Does PA supports Agentless Remote Access VPN

L1 Bithead

Does PA supports Agentless Remote Access VPN

Hi All,


Please let me know, whether PA supports agentless(GlobalProtect) remote access VPN? With SSL or IPSec.

If it supports, please let me know how to configure it.


Thank you in advance..

L4 Transporter



How you imagine to build up a Client-VPN connection without any agents?

PANOS requires GP for Client-VPN.






L1 Bithead

Thanks Hithead for your response.


But, its not my imagination; It was a client's requirement and also I said its not possible. They have insisted to getr an answer the same from PA. So, I have posted the question.


Anyway Thanks!!!

L7 Applicator

As Windows built in VPN client is not standards based IPSec then it does not work with Palo.

You need GlobalProtect agent for it (Cisco vpn client works also).

With IOS and Android you can use GlobalProtect app (you need gateway subscription in your firewall) or you can use built in vpn client and no additional license is required. Built in client is actually Ciscos client.



Enterprise Architect @ Cloud Carib
L7 Applicator

Hi All


There are some products out there that support what is called "clientless vpn". In reality this is usually a sort of web-portal that allows the user proxied access to certain applications via browser plugins. GlobalProtect however is a full suite VPN solution that allows for additional security including HIP checks and pre-windows-logon full security VPN. It does support ipsec and SSL but does require a client.


hope this helps


Tom Piens -
Like my answer? check out my book!
L7 Applicator

There are products that are able to do remote vpn via web browser based clients only or using the built in clients of the OS.  these are especially useful when you are trying to allow a VPN to a vendor or contractor where you do not have access to install software on the computer, or the user will not have the access to do so, or company policy does not allow adding software, or there are already VPN clients installed for use that conflict.


Palo Alto does not support this approach at this time.  If you company wants an official answer, you will need to contact your sales engineer or open an officlal support ticket.  Palo Alto does not discuss roadmap product features in public forums.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L7 Applicator

Not all clientless solutions out there does not mean it really works out of the box.

For example you might need to install active-x plugin. To install that you might need Admin permissions and it is not available in Edge browser. There are also Java solutions available but this means that they still need supporting software. 

Enterprise Architect @ Cloud Carib
L1 Bithead

Thank you all for your responses!!



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!