This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Add new portal to Linux GlobalProtect app

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Add new portal to Linux GlobalProtect app

mgabriel
L0 Member

‎04-01-2022 08:36 AM - edited ‎04-01-2022 08:37 AM

Hi,

I'm trying to set up two different VPN relying on two different accounts on the same Linux (Linux Mint 20.2 Uma, base: Ubuntu 20.04 focal), but I'm having some issues.

From what I understood (as the VPN rely on different emails) I need to create different portals.

I have already one portal setup on my laptop using GlobalProtect, but when when I try to follow the commands indicated here https://docs.paloaltonetworks.com/globalprotect/5-3/globalprotect-app-user-guide/globalprotect-app-f...) I get the following error:

 

$ globalprotect connect --portal XXXXXX
Cannot parse your input. The valid CLI commands that you can now use are:
collect-log
import-certificate
launch-ui [--recover]
show --version

 

So it seems that the 'connect' command is not recognized. How so?
I'm using GlobalProtect version 5.3.1-36

 

Thanks

GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
0 Likes Likes
4 REPLIES 4

kiwi
Community Team Member

‎04-05-2022 04:05 AM

Hi @mgabriel ,

 

The PanGPLinux package contains both UI and non-UI versions. 

If I recall correctly the "globalprotect connect" option is not available in the UI package. 

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

mgabriel
L0 Member
In response to kiwi

‎04-05-2022 05:00 AM

Hi @kiwi,

Yes, that is correct. I unistalled theUI version and I moved to the CLI
one. This allowed me to use the `connect` command.

However, now I'm stuck my another issue: while one of the VPN requires
2FA and works correctly using the CLI version, the other one requires a
certificate.
Even if I first import the certificate with (run in the location where
the certificate is located):

$ globalprotect import-certificate --location .
Please input passcode:
Import certificate is successful.

I then get this message:

$ globalprotect connect --portal YYYYYYYY
Retrieving configuration...
Retrieving configuration...
Failed to connect to YYYYYYYY.
Error: A valid client certificate is required for authentication. If the
issue
persists, contact your administrator.

I've tried with multiple certificates (even newly generated), but the
issue persists.

0 Likes Likes

kiwi
Community Team Member

‎04-05-2022 06:33 AM

Hi @mgabriel ,

 

I'm assuming the client certificate was created by the CA.

Verify that the certificate is installed properly in the globalprotect directory.

I would turn on debugging and check if PanGPS.log can provide some additional information on why it failed to connect.

 

Cheers!

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

mgabriel
L0 Member

‎04-08-2022 05:51 AM

Hi @kiwi,

Thanks for your help!

Yes, the certificate was created by the CA.

What folder do you mean? I see only a folder "~/.GlobalProtect" with
only the logs and three dat files. One of them is called
"PanPortalCfg_*.dat" so it might seems that it has something to do with
the portals configuration, but it's binary so I have not found a way to
read it.

I've tried to copy the p12 certificate in this folder and import it from
here, but the result is still the same:

Retrieving configuration...
Retrieving configuration...
Failed to connect to gp-dica.vpn.polimi.it.
Error: A valid client certificate is required for authentication. If the
issue persists, contact your administrator.

Looking at the PanGPi.log file I read this message, where VPN1 is the
vpn service which requires the 2FA and is working, while VPN2 is the one
which requires the certificate and is not working:

P11533-T150869760 04/07/2022 08:29:19:541 Debug( 118): From GPA:
statusDisconnectedA valid
client certificate is required for authentication. If the issue
persists, contact your
administrator.ni-ext-gw.vpn.VPN1ni-ext-gw.vpn.VPN1yesnodc-ext-gw.vpn.VPN1dc-ext-gw.vpn.VPN1yesnoClient
Cert
Requiredgp-dica.vpn.VPN2noyes.

By looking at them on the line it makes me think that there must be some
sort of mixup with the portals. Could this be the case?

Also I saw in the PanGPA.log the user for VPN2, which however I did not
remember writing anywhere and, for this reason, I think it was read by
the certificate...


0 Likes Likes
  • 3407 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks