GlobalProtect VPN Failed to Verify Certificate

A secure connection to a corporate network requires mutual trust between your device and the network gateway. When using the Palo Alto Networks GlobalProtect client, this trust is established via digital certificates.

Drag and drop the Root CA Certificate into the Keychain.

Once internet access is active, retry your GlobalProtect connection.

3. Clear GlobalProtect App Data

The firewall is presenting the identity certificate but failing to provide the bridge (intermediate CA) to the root certificate.

Delete files titled PanPortal* from ~/Library/Application Support/PaloAltoNetworks/GlobalProtect/.

Most verification issues stem from one of these four categories:

The portal/gateway address entered in GlobalProtect does not match the CN (Common Name) or SAN (Subject Alternative Name) listed on the certificate.

Corporate proxies or certain antivirus "web shield" features can intercept SSL traffic and replace the VPN’s certificate with their own, which GlobalProtect will reject as invalid.

: The address you typed (e.g., ://company.com ) doesn't match the "Common Name" (CN) or "Subject Alternative Name" (SAN) on the actual certificate.


Locate the certificate assigned to your GlobalProtect Portal and Gateway.

The most prevalent cause of this failure lies in the certificate store of the client machine, specifically regarding the Trusted Root Certification Authorities. In an enterprise environment, organizations often utilize internal Private CAs to sign the certificates used on their VPN gateways. Unlike public websites, which use certificates signed by widely recognized authorities (like DigiCert or Let's Encrypt) that are pre-installed in operating systems, internal certificates require manual intervention. If the root certificate for the organization’s internal CA is not installed in the client’s "Trusted Root Certification Authorities" store, the GlobalProtect agent has no way to trust the gateway. It effectively views the server as an impostor. This scenario is common in Bring Your Own Device (BYOD) environments or when onboarding processes fail to push the necessary root certificates via Group Policy or Mobile Device Management (MDM) tools.
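The causes described above can be told apart from the client side. The following is an added example, not code from the original page or from Palo Alto Networks: it maps the verification error codes raised by Python's `ssl` module to the untrusted-root, missing-intermediate and name-mismatch cases, and returns the SHA-256 of the presented certificate so it can be compared with the value your VPN administrator has on record (a different value points to SSL interception by a proxy or antivirus). The function names and the `cafile` root CA export are assumptions for illustration.

```python
import hashlib
import socket
import ssl

# OpenSSL verify codes mapped to the failure causes described on this page.
NO_ISSUER = ("issuer not found: the root CA is not in the trust store, "
             "or the gateway did not send its intermediate CA")
CAUSES = {
    18: "self-signed portal certificate that is not in the trust store",
    19: "chain ends in a root CA that is not in the trust store",
    20: NO_ISSUER,
    21: NO_ISSUER,
    62: "portal address does not match the certificate CN/SAN",
}

def classify(err):
    """Map an ssl.SSLCertVerificationError to a likely cause."""
    code = getattr(err, "verify_code", None)
    detail = getattr(err, "verify_message", "")
    return CAUSES.get(code, f"other verification failure ({code}: {detail})")

def leaf_sha256(host, port=443, timeout=5.0):
    """Fetch the presented certificate WITHOUT trusting it; fingerprint only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def diagnose(host, port=443, cafile=None, timeout=5.0):
    """Return (verified, explanation, leaf SHA-256) for a portal address.

    cafile: optional PEM export of the organization's root CA (assumed path).
    If the handshake still fails with "issuer not found" when only that root
    is trusted, the intermediate CA is missing from the gateway's chain.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                explanation, ok = "chain and name verified", True
    except ssl.SSLCertVerificationError as err:
        explanation, ok = classify(err), False
    return ok, explanation, leaf_sha256(host, port, timeout)
```

Run `diagnose()` once with the system trust store and once with `cafile` set to the exported root CA; network errors are left to propagate so a connectivity problem is not mistaken for a certificate problem.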
