About these ads

David Vassallo's Blog

If at first you don't succeed; call it version 1.0

Connecting to a Palo Alto Network GlobalProtect Gateway from Linux


Please note: this software has only been officially tested on Ubuntu and CentOS distributions. The VPN software uses community based vpnc software, please direct support questions about the actual client to your distribution’s support channels.

The following documentation is based on Ubuntu 12.04 LTS

- Install the following packages on your system:

* network-manager-vpnc
* network-manager-vpnc-gnome
* vpnc

The above mentioned packages are all available via synaptic package manager:

- Right click on the network manager icon on the top right corner of the screen and select the “Networks Settings” option
– Click the + icon to add a new connection.
– Select the VPN interface type and click on create

- Choose the cisco compatible vpn option

- Enter the following details:

An appropriate connection name
Gateway:             public IP of the GlobalProtect Portal
User:                    username
Password:          password

For the following two settings, you need to enable IPSec and XAUTH on the Palo Alto Gateway settings for this to be enabled, as can be seen below (Network > GlobalProtect > Gateways)

Group Name:             group name
Group Password:    password

The VPN will now be available as an option when clicking on the network manager icon. Once the option is selected, the network manager icon will turn into a padlock, indicating a successful connection

Known Issues and troubleshooting tips

  •  By default the VPN client tunnels all traffic through the firewall. This is not under the firewall administrator’s control, and is purely a client issue. We have allowed internet browsing through the VPN tunnel, but you may notice a marked increase in your browsing latency. The client does allow you to “split-tunnel” and send only the required routes through the tunnel. This can be done by editing the properties of the VPN connection, browsing to the IPv4 tab and selecting the routes button. Make sure to select the option Use this connection only for resources on it’s network. You may also need to enter the routes manually in the table.

  • You may notice periodic disconnects or loss of connectivity. This seems to be due to a bug in current VPNC versions that have issues with rekeying. Research on google should turn up some suggestions
  • Generally all errors and debug messages are logged to /var/log/syslog. Check this location if you run into problems.
About these ads

4 responses to “Connecting to a Palo Alto Network GlobalProtect Gateway from Linux

  1. David Pagan January 28, 2013 at 7:17 pm

    Hi. Thanks for the posting! It actually helped me out when I was setting up a vpnc connection to a Palo Alto unit I’m demoing.

    I just want to make one comment. When you mentioned about the “known issues and troubleshooting tips”, you said that “By default the VPN client tunnels all traffic through the firewall. This is not under the firewall administrator’s control, and is purely a client issue. ” I have to disagree, because I don’t get this issue when using the vpnc client against a Cisco 2911 vpn. The spilt-tunnel policy works by default without any manual intervention on the client.

    I only seem to experience this with the Palo Alto (PA-2050). I’m actually going to reach out to the sales engineer to see if he can better explain, but if I find out anything useful I’ll come back and post.

    thanks again!

    David

    • dvas0004 January 28, 2013 at 8:46 pm

      Excellent pls let me know if you find anything!

      Thanks

  2. Pingback: Palo Alto GlobalProtect for Linux with vpnc | blog.webernetz.net

  3. stunderic May 7, 2014 at 6:50 am

    Thanks a million it took me while to get GlobalProtect setup for my users. I thought fixing it for my personal Linux devices were going to be a pain but once it is built following this was way simple.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 162 other followers

%d bloggers like this: