Connecting to a Palo Alto Network GlobalProtect Gateway from Linux
November 22, 2012
Please note: this software has only been officially tested on Ubuntu and CentOS distributions. The VPN software uses the community-based vpnc client; please direct support questions about the client itself to your distribution’s support channels.
The following documentation is based on Ubuntu 12.04 LTS.
- Install the following packages on your system:
The packages mentioned above are all available via the Synaptic package manager.
- Right-click the network manager icon in the top right corner of the screen and select the “Network Settings” option.
- Click the + icon to add a new connection.
- Select the VPN interface type and click Create.
- Choose the “Cisco Compatible VPN (vpnc)” option.
- Enter the following details:
An appropriate connection name
Gateway: public IP of the GlobalProtect Portal
For the following two settings to work, IPSec and XAUTH must be enabled in the Palo Alto gateway settings (Network > GlobalProtect > Gateways), as shown below.
Group Name: group name
Group Password: password
The VPN will now be available as an option when clicking on the network manager icon. Once the option is selected, the network manager icon turns into a padlock, indicating a successful connection.
Known Issues and troubleshooting tips
- By default the VPN client tunnels all traffic through the firewall. This is not under the firewall administrator’s control and is purely a client issue. We have allowed internet browsing through the VPN tunnel, but you may notice a marked increase in your browsing latency. The client does allow you to “split-tunnel” and send only the required routes through the tunnel. To do so, edit the properties of the VPN connection, open the IPv4 tab and click the Routes button. Make sure to select the option “Use this connection only for resources on its network”. You may also need to enter the routes manually in the table.
- You may notice periodic disconnects or loss of connectivity. This appears to be due to a bug in current vpnc versions that have issues with rekeying. Searching on Google should turn up some suggestions.
- Generally all errors and debug messages are logged to /var/log/syslog. Check this location if you run into problems.
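To confirm which mode you actually ended up in after the split-tunnel change above, the routing table tells the story: a full tunnel has the default route on the VPN interface, a split tunnel has only the required prefixes there. The script below is an added example (not part of the original post or of vpnc/NetworkManager); it assumes the tunnel interface is named tun0 (vpnc’s default) and uses constructed sample `ip route show` output, with 10.10.0.0/16 standing in for a corporate prefix.

```shell
#!/bin/sh
# Added example: classify a routing table as full-tunnel or split-tunnel.
# VPN_IF defaults to tun0, the interface vpnc creates (assumption).
VPN_IF="${VPN_IF:-tun0}"

# Constructed sample: `ip route show` after a default (full-tunnel) connect.
FULL_SAMPLE='default dev tun0 scope link
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# Constructed sample: the same host after enabling "use this connection
# only for resources on its network" with a manual route for 10.10.0.0/16.
SPLIT_SAMPLE='default via 192.168.1.1 dev eth0
10.10.0.0/16 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# Print "full" if the default route leaves via the tunnel, else "split".
# $1 is the routing table text.
tunnel_mode() {
    if printf '%s\n' "$1" | grep -qE "^default .*dev $VPN_IF( |$)"; then
        echo full
    else
        echo split
    fi
}

# Return 0 if prefix $2 is routed via the tunnel in table $1, 1 otherwise.
routed_via_vpn() {
    # Escape dots so "10.10.0.0/16" is matched literally, not as a regex.
    pattern=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -qE "^$pattern .*dev $VPN_IF( |$)"
}

# Human-readable report for one routing table and one corporate prefix.
report() {
    echo "tunnel mode: $(tunnel_mode "$1")"
    if routed_via_vpn "$1" "$2"; then
        echo "$2 reaches the tunnel"
    else
        echo "$2 does NOT reach the tunnel; add it under IPv4 > Routes"
    fi
}

# Run against the live host only when asked: sh check.sh --live 10.10.0.0/16
if [ "${1-}" = "--live" ]; then
    report "$(ip route show)" "${2:-10.10.0.0/16}"
fi
```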