We are going thru some global protect VPN deployment, and the same issues always come up about the server certificate.
1: Ideally, you want the certificate signed by a public CA or your internalCA that is already trusted
2: On Android to install the certificate, you need a file. extension that ends in <name>.crt. the extension.Cert or .cert will not work
3: On unbuntu , download the latest client and dpkg install it.
e.g
sudo dpkg -i ./GlobalProtect_deb-6.0.4.1-28.deb
4: On Android it's sometimes best to use an altName and ip.address value since it's harder to trust private certificates or the DNS name check will mess you up.
5: If you have a rooted phone you cand adb get /etc/systems/hosts and modify the file and push it back into the device
6: Always check logs and cli for successful connections
7: If you need multiple gateways best practice is to use a loop back interface and set up multiple addresses with different gateways
e.g
loop0 IP 1.1.1.1 = gateway1
loop0 IP 1.1.1.2 = gateway2
loop0 IP 1.1.1.3 = gateway3
Doing this will let you craft different auth-profile, different gateways, pools, different rules, etc...
8: Lastly, if remote authentication is required, do not forget any service routes if you are not using the mgmt-interface for the auth access
NSE ( network security expert) and Route/Switching Engineer
