Create SSL VPN on PA-500


L2 Linker

Hello. A week ago a friend of mine gave me an old PA-500 w/o license and subscription.

Software Version 6.0.2

Since I had no admin password, the device was factory reset. As an Internet firewall the device works fine now. Does somebody know whether it is possible to set up an SSL VPN outside connection under such conditions? Thanks in advance!

14 REPLIES

L2 Linker

Also, as far as I know, there were problems with upgrading this device. So far I have 6.0.2 s/w. There is a downloaded PanOS_500-8.1.0 file, but it is impossible to install due to an error. Does somebody know how it is possible to upgrade?

Cyber Elite

Hi @Demong,

The PA-500 is EoL. https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dat...

I am surprised you were able to download anything. To upgrade from PAN-OS 6.0.2 to 8.1.0, you would have to upgrade to 7.x 1st.

With regard to SSL VPN, here are the instructions. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK

No license is required for Windows and Mac devices to connect. https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-overview/abou...

PAN-OS 6.0 supports GlobalProtect. You can configure it without having to upgrade. I am sure the GUI will be different from the doc since the PAN-OS is so old.

Thanks,

Tom


Cyber Elite

@Demong,

Just to touch specifically on the upgrade piece, I don't think you'll really find any support there to get the images that you would require to complete that upgrade. You can maybe find an image searching the internet that someone has posted here and there for the PA-500, but I wouldn't personally trust them to actually step the device through an upgrade. 

 

Normally on a device that is this old that's still under active support you would need to reach out to TAC and have them provide you the images so you can walk it through the upgrade path. In this scenario, there's no way that you'll get legitimate access to any of the PA-500 images anymore.

L2 Linker

@TomYoung thanks a lot! I will track the instructions you've sent. The problems I've faced with s/w 6.0.2 are that it is impossible to connect with current versions of browsers and to see just-created certs in the Certificate profile.
@BPry thank you too, of course it would be nice if somebody graciously shared with me an offline image of some 7.x version for PA-500)))


L2 Linker

Hello. I am still working on this device. At the present time the problem is that I am unable to transfer a file to the PA-500 via scp from Debian 12 sshd. In the CLI I received an error:

admin@PA-500> scp import software from root@xxx.xx.xx.xxx:/var/tmp/PanOS_500-7.0.1
no hostkey alg
When I tried this:
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/firewall-administration/manage-firewall-a...

I got the following:
admin@PA-500> configure
Entering configuration mode
[edit]
admin@PA-500# set mgt-config users admin preferences enable-scp-server yes

Invalid syntax.

Can somebody help me?

L2 Linker

Well, a tftp connection helped me; nevertheless it seems I'm unable to jump to f/w 7.0.1 from 6.0.2, am I?

@Demong -- Unfortunately.  The box is a brick.  The hardware itself has been EOS for almost 2 years.  6.X is EOS, 7.X is EOS, 8.X is EOS, 9.X is EOS, 10.0 is EOS & 10.1 is soon to be EOS.  You will probably have a better chance at winning the lottery than making this PA-500 useful to you.

L2 Linker

@Brandon_Wertz thanks, but for my SOHO tasks this box works enough. And I still hope to...


@Demong wrote:

@Brandon_Wertz thanks, but for my SOHO tasks this box works enough. And I still hope to...


Good luck

L2 Linker

@Brandon_Wertz thanks

L2 Linker

Hello!
First of all, thanks again to @Brandon_Wertz, @BPry, @TomYoung !!!
Nevertheless I succeeded in finding the s/w, so now my PA-500 is on 8.1.26-h1 and I was able to set up an SSL VPN thanks to @TomYoung's suggestion: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK
However, since I'm not so experienced with Palo Alto and am still learning, can somebody give me some advice on how to properly give access to local resources? The client received an address 10.10.10.1 due to the settings in the article above but can't ping anything in the local area 172.28.0.0, though the default virtual router has static routes, see attachment. Well, part of the problem with reaching resources by IP was fixed, because access routes for the local nets were absent. But how could I translate the DNS server of the local net to remote clients?
Also there are problems with CRM Bitrix24. Messages transfer with a delay, or you need to refresh the messages page in the browser or in the full client software, and it is impossible to make calls.
Please help me or point me in the right direction, thanks in advance!

L2 Linker

Hello!
First of all, thanks again to @Brandon_Wertz, @BPry, @TomYoung !!!
On my PA-500 I was able to set up an SSL VPN thanks to @TomYoung's suggestion: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK
There are problems with CRM Bitrix24. Messages transfer with a delay, or you need to refresh the messages page in the browser or in the full client software, and it is impossible to make calls.
Please help me or point me in the right direction, thanks in advance!

L2 Linker

Hey! Since nobody can help me with the Bitrix and WA delaying, it seems to me we should close this conversation. Developers present here rather know an answer, I believe.
