GlobalProtect fails to import Root CA certificate into Windows certificate store

KB Article

As outlined in the KB article, the GlobalProtect client does not automatically retrieve certificates directly from the portal. As an IT administrator, managing this issue across 500 PCs by manually uninstalling and reinstalling the GlobalProtect client is highly impractical.

What is the most efficient way to distribute the newly self-renewed certificate to all user machines? We are currently overwhelmed with tickets from multiple users reporting connectivity issues with the GlobalProtect client. Any detailed explanations or guidance would be greatly appreciated.

I would leverage my MDM (Intune) to perform this, or AD if these are on-prem devices, though if you're utilizing the VPN on that many devices I imagine they are remote.

MDM, GPO, or Windows PKI auto-enrollment, depending on your capabilities.

The article you linked is quite old. We’ve been using this feature without any issues.

I checked the 11.1 admin guide and it says, "This option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems."

Are you seeing that error in the logs?

I am using 6.1.4 and 6.2.5, and the cert I have in the portal profile is installed on GP clients successfully.

^This - GPO is how we deploy it.

Yes, I need to uninstall GlobalProtect from the PC and reinstall it via the portal to resolve the issue. However, doing this for 500 PCs is not feasible, so I need an alternative solution.

Do you have a better KBA for this?

Yes, the new certificates will be included when you download GlobalProtect from the portal. However, I cannot apply this to all the PCs that already have the GlobalProtect client installed.

I would roll it out using whatever you currently use for systems management (Intune, KACE, SCCM, etc).

Which version of GlobalProtect do you have deployed? I think it's important to note that in the KBA you have referenced it says it only applies when the portal server certificate cannot be verified by a Root CA certificate installed on the endpoint's certificate store.

Have you confirmed via the logs that you are actually running into this issue or are you just assuming it won’t work because you found this article?
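The two points the thread keeps coming back to are (a) pushing the renewed root CA into the machine store with whatever endpoint-management tool you already have (Intune, SCCM, GPO startup script) and (b) first confirming that the endpoint really is in the state the KBA describes, i.e. the portal's TLS chain does not validate against the local Root store. The script below is an added example, not from this thread and not Palo Alto Networks' own tooling; it does both in one idempotent run. The file path, the expected thumbprint placeholder and the portal hostname are assumptions you replace with your own values.

```powershell
# Added example (not from the thread or from Palo Alto Networks).
# Assumptions (hypothetical values): your deployment tool drops the renewed
# root CA as a .cer file at $CertPath; $ExpectedThumbprint is the SHA-1
# thumbprint you read off the portal's cert chain; $PortalHost is your portal.
# Run elevated (SYSTEM context from Intune/SCCM/GPO is fine).
param(
    [string]$CertPath           = "C:\ProgramData\Deploy\corp-root-ca.cer",            # assumption
    [string]$ExpectedThumbprint = "0000000000000000000000000000000000000000",          # placeholder
    [string]$PortalHost         = "portal.example.com",                                # assumption
    [int]$PortalPort            = 443
)

$ErrorActionPreference = "Stop"
$StoreName = "Root"   # Cert:\LocalMachine\Root = Trusted Root Certification Authorities

# 1. Load the file and refuse to trust anything except the exact cert you expect.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
}
# Only a self-signed root belongs in the Root store; an intermediate or a leaf
# dropped in there silently widens trust on every machine you push it to.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed; do not put it in the Root store"
}

# 2. Import only if missing, so the script is safe to run on every check-in.
$existing = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $existing) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation "Cert:\LocalMachine\$StoreName" | Out-Null
    Write-Output "Imported '$($cert.Subject)' into LocalMachine\$StoreName"
} else {
    Write-Output "Already present: '$($cert.Subject)'"
}

# 3. Fetch the portal's server certificate and build its chain against the
#    machine store. A failed Build() is exactly the condition the KBA names.
$tcp = [System.Net.Sockets.TcpClient]::new($PortalHost, $PortalPort)
try {
    # Accept everything in the handshake callback; trust is evaluated below.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($PortalHost)
    $portalCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = "NoCheck"   # chain trust only; revocation is a separate check
if ($chain.Build($portalCert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Output "Portal chain OK: '$($portalCert.Subject)' chains to '$($root.Subject)'"
    exit 0
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    Write-Output "Portal chain FAILED ($status); the endpoint is in the state the KBA describes"
    exit 1
}
```

Deploy it as an Intune PowerShell script or a GPO computer startup script and read the exit code: 1 on a machine that already has the file installed means the portal is presenting a chain whose root is not the one you pushed, which is worth knowing before you reinstall 500 clients.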

The clients should get any new certs whenever they connect to the portal for auth. They will download the associated agent profile and certs.