GlobalProtect Administrator's Guide, page 14
Set Up the GlobalProtect Infrastructure: Enable SSL Between GlobalProtect Components
• Generate a self-signed server certificate.
Use the root CA on the portal to generate server certificates for each gateway you plan to deploy and, optionally, for the Mobile Security Manager management interface (if this is the interface the gateways will use to retrieve HIP reports).
In the gateway server certificates, the values in the Common Name (CN) and Subject Alternative Name (SAN) fields of the certificate must be identical, or the GlobalProtect agent will detect the mismatch when it checks the certificate chain of trust and will not trust the certificate. Self-signed certificates will only contain a SAN field if you add a Host Name certificate attribute.
1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
2. Enter a Certificate Name. The Certificate Name cannot contain any spaces.
3. Enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway in the Common Name field.
4. In the Signed By field, select the GlobalProtect_CA you created previously.
5. In the Certificate Attributes section, click Add and define the attributes to uniquely identify the gateway. Keep in mind that if you add a Host Name attribute (which populates the SAN field of the certificate), it must exactly match the value you defined for the Common Name.
6. Click OK to generate the certificate.
7. Commit your changes.
• Deploy the self-signed server certificates.
Best Practices:
• Export the self-signed server certificates issued by the root CA on the portal and import them onto the gateways.
• Be sure to issue a unique server certificate for each gateway.
• When using self-signed certificates, you must distribute the Root CA certificate to the end clients in the portal client configurations.
1. On the portal, select Device > Certificate Management > Certificates > Device Certificates, select the gateway certificate you want to deploy, and click Export.
2. Select Encrypted Private Key and Certificate (PKCS12) from the File Format drop-down.
3. Enter (and re-enter) a Passphrase to encrypt the private key and then click OK to download the PKCS12 file to your computer.
4. On the gateway, select Device > Certificate Management > Certificates > Device Certificates and click Import.
5. Enter a Certificate Name.
6. Enter the path and name to the Certificate File you just downloaded from the portal, or Browse to find the file.
7. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
8. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.
9. Enter and re-enter the Passphrase you used to encrypt the private key when you exported it from the portal and then click OK to import the certificate and key.
10. Commit the changes to the gateway.
Deploy SSL Server Certificates to the GlobalProtect Components (Continued)
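The following is an added illustration, not part of the guide or of the Palo Alto Networks firewall: it reproduces the two tasks above with openssl (1.1.1 or later assumed), using a root CA standing in for GlobalProtect_CA, one gateway certificate with matching CN and Host Name (SAN), one with a mismatch, the CN/SAN equality check the agent effectively enforces, and a passphrase-protected PKCS12 export and import. All host names, file names and passphrases are constructed.

```shell
#!/bin/sh
# Added example (not from the guide). Assumes openssl 1.1.1+; all names are constructed.
WORK=$(mktemp -d)

# Root CA standing in for the portal's GlobalProtect_CA.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=GlobalProtect_CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue one gateway certificate signed by the CA.
# $1 = Common Name (gateway FQDN), $2 = Host Name attribute (SAN), $3 = file base name.
issue_gateway_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" >/dev/null 2>&1
}

# The condition the GlobalProtect agent enforces: every SAN DNS entry must equal the CN.
cn_matches_san() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/CN=//' | tr -d ' ')
  sans=$(openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2)
  [ -n "$sans" ] || return 1            # no SAN at all: nothing for the agent to match
  for s in $sans; do [ "$s" = "$cn" ] || return 1; done
}

# Chain-of-trust check against the root CA (what a client can do once the CA is distributed).
chain_verifies() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# Export step: Encrypted Private Key and Certificate (PKCS12), protected by a passphrase.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -certfile "$WORK/ca.crt" \
    -passout "pass:$2" -out "$WORK/$1.p12" >/dev/null 2>&1
}

# Import step: the bundle only opens with the passphrase used at export time.
pkcs12_opens() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1; }

# Stand-alone demonstration: one correct gateway certificate, one with a CN/SAN mismatch.
make_root_ca || exit 1
issue_gateway_cert gw1.example.com gw1.example.com gw1 || exit 1
issue_gateway_cert gw2.example.com gateway2.example.com gw2 || exit 1
cn_matches_san "$WORK/gw1.crt" && echo "gw1: CN matches SAN, agent will trust it"
cn_matches_san "$WORK/gw2.crt" || echo "gw2: CN/SAN mismatch, agent will reject it"
export_pkcs12 gw1 'S3cretPassphrase' && echo "gw1.p12 exported (passphrase-protected)"
```

Note that the mismatched gw2 certificate still passes the plain chain-of-trust check; the name comparison is a separate condition, which is why the Host Name attribute must equal the Common Name exactly.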