Posts by adam05 (adam05)

Posts: 1

Hi All; I work with a Platinum Partner of Palo Alto Networks and I have a few tested workarounds for customers looking to keep their devolutions VPN functionality but cannot connect to Palo Alto Firewalls using the Global Protect Client.

These workarounds assume that you are comfortable installing a 3rd party VPN client or using Windows native VPN on Windows 10 and are not looking for Host Information (Licensed GlobalProtect Features) to remain as part of the connection. If you just want to connect to the VPN through devolutions and do not mind using another tool other than the GlobalProtect client which comes with the on.

Workaround 1: Use another VPN Client. On Windows/Linux machines you can use VPNC clients to connect to Palo Alto Networks.

Step 1) Download the the VPNC client for Windows:
Step 2) Configure X-AUTH for Global Protect on your firewall:
Step 3) Configure a custom VPN connection (Make sure it's custom and not generic).

Note: You will need to make sure that a VPNC configuration file is put on the systems which uses a groupname and password. You can also harden this with a certificate as well but those aren't included in the instructions.

Workaround 2: Use new IKEV2 for Windows Native VPN. This is similar to how Azure connects to the firewall and is natively supported by devolutions.
Step 1) Setup IKEV2 for Windows machines:
Step 2) Connect to the firewall using IKEV2 on Windows:
Step 3) Setup a "Microsoft VPN" in the devolutions wizard:

Things that don't work: Using Anyconnect (Cisco) to connect to Palo Alto, Scripting Global Protect or making it a custom VPN (No CLI/Powershell)

Good luck all.
- Adam

12 mths Palo Alto Networks firewalls VPN add-on