topic Add new portal to Linux GlobalProtect app in General Topics

Add new portal to Linux GlobalProtect app

mgabriel — Fri, 01 Apr 2022 15:37:42 GMT

Hi,

I'm trying to set up two different VPN relying on two different accounts on the same Linux (Linux Mint 20.2 Uma, base: Ubuntu 20.04 focal), but I'm having some issues.

From what I understood (as the VPN rely on different emails) I need to create different portals.

I have already one portal setup on my laptop using , but when when I try to follow the commands indicated here https://docs.paloaltonetworks.com/globalprotect/5-3/globalprotect-app-user-guide/globalprotect-app-for-linux/use-the-globalprotect-app-for-linux.html) I get the following error:

$ globalprotect connect --portal XXXXXX
Cannot parse your input. The valid CLI commands that you can now use are:
collect-log
import-certificate
launch-ui [--recover]
show --version

So it seems that the 'connect' command is not recognized. How so?
I'm using version 5.3.1-36

Thanks

Re: Add new portal to Linux GlobalProtect app

kiwi — Tue, 05 Apr 2022 11:05:53 GMT

Hi @mgabriel ,

The PanGPLinux package contains both UI and non-UI versions.

If I recall correctly the "globalprotect connect" option is not available in the UI package.

Hope this helps,

-Kiwi.

Re: Add new portal to Linux GlobalProtect app

mgabriel — Tue, 05 Apr 2022 12:00:45 GMT

Hi @kiwi,

Yes, that is correct. I unistalled theUI version and I moved to the CLI
one. This allowed me to use the `connect` command.

However, now I'm stuck my another issue: while one of the VPN requires
2FA and works correctly using the CLI version, the other one requires a
certificate.
Even if I first import the certificate with (run in the location where
the certificate is located):

$ globalprotect import-certificate --location .
Please input passcode:
Import certificate is successful.

I then get this message:

$ globalprotect connect --portal YYYYYYYY
Retrieving configuration...
Retrieving configuration...
Failed to connect to YYYYYYYY.
Error: A valid client certificate is required for authentication. If the
issue
persists, contact your administrator.

I've tried with multiple certificates (even newly generated), but the
issue persists.

Re: Add new portal to Linux GlobalProtect app

kiwi — Tue, 05 Apr 2022 13:33:25 GMT

Hi @mgabriel ,

I'm assuming the client certificate was created by the CA.

Verify that the certificate is installed properly in the globalprotect directory.

I would turn on debugging and check if PanGPS.log can provide some additional information on why it failed to connect.

Cheers!

-Kiwi.

Re: Add new portal to Linux GlobalProtect app

mgabriel — Fri, 08 Apr 2022 12:51:02 GMT

Hi @kiwi,

Thanks for your help!

Yes, the certificate was created by the CA.

What folder do you mean? I see only a folder "~/.GlobalProtect" with
only the logs and three dat files. One of them is called
"PanPortalCfg_*.dat" so it might seems that it has something to do with
the portals configuration, but it's binary so I have not found a way to
read it.

I've tried to copy the p12 certificate in this folder and import it from
here, but the result is still the same:

Retrieving configuration...
Retrieving configuration...
Failed to connect to gp-dica.vpn.polimi.it.
Error: A valid client certificate is required for authentication. If the
issue persists, contact your administrator.

Looking at the PanGPi.log file I read this message, where VPN1 is the
vpn service which requires the 2FA and is working, while VPN2 is the one
which requires the certificate and is not working:

P11533-T150869760 04/07/2022 08:29:19:541 Debug( 118): From GPA:
statusDisconnectedA valid
client certificate is required for authentication. If the issue
persists, contact your
administrator.ni-ext-gw.vpn.VPN1ni-ext-gw.vpn.VPN1yesnodc-ext-gw.vpn.VPN1dc-ext-gw.vpn.VPN1yesnoClient
Cert
Requiredgp-dica.vpn.VPN2noyes.

By looking at them on the line it makes me think that there must be some
sort of mixup with the portals. Could this be the case?

Also I saw in the PanGPA.log the user for VPN2, which however I did not
remember writing anywhere and, for this reason, I think it was read by
the certificate...