GlobalProtect
SAML for GlobalProtect
This page is a good guide.
Licence Requirements
Palo Alto Networks list the licence requirements here.
You need a licence to:
- Perform HIP checks
- Support the GlobalProtect app on mobile endpoints
- Support the GlobalProtect app on Linux endpoints
- Provide IPv6 connections
- Split-tunnel traffic based on the destination domain, application process name, or HTTP/HTTPS video streaming application
You do not need the licence for the Portal to use certificate checks as match criteria on endpoints. You do need the licence for the Portal to use machine serial number checks as match criteria on endpoints.
Internal Host Detection
For GlobalProtect Internal Host Detection to work, the following conditions must be met:
- The internal host detection IP is pingable from the endpoint.
- The DNS server returns the hostname, and the returned result is in lowercase.
- The reverse lookup (PTR record) returns a hostname that matches the hostname configured in the internal host detection section of the GlobalProtect client configuration.
- In On-demand mode (manual, user-initiated connection), users must launch the agent themselves to connect to GlobalProtect. Use this connect method for external gateways only, i.e. internal host detection does not apply to it.
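The three conditions above can be verified from a Windows endpoint before touching the portal configuration. The following PowerShell script is an added example and is not from the original page or from Palo Alto Networks; the detection IP and hostname are assumptions, so substitute the values from your own client configuration. The case-sensitive comparison (-cne) is deliberate: an upper-case character in the PTR answer is enough to break detection.

```powershell
# Added example (not from the original page): check GlobalProtect Internal Host
# Detection prerequisites from the endpoint. $DetectionIp and $ExpectedHostname
# are assumed values; take the real ones from the portal's client configuration.
param(
    [string]$DetectionIp      = '10.0.0.10',            # assumption
    [string]$ExpectedHostname = 'gpcheck.corp.example'  # assumption
)

$ok = $true

# 1. The detection IP must answer ICMP.
if (Test-Connection -ComputerName $DetectionIp -Count 2 -Quiet) {
    Write-Host "PASS ping $DetectionIp"
} else {
    Write-Host "FAIL $DetectionIp does not answer ping"
    $ok = $false
}

# 2 and 3. A PTR record must exist, match the configured hostname and be lowercase.
try {
    $ptr = (Resolve-DnsName -Name $DetectionIp -Type PTR -ErrorAction Stop |
            Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1).NameHost
} catch {
    $ptr = $null
}

if (-not $ptr) {
    Write-Host "FAIL no PTR record for $DetectionIp"
    $ok = $false
} else {
    $ptr = $ptr.TrimEnd('.')
    # -cne is case-sensitive: any upper-case character in the answer fails the check.
    if ($ptr -cne $ptr.ToLowerInvariant()) {
        Write-Host "FAIL PTR answer '$ptr' contains upper-case characters"
        $ok = $false
    }
    if ($ptr.ToLowerInvariant() -ne $ExpectedHostname.ToLowerInvariant()) {
        Write-Host "FAIL PTR answer '$ptr' does not match configured hostname '$ExpectedHostname'"
        $ok = $false
    }
}

if ($ok) { Write-Host "PASS $DetectionIp -> $ptr; internal host detection should work" }
exit ([int](-not $ok))
```

Run it from a machine on the internal network, where the agent is expected to detect that it is inside; a non-zero exit code points at the condition that fails.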
Troubleshooting
- If the pre-logon tunnel isn't working, it might be that endpoint security software is preventing a network bridge from being established prior to logon (e.g. some SafeNet software).
- If web browsing is very slow when using GlobalProtect, it is possible that there is a proxy setting which is not working but which the browser is still attempting to use.
Mac: If new versions of macOS are not connecting, try this.
From this Reddit page
The newest version of macOS requires you to accept 3rd party kernel extensions. GlobalProtect is one such application that requires it. Go to System Preferences > Security. You may have a button to allow GP at the bottom of that window.
If you run netstat -an and you see that GlobalProtect is not listening on port 4767, restart the Mac with Command+R to get to recovery mode. Open a terminal from the menus at the top, then run spctl kext-consent add PXPZ95SK77, then reinstall the GlobalProtect client. The cause seems to be that OS X disables kernel extensions from untrusted sources.
Support
GlobalProtect is not officially supported on Windows Server. However, for the most part, you are likely to find that it works. One point to consider is SAML authentication: it appears that SAML requires IE 11.x to be installed on the system. While you can install IE 11.x on Server 2008 R2 SP1 and Server 2012 R2, you cannot install IE 11.x on Server 2012.
Max GlobalProtect Sessions
- VM-100 – 500 sessions
- VM-300 – 2,000 sessions
- VM-500 – 6,000 sessions
- PA-200 – 25 sessions
- PA-220 – 250 sessions
- PA-500 – 100 sessions
- PA-820 – 1,000 sessions
- PA-850 – 1,000 sessions
- PA-3020 – 1,000 sessions
- PA-3050 – 2,000 sessions
- PA-3060 – 2,000 sessions
- PA-3220 – 1,024 sessions
- PA-3250 – 2,048 sessions
- PA-3260 – 2,048 sessions
- PA-5020 – 5,000 sessions
- PA-5050 – 10,000 sessions
- PA-5060 – 20,000 sessions
- PA-5220 – 15,000 sessions
- PA-5250 – 30,000 sessions
- PA-5260 – 60,000 sessions
GlobalProtect for Linux
Restrictions
- CLI Only
- HIP Data Collection: Host state only
- Upgrade: Manual only
- Connect method: User-logon & On-demand
Notes:
- Reboot after install
- Launch with the command: globalprotect
- Connect with: connect -p domain.com -u username
- help lists the available commands
Here are some commands to try:
- show --details
- show --statistics
- show --host-state
- show --status
- show --version
- show --welcome-page
- disconnect
- disable
Pre-Logon
GlobalProtect can be configured to allow endpoints to establish a VPN tunnel as the user type/user name 'pre-logon' after booting up but before anyone logs in to the computer.
NOTE: If Windows Group Policy is configured to make the workstation download the entire Group Policy before a user logs in (the "Always wait for the network at computer startup and logon" setting), you may find that enabling pre-logon increases login time significantly. This is because the machine now has a network path to the domain and downloads Group Policy before letting the user log in. Change Group Policy to allow the user to continue logging in before the download has finished.
Palo Alto Networks have a good guide to this.
The above guides are written for administrators who are setting up GlobalProtect that is only to be used for endpoints that have machine certificates. If you want to use a mixture, the following are my observations based on some labbing I did.
If you have pre-logon for all endpoints, you can use one Portal and one Gateway. For Windows endpoints that connect pre-logon, when the user actually logs in, the IP address remains the same and the VPN session remains up. The only change is that the username changes (in my lab, this happened 50 seconds after the user logged in). With Mac endpoints, the tunnel gets torn down and reconnected with the new username.
If you have a mixture of endpoints where some use pre-logon and some do not (e.g. if you are slowly migrating to a full), you are able to keep using a single portal but you require two gateways. The first gateway has a certificate profile set and the second gateway does not have a certificate profile set. You then set two client configurations in the portal. Both client configurations have the connect method set to "pre-logon". However, the first client configuration has "User/User Group" set to "pre-logon" and points to the gateway that has the client certificate profile set. The second client configuration (which must always be below the first client configuration, because the portal matches top-down) has "User/User Group" set to "any" (or to the appropriate User Group) and points to the gateway that has no client certificate profile set.
Endpoints that do not have a machine certificate will not create a VPN tunnel until a user logs in. When the user logs in, the tunnel will be to the gateway that does not have a client certificate profile set.
Endpoints that do have a machine certificate will create a VPN tunnel pre-logon to the gateway that has the client certificate profile set. A caveat is that, when a user logs in on such an endpoint, the tunnel gets torn down and the endpoint reconnects to the gateway that does not have the client certificate profile set. This is because, after logging in, the endpoint is able to associate a username with the endpoint rather than the label "pre-logon". It therefore no longer matches the Portal → Client Configuration that connects to the pre-logon gateway, as that is restricted to the 'pre-logon' user only. The problem is that you cannot set the user to 'any' for the 'pre-logon' client configuration, because then even endpoints without a machine certificate would try to use it (and fail, because they can't get onto the pre-logon gateway without a certificate).
An alternative solution is to have a Portal and Gateway for the endpoints that do not have machine certificates and a separate Portal and Gateway for endpoints that do have machine certificates.
Remove GP Button from Windows 10 Login
- Edit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
- Right-click the CLSID of the GlobalProtect credential provider
- Select New → DWORD (32-bit) Value
- Set the value name to Disabled and the value data to 1
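The same steps, scripted so they can be pushed to many machines. This PowerShell script is an added example, not from the original page or from Palo Alto Networks. The page does not give the provider's CLSID, so the script locates it by the display name stored in each CLSID key's (Default) value; the '*GlobalProtect*' name pattern is an assumption, and -ListOnly shows the real names if it matches nothing.

```powershell
# Added example (not from the original page): hide the GlobalProtect credential
# provider from the Windows logon screen by setting Disabled=1 on its CLSID key.
# The provider is found by display name; '*GlobalProtect*' is an assumed pattern.
param(
    [string]$NamePattern = '*GlobalProtect*',   # assumption; check with -ListOnly
    [switch]$ListOnly,
    [switch]$Revert
)

$root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# Each subkey is a provider CLSID; its (Default) value is the provider's name.
$providers = Get-ChildItem -Path $root | ForEach-Object {
    [pscustomobject]@{
        Clsid    = $_.PSChildName
        Name     = (Get-ItemProperty -Path $_.PSPath).'(default)'
        Disabled = (Get-ItemProperty -Path $_.PSPath -Name Disabled -ErrorAction SilentlyContinue).Disabled
    }
}

if ($ListOnly) { $providers | Format-Table -AutoSize; return }

$targets = $providers | Where-Object { $_.Name -like $NamePattern }
if (-not $targets) {
    Write-Warning "No credential provider matches '$NamePattern'. Providers present:"
    $providers | Format-Table -AutoSize
    exit 1
}

foreach ($p in $targets) {
    $key = Join-Path $root $p.Clsid
    if ($Revert) {
        Remove-ItemProperty -Path $key -Name Disabled -ErrorAction SilentlyContinue
        Write-Host "Re-enabled $($p.Name) ($($p.Clsid))"
    } else {
        # REG_DWORD Disabled = 1 hides the tile; takes effect at the next logon screen.
        New-ItemProperty -Path $key -Name Disabled -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Disabled $($p.Name) ($($p.Clsid))"
    }
}
```

Run it elevated. Disabling the credential provider only removes the logon-screen tile; it does not stop the agent from connecting after logon, so use it together with the connect method you actually want rather than as an access control.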
GlobalProtect SSO Use Login Credentials
See this page.
You can make the GlobalProtect agent the default credential provider on the logon screen either manually, by choosing it under "Sign-in options" on the logon screen, or by importing this reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect]
"SetGPCPDefault"=dword:00000001
If you are installing with MSI, you can use the following install command to ensure that SSO is enabled.
msiexec.exe /i c:\users\username\Desktop\GlobalProtect.msi /quiet PORTAL="vpn.example.com" CONNECTMETHOD="always-on" USESSO="yes"
Dual ISP Resiliency
If you have two active ISP links to a firewall, you can have resilient GlobalProtect.
If you have a single virtual router, then you can only use the second ISP link when the first one fails. Host a single gateway on a single loopback interface, so that there is one IP pool, and use destination NAT to send traffic arriving on either ISP's public IP to the loopback. Configure route monitoring on the default route so that, when ISP link 1 fails, the default route moves to ISP link 2 and the gateway becomes reachable via that link. The portal becomes reachable again once you update its DNS record to point to the second ISP's address.
If you have two virtual routers, then you can have both gateways active at the same time. However, this means you need two gateways and two IP pools. You put the second gateway on the second virtual router. Note: You can (and should?) put the second gateway's tunnel interface on the main virtual router. The only interfaces that need to be on the second virtual router are the interface to the second ISP link and the second GlobalProtect gateway's interface. You probably want the main virtual router to have its own interface to the second ISP link as well.
Supported Linux
When the distribution is not on the supported list, the following script replaces the string "Ubuntu" inside the PanGPS binary with the first six bytes of the local distribution name (as reported by lsb_release), so that the agent accepts the distribution. This patches a vendor binary: keep the original, and re-run it after every agent upgrade.
# Replace "Ubuntu" in the PanGPS binary with the first six bytes of the local distribution name.
BIN=/opt/paloaltonetworks/globalprotect/PanGPS
DISTRO=$(lsb_release -ds | tr -d '"' | head -c 6)
# The replacement must be six bytes, the same length as "Ubuntu", or the binary is corrupted.
[ "$(printf '%s' "$DISTRO" | wc -c)" -eq 6 ] || { echo "'$DISTRO' is not 6 bytes; not patching" >&2; exit 1; }
REPLACE=$(printf '%s' "$DISTRO" | xxd -p | sed 's/../\\x&/g')   # hex bytes as \xNN escapes for sed
cp -n "$BIN" "$BIN.orig" && sed -i "s/\x55\x62\x75\x6e\x74\x75/$REPLACE/g" "$BIN"
Setting Portal
On a Windows Endpoint, you can set the portal with
Computer\HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\LastUrl
Cookies
For Windows, user related cookies are stored in:
C:\Users\%Username%\AppData\Local\Palo Alto Networks\GlobalProtect\
filenames have this format:
PanPUAC_17c2deb6776739fbe2e40a988c921b8.dat
For pre-logon cookies (not tied to a particular user, but to a machine), cookies can be found in:
C:\Program Files\Palo Alto Networks\GlobalProtect\
filenames have this format:
PanPPAC_811c13bcd3d719c3cdf84fac1ceab29.dat
Portal Client Certificates
When you go to a GlobalProtect portal that requires a client certificate to be selected, you used to be able to add the site (in Internet Explorer) to the list of 'trusted sites' and the browser would then remember to select the certificate. The latest versions of Edge no longer honour that. Instead, you have to import the Edge ADMX templates and set the AutoSelectCertificateForUrls policy with an entry such as:
{"pattern":"https://gpportal","filter":{"ISSUER":{"CN":"ISSUER NAME"}}}
The ADMX templates are the Group Policy definitions for Edge. The pattern selects the portal URL and the filter selects the certificate by issuer CN, so the user is no longer prompted.
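Where importing the ADMX templates is not an option, the same policy can be written directly to the registry, since Edge reads its list policies from numbered string values under HKLM\SOFTWARE\Policies\Microsoft\Edge\<PolicyName>. This PowerShell script is an added example, not from the original page or from Microsoft or Palo Alto Networks; the portal URL and issuer CN are the placeholders from the JSON above and must be replaced with your own.

```powershell
# Added example (not from the original page): deploy the Edge
# AutoSelectCertificateForUrls policy for the GlobalProtect portal via the
# registry instead of the ADMX templates. $PortalUrl and $IssuerCn are placeholders.
param(
    [string]$PortalUrl = 'https://gpportal',   # placeholder, use your portal URL
    [string]$IssuerCn  = 'ISSUER NAME'         # placeholder, CN of the client cert issuer
)

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls'
New-Item -Path $policy -Force | Out-Null

# Same JSON shape as the ADMX setting: a URL pattern plus an issuer filter.
# [ordered] keeps the key order stable; -Compress keeps each entry on one line.
$entry = [ordered]@{
    pattern = $PortalUrl
    filter  = [ordered]@{ ISSUER = [ordered]@{ CN = $IssuerCn } }
} | ConvertTo-Json -Compress -Depth 5

# List policies are stored as values named 1, 2, 3, ...; append after the highest
# existing index so entries for other sites are preserved.
$existing = (Get-Item -Path $policy).GetValueNames() |
            Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ }
$index = if ($existing) { ($existing | Measure-Object -Maximum).Maximum + 1 } else { 1 }

New-ItemProperty -Path $policy -Name $index -PropertyType String -Value $entry | Out-Null
Write-Host "Wrote $policy\$index = $entry"
```

Run it elevated, then confirm the policy shows as applied at edge://policy. Keep the issuer filter as specific as possible; a pattern with no filter would let Edge silently present whichever client certificate matches first.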
Linux Mint Certificates
On Linux Mint, you may need to install the CA certificate that issued the GlobalProtect portal's certificate into the system trust store.
Copy the PEM/CRT files to /usr/local/share/ca-certificates and then run sudo update-ca-certificates. Note that update-ca-certificates only picks up files with a .crt extension, so rename a .pem file before copying it.
Bypass Uninstall Password
If the uninstall password has been lost, edit the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\portal.
Set the Uninstall REG_DWORD value to 0 to clear the requirement manually.
Restart the agent services, or restart the machine, so the new value is read.
Because the value lives under HKLM, changing it requires local administrator rights: the uninstall password only stops standard users from removing the agent and is not a control against a local administrator.
Unauthenticated Downloads
The portal serves the client installers without authentication from these URLs, so anyone who can reach the portal can identify it as GlobalProtect and download the agent:
https://vpn.example.com/global-protect/getmsi.esp
https://vpn.example.com/global-protect/getsoftwarepage.esp
If you want to create an inbound URL blocker (e.g. a URL filtering entry on the firewall), use these patterns:
*.example.com/global-protect/getsoftwarepage.esp
*.example.com/global-protect/getmsi.esp
The individual download URLs are:
https://vpn.example.com/global-protect/getmsi.esp?version=32&platform=windows
https://vpn.example.com/global-protect/getmsi.esp?version=64&platform=windows
https://vpn.example.com/global-protect/getmsi.esp?version=none&platform=mac
https://vpn.example.com/global-protect/msi/GlobalProtect32.msi
https://vpn.example.com/global-protect/msi/GlobalProtect64.msi
https://vpn.example.com/global-protect/msi/GlobalProtect.pkg
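To confirm which of these paths a portal really serves without a login, and to verify an inbound URL block after it has been configured, the following PowerShell script probes each path and prints the HTTP status. It is an added example, not from the original page or from Palo Alto Networks; the portal name is a placeholder. It uses HEAD requests so the installers are not downloaded, which assumes the portal answers HEAD; if it returns 405, change -Method to Get.

```powershell
# Added example (not from the original page): probe a GlobalProtect portal for
# the unauthenticated download paths listed above. $Portal is a placeholder.
param([string]$Portal = 'vpn.example.com')   # placeholder portal name

$paths = @(
    '/global-protect/getsoftwarepage.esp',
    '/global-protect/getmsi.esp?version=32&platform=windows',
    '/global-protect/getmsi.esp?version=64&platform=windows',
    '/global-protect/getmsi.esp?version=none&platform=mac',
    '/global-protect/msi/GlobalProtect32.msi',
    '/global-protect/msi/GlobalProtect64.msi',
    '/global-protect/msi/GlobalProtect.pkg'
)

foreach ($path in $paths) {
    $url = "https://$Portal$path"
    try {
        # HEAD avoids pulling the installer; a 200 here means the file is served
        # with no authentication, which is what the inbound URL filter should stop.
        $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $status = [int]$r.StatusCode
    } catch {
        # Both Windows PowerShell and PowerShell 7 expose the response on the exception.
        $resp   = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { 'no response' }
    }
    '{0,-12} {1}' -f $status, $url
}
```

Run it from outside the network. After the URL filter is in place, every line should show a block-page status or no response rather than 200; a 200 on getsoftwarepage.esp in particular confirms the portal is still fingerprintable by anyone on the internet.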
