Install and Connect to the Prisma Access VPN on Linux
The official GlobalProtect GUI client, which is required for touchstone auth, only supports a narrow range of Linux Distros. Please see here for the authoritative list. For other distros it is possible to get openconnect to work using community projects, but please note that this is not officially supported by Palo Alto or IS&T. |
Official Client
Install
Download the MIT GlobalProtect Linux app. It includes the following files (you will NOT use them all):
- GlobalProtect_UI_tar-5.3.0.0-32.tgz
- GlobalProtect_UI_rpm-5.3.0.0-32.rpm
- GlobalProtect_UI_deb-5.3.0.0-32.deb
- GlobalProtect_tar_arm-5.3.0.0-32.tgz
- GlobalProtect_tar-5.3.0.0-32.tgz
- GlobalProtect_rpm_arm-5.3.0.0-32.rpm
- GlobalProtect_rpm-5.3.0.0-32.rpm
- GlobalProtect_deb_arm-5.3.0.0-32.deb
- GlobalProtect_deb-5.3.0.0-32.deb
(ONLY use the "UI" installation packages, the non-UI versions will not work with SAML.)
Use the *.deb version for Debian-based distros (Ubuntu, Linux Mint, etc.), use the *.rpm version for Red Hat based distros (RHEL, CentOS, etc.) and use the generic tar for other distros (Arch, etc.)
The *.deb and the *.rpm should be opened with the system package installer of your choosing (i.e. by double clicking the file and following the prompts.)
Manual Install:
- Extract the installation files:
mkdir GP_VPN_UI && tar xf GlobalProtect_UI_tar-5.3.0.0-32.tgz -C GP_VPN_UI
- Obtain root privileges and run the installation script:
sudo bash GP_VPN_UI/install.sh
Result: This will attempt to install the sole dependency (qt5-webkit) but this will only work on Debian based, or Red Hat based distros. If this fails for you, please search your package repositories for the appropriate packages, which e.g. for Arch is extra/qt5-webengine.
? sudo bash GP_VPN_UI/install.sh sudo password for <username>: systemd is detected. Enable gp service... Create symlink for gp cli... Starting gp service... Enable gp autostart... Starting gpa... Check for and install PanGPUI dependencies... wget: download QtWebkit... yum: Installing QtWebkit dependencies... Starting gpui for <username>...
Result: The GlobalProtect App is installed and immediately prompts you to connect (continue below).
Connect
- Click on the globe icon in your taskbar if it is not already open.
- Enter the address: gpvpn.mit.edu
- Click Connect.
- Authenticate using Touchstone Authentication.
Result: You're connected to MIT GlobalProtect VPN service and may go about your computing activities normally. The globe icon now includes a shield.
After the first time you connect, simply click on the globe icon in your taskbar and tap the Connect button to connect. You may be prompted to authenticate again depending on how long it has been since your last connection.
Disconnect
- Click on the globe and shield icon in your taskbar.
- Click the Disconnect button.
Result: You have been disconnected from the MIT GlobalProtect VPN service.
Unofficial Solutions
openconnect
Standard VPN client openconnect supports Global Protect, but requires a community tool to handle the Touchstone auth steps.
See: GlobalProtect-openconnect
This will allow you to negotiate the SAML auth, get the cookie you need, and use openconnect to tunnel traffic.
The only caveat is sometimes it doesn't like the gpvpn.mit.edu load balancer, so instead you need to manually use a particular gateway, so e.g. for US East, use: us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com