- Configure theServer URLthat the portal uses to reach the SCEP server in the PKI (for example,http://10.200.101.1/certsrv/mscep/).
- Enter a string (up to 255 characters in length) in theCA-IDENT Namefield to identify the SCEP server.
- Enter theSubjectname to use in the certificates generated by the SCEP server. The subject must include a common name (CN) key in the formatCN=<value>where<value>is the FQDN or IP address of the portal or gateway.
- Select theSubject Alternative Name Type. To enter the email name in a certificate’s subject or Subject Alternative Name extension, selectRFC 822 Name. You can also enter theDNS Nameto use to evaluate certificates, or theUniform Resource Identifierto identify the resource from which the client will obtain the certificate.
- Configure additional cryptographic settings, including the key length (Number of Bits), and theDigestalgorithm for the certificate signing request.
- Configure the permitted uses of the certificate, either for signing (Use as digital signature) or encryption (Use for key encipherment).
- To ensure that the portal is connecting to the correct SCEP server, enter theCA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
- Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal.
- ClickOKand thenCommitthe configuration.
- Selectand then clickDeviceCertificate ManagementCertificatesDevice CertificatesGenerate.
- Enter aCertificate Name. This name can't contain spaces.
- Select theSCEP Profileto use to automate the process of issuing a server certificate that is signed by the enterprise CA to a portal or gateway, and then clickOKto generate the certificate. The GlobalProtect portal uses the settings in the SCEP profile to submit a CSR to your enterprise PKI.
Assign Server Certificate You Imported or Generated to a SSL/TLS Service
Profile
Where
Can I Use This? | What
Do I Need? |
---|---|
GlobalProtect™ Subscription | For TLSv1.3 :
|
GlobalProtect supports SSL/TLS service profiles with a maximum
TLS version as TLSv1.3. You can create SSL/TLS service
profiles on the firewall that is hosting the portal or
gateway by specifying the range of supported SSL/TLS
versions (from minimum supported version to maximum
supported version) for communication between GlobalProtect
components.
Configure SSL/TLS service profiles with TLSv1.3 to provide
enhanced security and faster TLS handshake while
establishing connection between GlobalProtect components.
TLSv1.3 is the maximum version supported and, when used,
delivers increased security by removing the weak ciphers
supported in the earlier TLS versions and adding more secure
cipher suites.
- To enable SSL connection between GlobalProtect components, you need to generate or import a certificate.
- On the firewall that is hosting the GlobalProtect portal and gateway, selectandDeviceCertificate ManagementSSL/TLS Service ProfileAdda new SSL/TLS service profile.
- Specify aNamefor the new profile.
- Select theCertificateyou imported.
- In Protocol Settings, define the range of SSL/TLS versions (Min VersiontoMax Version) for communication between GlobalProtect components. The maximum supported TLS version is TLSv1.3.To provide the strongest security, set both theMin Versionand theMax Versionas TLSv1.3.The Encryption Algorithms and Authentication Algorithms are populated automatically from the available ciphers based on your TLS protocol settings.The TLSv1.3aes-chacha20-poly1305cipher isn't enabled by default on devices running Windows 11. You must manually enable the cipher on GlobalProtect endpoints running Windows 11.
- (Optional)Modify the ciphers in the Encryption Algorithms and Authentication Algorithms section as needed.
- ClickOKandCommityour changes.
Deploy the Self-Signed Server Certificates
- Export the self-signed server certificates issued by the root CA on the portal and import them onto the gateways.
- Be sure to issue a unique server certificate for each gateway.
- If specifying self-signed certificates, you must distribute the root CA certificate to the end clients in the portal client configurations.
- Export the certificate from the portal:
- Select.DeviceCertificate ManagementCertificatesDevice Certificates
- Select the gateway certificate you want to deploy, and then clickExport Certificate.
- Set theFile FormattoEncrypted Private Key and Certificate (PKCS12).
- Enter and confirm aPassphraseto encrypt the private key.
- ClickOKto download the PKCS12 file to a location of your choice.
- Import the certificate on the gateway:
- SelectandDeviceCertificate ManagementCertificatesDevice CertificatesImportthe certificate.
- Enter aCertificate Name.
- Browseto find and select theCertificate Fileyou downloaded in the previous step.
- Set theFile FormattoEncrypted Private Key and Certificate (PKCS12).
- Enter and confirm thePassphraseyou used to encrypt the private key when you exported it from the portal.
- ClickOKto import the certificate and key.
- Committhe changes for the gateway.