Global Protect (basic-mode) for Android and PC - licensing and coexistence

Reply
Highlighted
L2 Linker

Global Protect (basic-mode) for Android and PC - licensing and coexistence

Hello everyone, one of my customers wants to connect using their Android smartphone.  I read the doc, seems like the only gotcha is it requires client certs.  If I do this, then all SSLVPN users will be required to have client certs.  I did not see a way to allow android/ios devices to use client certs while allowing PC's to simply connect in.

Has anyone else been faced by this?

Also - there is the question of licensing.  I have received different answers so I am asking once again,.  If I understand correctly:

1.  The PA comes with a portal and SINGLE gw (no license required) 

2.   I wanted to have a 2nd sslvpn on a second WAN interface, then I would need to purchase a "gateway License."

This is in a HA pair- so will I need a 2nd license\for the Passive PA firewall?

Any verification of this woudl be much appreciated,

Regards,

Don

Tags (2)
L5 Sessionator

Re: Global Protect (basic-mode) for Android and PC - licensing and coexistence

License requirements ::

GlobalProtect portal license is one time permanent license. The gateway license is a one or three year

subscription license.

1. No license is required for single portal/ gateway deployment without Host checks

2. Only  a portal license is required for multiple gateway deployment without Host check

3. Portal license and gateway subscription license is required when Host check is implemented, either

with single or multiple gateways

2nd sslvpn on a second WAN interface would be a Multiple Gateway with Single Portal  which would need a  portal license.

This is in a HA pair- so will I need a 2nd license\for the Passive PA firewall? :Yes


Ref:https://live.paloaltonetworks.com/docs/DOC-2020

L1 Bithead

Re: Global Protect (basic-mode) for Android and PC - licensing and coexistence

Hi Don,

We came across a similar requirement as we operate in a mixed device environment and as such use android/ios devices with Xauth-psk (using the native OS client) as opposed to certificates and accept the tradeoff between risk/functionality.

Just in case it gives you ideas on how to solve your second interface issue, we use the single portal instance configured with multiple gateways (bound to loopbacks) such that a windows/mac device wishing to run the globalprotect client can point at the portal and receive its configuration, whilst other devices can point at the address of their gateway to establish the IPSec tunnel and obtain appropriate IP addressing/policies etc.

cheers

damian

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!