Add new portal to Linux GlobalProtect app


L0 Member

Hi,

I'm trying to set up two different VPNs relying on two different accounts on the same Linux (Linux Mint 20.2 Uma, base: Ubuntu 20.04 focal), but I'm having some issues.

From what I understood (as the VPNs rely on different emails) I need to create different portals.

I already have one portal set up on my laptop using GlobalProtect, but when I try to follow the commands indicated here (https://docs.paloaltonetworks.com/globalprotect/5-3/globalprotect-app-user-guide/globalprotect-app-f...), I get the following error:

 

$ globalprotect connect --portal XXXXXX
Cannot parse your input. The valid CLI commands that you can now use are:
collect-log
import-certificate
launch-ui [--recover]
show --version

 

So it seems that the 'connect' command is not recognized. How so?
I'm using GlobalProtect version 5.3.1-36

 

Thanks

4 REPLIES

Community Team Member

Hi @mgabriel ,

 

The PanGPLinux package contains both UI and non-UI versions. 

If I recall correctly the "globalprotect connect" option is not available in the UI package. 

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

Hi @kiwi,

Yes, that is correct. I uninstalled the UI version and I moved to the CLI
one. This allowed me to use the `connect` command.

However, now I'm stuck on another issue: while one of the VPNs requires
2FA and works correctly using the CLI version, the other one requires a
certificate.
Even if I first import the certificate with (run in the location where
the certificate is located):

$ globalprotect import-certificate --location .
Please input passcode:
Import certificate is successful.

I then get this message:

$ globalprotect connect --portal YYYYYYYY
Retrieving configuration...
Retrieving configuration...
Failed to connect to YYYYYYYY.
Error: A valid client certificate is required for authentication. If the
issue persists, contact your administrator.

I've tried with multiple certificates (even newly generated), but the
issue persists.

Community Team Member

Hi @mgabriel ,

 

I'm assuming the client certificate was created by the CA.

Verify that the certificate is installed properly in the globalprotect directory.

I would turn on debugging and check if PanGPS.log can provide some additional information on why it failed to connect.

 

Cheers!

-Kiwi.


L0 Member
Hi @kiwi,

Thanks for your help!

Yes, the certificate was created by the CA.

What folder do you mean? I see only a folder "~/.GlobalProtect" with
only the logs and three dat files. One of them is called
"PanPortalCfg_*.dat" so it might seem that it has something to do with
the portals configuration, but it's binary so I have not found a way to
read it.

I've tried to copy the p12 certificate in this folder and import it from
here, but the result is still the same:

Retrieving configuration...
Retrieving configuration...
Failed to connect to gp-dica.vpn.polimi.it.
Error: A valid client certificate is required for authentication. If the
issue persists, contact your administrator.

Looking at the PanGPi.log file I read this message, where VPN1 is the
vpn service which requires the 2FA and is working, while VPN2 is the one
which requires the certificate and is not working:

P11533-T150869760 04/07/2022 08:29:19:541 Debug( 118): From GPA:
statusDisconnectedA valid
client certificate is required for authentication. If the issue
persists, contact your
administrator.ni-ext-gw.vpn.VPN1ni-ext-gw.vpn.VPN1yesnodc-ext-gw.vpn.VPN1dc-ext-gw.vpn.VPN1yesnoClient
Cert
Requiredgp-dica.vpn.VPN2noyes.

By looking at them on the line it makes me think that there must be some
sort of mixup with the portals. Could this be the case?

Also I saw in the PanGPA.log the user for VPN2, which however I did not
remember writing anywhere and, for this reason, I think it was read by
the certificate...
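
As an added example, not part of the thread and not Palo Alto Networks code: a shell function that uses `openssl` to check a `.p12` bundle for conditions that commonly make a TLS client certificate unusable (no private key, expired, purpose excluding client authentication). Whether any of these caused the error discussed above is not established on this page; `check_p12` and `P12_PASS` are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example: checks on a PKCS#12 bundle before `globalprotect import-certificate`.
# check_p12 and P12_PASS are hypothetical names; the passphrase is read from the
# environment so it does not appear in the process list.
check_p12() {
    local p12="$1" cert rc=0
    # 1. The file must be PKCS#12 and open with the passphrase (MAC check).
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -noout >/dev/null 2>&1; then
        echo "FAIL: cannot open bundle (wrong passphrase or not PKCS#12)"
        return 1
    fi
    # 2. Client authentication needs the private key, not only the certificate.
    if openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'; then
        echo "OK: private key present"
    else
        echo "FAIL: no private key in bundle"; rc=1
    fi
    # 3. -clcerts selects the certificate the bundle pairs with a key (localKeyID).
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || true
    if ! printf '%s\n' "$cert" | grep -q 'BEGIN CERTIFICATE'; then
        echo "FAIL: no client certificate in bundle"
        return 1
    fi
    # Identity fields, for comparison with what the CA issued for this portal.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -issuer -enddate
    # 4. The certificate must still be inside its validity period.
    if printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "OK: not expired"
    else
        echo "FAIL: certificate expired"; rc=1
    fi
    # 5. Key usage / extended key usage must allow TLS client authentication.
    if printf '%s\n' "$cert" | openssl x509 -noout -purpose |
        grep -q '^SSL client : Yes'; then
        echo "OK: usable as TLS client certificate"
    else
        echo "FAIL: certificate purpose excludes TLS client authentication"; rc=1
    fi
    return "$rc"
}

# Direct use: P12_PASS='...' bash check_p12.sh client.p12
if [ -n "${1:-}" ]; then check_p12 "$1"; fi
```

With OpenSSL 3.x, a bundle encrypted with legacy algorithms may fail step 1 unless `-legacy` is added to the `pkcs12` calls.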

