Posted on 10-13-2021 07:16 AM
Hey Jamf people!
We are having a weird issue with our GlobalProtect certificate deployments. We have deployed the certificate to our endpoints 10 days prior to expiration to make sure we don't have any expirations (leads to p0 outages). This time is weird though, as we can see successful config profile (containing the new cert) deployments to endpoints, but on their machines, they retain the cert that is expiring soon. What's even weirder is that it does not happen to all people we deployed the certificate to. Has anyone ever seen this issue?
Lukas
Posted on 10-13-2021 08:22 AM
I seem to have cleared up the issue. We deploy the same config profile every time we renew, just containing the new cert in the payload. I did a cert swap with affected users, and that seems to have cleared up the authn issues for now.
Posted on 02-04-2023 01:56 AM
It sounds like you are encountering a strange issue with GlobalProtect certificate deployments. While I cannot guarantee that anyone else has experienced this issue, here are some suggestions that might help resolve it:
Check certificate distribution: Make sure that the correct certificate is being deployed to the endpoints and that it is being installed properly. You can check the certificate distribution by reviewing the GlobalProtect configuration in your management console, or by checking the certificate store on the endpoint.
Verify endpoint connectivity: Make sure that the endpoints are able to connect to the GlobalProtect gateway and that the new certificate is being properly retrieved. You can verify endpoint connectivity by checking the GlobalProtect logs on the endpoint or by reviewing network traffic.
Review GlobalProtect configuration: Make sure that the GlobalProtect configuration is correct and that it is configured to use the new certificate. You can review the GlobalProtect configuration by reviewing the configuration files, the management console, or by checking the GlobalProtect logs on the endpoint.
Check for conflicts: Make sure that there are no other configurations or certificates on the endpoint that are conflicting with the new GlobalProtect certificate. You can check for conflicts by reviewing the certificate store on the endpoint, or by reviewing the GlobalProtect logs on the endpoint.
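The certificate-store check suggested in the last reply, as an added example that is not part of the thread: it lists every certificate matching a common name and flags the ones that expire within the renewal window (10 days, as in the first post), so an endpoint that kept the old certificate next to the new one stands out. The common name `GlobalProtect`, the System keychain path and the function names are assumptions.

```shell
# Added example, not from the thread. The CN and keychain path are assumptions.

# classify_certs DAYS: read a PEM bundle on stdin and print one line per cert:
#   STATUS|notAfter|SHA-1 fingerprint
# STATUS is EXPIRING when the certificate expires within DAYS days, else OK.
classify_certs() {
  cc_secs=$(( $1 * 86400 ))
  cc_tmp=$(mktemp -d) || return 1
  # Write each BEGIN..END block of the bundle to its own file.
  awk -v dir="$cc_tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; on = 1 }
    on { print > out }
    /-----END CERTIFICATE-----/ { close(out); on = 0 }
  '
  for cc_f in "$cc_tmp"/cert*.pem; do
    [ -e "$cc_f" ] || continue
    cc_end=$(openssl x509 -in "$cc_f" -noout -enddate | cut -d= -f2)
    cc_fp=$(openssl x509 -in "$cc_f" -noout -fingerprint -sha1 | cut -d= -f2)
    # -checkend exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$cc_f" -noout -checkend "$cc_secs" >/dev/null; then
      cc_status=OK
    else
      cc_status=EXPIRING
    fi
    printf '%s|%s|%s\n' "$cc_status" "$cc_end" "$cc_fp"
  done
  rm -rf "$cc_tmp"
}

# stale_cert_present: read classify_certs output on stdin; succeed only when a
# renewed (OK) certificate and an EXPIRING one are both installed, which is the
# state described in the first post.
stale_cert_present() {
  sp_report=$(cat)
  printf '%s\n' "$sp_report" | grep -q '^OK|' &&
    printf '%s\n' "$sp_report" | grep -q '^EXPIRING|'
}

# audit_keychain CN [DAYS] [KEYCHAIN]: macOS only. Dumps every certificate whose
# common name matches CN from the keychain and classifies it.
audit_keychain() {
  security find-certificate -a -c "$1" -p \
    "${3:-/Library/Keychains/System.keychain}" | classify_certs "${2:-10}"
}

# On an endpoint (run as a policy script or by hand):
#   audit_keychain "GlobalProtect" 10 | stale_cert_present && echo "old cert still installed"
```

Two lines with different fingerprints, one of them `EXPIRING`, means the new profile installed but the old certificate was not removed.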