Importing External Third-Party Certificates into Palo Alto Firewall

Created by Boopathi K, Modified on Tue, 9 Sep at 11:35 AM by Boopathi K

1. Prerequisites

Before starting, ensure you have the following from your vendor:

  •  Root Certificate
  •  Server Certificate (wildcard certificate)
  •  Private Key

Note: You may receive the server certificate in more than one format (e.g., .pem, .pfx). These are the same certificate in different formats.
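Before importing, it helps to confirm that the private key belongs to the server certificate, that the certificate chains to the vendor root, and that it really is a wildcard certificate. The script below is an added example, not part of the original article; it assumes PEM files and the OpenSSL command line (1.1.0 or later), and the file names, the example.test domain and the `make_sample_bundle` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import checks for a vendor certificate bundle.
# File names and the example.test domain are constructed for illustration.

# 0 if private key $2 belongs to certificate $1. For an encrypted key,
# export KEY_PASS with the passphrase first.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout ${KEY_PASS:+-passin env:KEY_PASS}) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if server certificate $2 verifies against the given root $1 only
# (-no-CApath keeps the system trust directory out of the check).
chains_to_root() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if certificate $1 has a wildcard DNS name in subjectAltName.
has_wildcard_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:\*\.'
}

# usage: check_bundle root.pem server.pem server.key
check_bundle() {
    rc=0
    key_matches_cert "$2" "$3" || { echo "FAIL: key does not match server certificate"; rc=1; }
    chains_to_root "$1" "$2"   || { echo "FAIL: server certificate does not chain to root"; rc=1; }
    has_wildcard_san "$2"      || { echo "FAIL: no wildcard subjectAltName"; rc=1; }
    return $rc
}

# Constructed test material: a throwaway root, a wildcard server certificate
# with its key, and an unrelated key (other.key) for the mismatch case.
make_sample_bundle() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
          -subj "/CN=Constructed Test Root" -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
          -subj "/CN=*.example.test" &&
      printf 'subjectAltName=DNS:*.example.test\n' > san.ext &&
      openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -out server.pem -days 1 -extfile san.ext &&
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key
    ) >/dev/null 2>&1
}

if [ "$#" -eq 3 ]; then check_bundle "$@"; fi
```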

2. Import Certificates into Palo Alto Firewall


Step 1: Import the Root Certificate

  1. Navigate to: Device > Certificate Management > Certificates > Import
  2. Select the Root CA certificate file.
  3. Enable the option Trusted Root CA.
  4. Click OK.

Step 2: Import the Server Certificate with Private Key

  1. Go to: Device > Certificate Management > Certificates > Import
  2. Select the Server Certificate file.
  3. Attach the Private Key file (if provided separately).
  4. Enter the passphrase.
  5. Click OK.

 

3. Apply the Certificate to GlobalProtect VPN

  1. Navigate to: Network > GlobalProtect > Portals.
  2. Edit the portal configuration and replace the self-signed certificate with the imported Root certificate.
  3. Navigate to: Network > GlobalProtect > Gateways.
  4. Edit the gateway configuration and replace the self-signed certificate with the imported Root certificate.
  5. Update the SSL/TLS Service Profile to use the new server certificate.


4. Configure Client-Side Trust

  1. Export the Server Certificate from the Palo Alto firewall (with private key).
  2. Install it under Trusted Root Certification Authorities on the client machine.
  3. Validate access to the GlobalProtect Web Portal via browser to ensure no SSL warnings.


5. Test GlobalProtect Connectivity

  1. Launch the GlobalProtect client and connect.
  2. Verify successful authentication and VPN connection.
  3. Ensure no certificate validation errors are displayed.


This ensures GlobalProtect uses the vendor-provided trusted certificate instead of the firewall’s self-signed certificate.
