Palo Alto Networks firewalls VPN add-on

Seconded GlobalProtect.

Hi
Do you have more information for me?

What info you you need?
http://www.paloaltonetworks.com/products/technologies/globalprotect.html

Currently I have to initiate the VPN manually before starting the RDP connection, it would be great if you guys could support this VPN technology in the same integrated way you do many other VPN techs.

If I can offer more info or test any effort you guys put in I'd be a very willing guinea pig.

Could you verify if they have a command line that we could call?

Hello David,

I realy would like that to. I don't know if they have a command line that you can call. If you want I can provide you the client.

You can PM me.
edited by jos on 6/13/2013

Hi.
I would like to add to the previous. This addon will be nice to have.

Hello,

Devolutions says that they cannot manage the VPN client.

I've requested the CLI feature at Palo Alto.

Palo says they update their VPN client twice a year.

I will send you an update when there is any news.
edited by jos on 9/5/2013

Let us know as soon as they add the CLI

Any news on this?

We would love to migrate our various connections to RDM.

I don't know if they have updated their VPN. Does anyone know?

I haven't received an e-mail yet, I'm gonna e-mail them again.


Edit: just send an e-mail. I will keep you posted.
edited by jos on 3/4/2014

I just received an e-mail. It looks like they are not going to build this because there are not many people who ask for this.

I suggest that more people are send this feature request. You can do that here: support@paloaltonetworks.com

Perhaps it's time to check for another VPN?

I just sent them an email explaining our situation.


Unfortunately we cannot migrate from GlobalProtect as it is a client's choice.

We are in same position. Based on clients decision we also must use Global Protect. And from next week another client also migrate from OpenVPn to GlobalProtect. :(

Hi Guys,

I just had a call from a guy from Palo Alto Networks.

He says that if we can get him an exact specification for the requirement of the CLI, he will append it to the FR and hopefully it may get dealt with.

David - could you provide me with this specification to email him with?

Cheers

Will Mc

Hi Will,
I need you for this. Usually we need a /Connect and /Disconnect with some other parameters. For example if it's possible to specify a profile or an host, it's really nice to have that in the command line as well. However I don't know the details for this specific VPN.

For example it could be something like this

vpn.exe /Connect "myprofile"

Hi there,

any news concerning a potential GlobalProtect plugin ?

Best regards

Hi Guys,

Sorry - I dropped the ball on this one.

Have emailed them again regarding it, with the extra info appended.

Hopefully good things will happen.

Cheers

Will

Please I will second the request, we have many customers using Palo Altos.

Hi Charles,

Palo alto will not respond to non-customers. If anyone here is Palo alto customer directly. Please do try to contact them about this!

Our PaloAlto partner has forwarded my change request today, if I get any response I'll let you know.

Perfect!

Hello Dries Verbruggen,

Could you have any feedbacks fot this case ? Do you have any mails from Palo Alto Nw

We got answered that there is an existing feature request for multiple profiles in the GlobalProtect client, they added us to the existing feature request.

Since this is not excactly what we need, I asked them in return to add to the case that we would like to be able to choose which profile to use with a command line switch. I gave as example "PanGP.exe /connect /profile:myprofile1"

But I had no response on this any more since august 2015

Is there any updates for this case ?

Nothing new from our side.

Regards

Hi,

Just going to bump this thread up - I wrote some third party automation behind Global Protect (saving/switching profiles, command line arguments). Whilst we can't force the client to connect through any methods, you can at least load/switch profiles using the CLI now with my utility. I've some some ideas for how I can make it automatically connect, but I need to have the time to do some testing for that.

Have a read here:

http://www.boofis.com/2016/06/palo-alto-networks-global-protect-switcher-take-2/

Cheers

Hi there, I'd like to throw my hat in on this and say we also have more clients moving to this vpn so it would be great if there was an integration. Anything I can do I am happy to help.

John

Hi,
Do you know if we can invoke a command line?

Regards

Hi All; I work with a Platinum Partner of Palo Alto Networks and I have a few tested workarounds for customers looking to keep their devolutions VPN functionality but cannot connect to Palo Alto Firewalls using the Global Protect Client.

These workarounds assume that you are comfortable installing a 3rd party VPN client or using Windows native VPN on Windows 10 and are not looking for Host Information (Licensed GlobalProtect Features) to remain as part of the connection. If you just want to connect to the VPN through devolutions and do not mind using another tool other than the GlobalProtect client which comes with the firewall...read on.

Workaround 1: Use another VPN Client. On Windows/Linux machines you can use VPNC clients to connect to Palo Alto Networks.

Step 1) Download the the VPNC client for Windows: https://sourceforge.net/projects/vpncfe/
Step 2) Configure X-AUTH for Global Protect on your firewall: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkhCAC
Step 3) Configure a custom VPN connection https://forum.devolutions.net/topic27462-how-to-setup-a-custom-command-line-for-vpn.aspx (Make sure it's custom and not generic).

Note: You will need to make sure that a VPNC configuration file is put on the systems which uses a groupname and password. You can also harden this with a certificate as well but those aren't included in the instructions.


Workaround 2: Use new IKEV2 for Windows Native VPN. This is similar to how Azure connects to the firewall and is natively supported by devolutions.
Step 1) Setup IKEV2 for Windows machines: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm6WCAS
Step 2) Connect to the firewall using IKEV2 on Windows: https://strongvpn.com/setup-windows-10-ikev2/
Step 3) Setup a "Microsoft VPN" in the devolutions wizard: https://help.remotedesktopmanager.com/index.html?vpn.htm

Things that don't work: Using Anyconnect (Cisco) to connect to Palo Alto, Scripting Global Protect or making it a custom VPN (No CLI/Powershell)

Good luck all.
- Adam