Install GlobalProtect for IoT on Raspbian

1. From the Support Site, select UpdatesSoftware Updates and download the GlobalProtect package for your OS.
2. Install the GlobalProtect app for IoT.

   From the IoT device, use the sudo dpkg -i GlobalProtect_deb_arm<version>.deb command to install the software.

   sudo dpkg -i GlobalProtect_deb_arm-5.1.0.0-84.deb

   To later uninstall the software, use the sudo dpkg -P globalprotect command.
3. Configure the VPN settings you want to predeploy for Raspbian IoT devices.

   1. In the client-cert path, import the certificate in pcks12 format and save the file with a .pfx extension (for example, pan_client_cert.pfx).
   2. In the client-cert-passphrase path, save the passcode file with .dat extension (for example, pan_client_cert_passcode.dat)
   3. In the log-path-service path, if you are not using the default path for PanGPS (for example, /opt/paloaltonetworks/globalprotect), make sure that the log-setting path folder has the same privilege as the globalprotect folder under opt/paloaltonetworks.
   4. Create the /opt/paloaltonetworks/globalprotect/pangps.xml pre-deployment configuration file in the following format and edit the IP address of the GlobalProtect portal, and authentication settings, either: username and password, or client certificate path (client-cert-path) and pass-phrase file (client-cert-passphrase). You can also specify an optional folder in which to store GlobalProtect service (log-path-service) and agent (log-path-agent) logs.

   <?xml version="1.0" encoding="UTF-8"?>
   
   <GlobalProtect>
    <PanSetup>
             <Portal>192.168.1.160</Portal>       //pre-deployed portal address
   </PanSetup>
    <PanGPS>
    </PanGPS>
    <Settings>
            <portal-timeout>5</portal-timeout>
            <connect-timeout>5</connect-timeout>
            <receive-timeout>30</receive-timeout>
            <os-type>IoT</os-type>             //pre-deployed OS type for IoT. If this tag does not present, GP will automatic detect the OS type.
            <head-less>yes</head-less>       //pre-deployed head-less mode
            <username>abc</username>    //optional pre-deployed username
            <password>xyz</password>       //optional pre-deployed password
            <client-cert-path>cli_cert_path</client-cert-path>       //optional pre-deployed client certificate file(p12) path
            <client-cert-passphrase>cli_cert_passphrase_path<	/client-cert-passphrase>       //optional pre-deployed client certificate passphrase file path
            <log-path-service>/tmp/gps</log-path-service>  //optional pre-deployed log folder for PanGPS
            <log-path-agent>/tmp/gpa</log-path-agent>      //optional pre-deployed log folder for PanGPA and globalprotect CLI          
    </Settings>
   </GlobalProtect>

4. Restart the GlobalProtect process for the pre-deployment configuration to take effect.
5. After you deploy the IoT device, you can collect logs as needed using the globalprotect collect-log command.

   user@raspbianhost:~/Desktop/data$ globalprotect collect-log
   The support file is saved to /home/gptest/.GlobalProtect/GlobalProtectLogs.tgz

6. (Optional) If the authentication method is a is combination of username/password and client certificate authentication, make sure that the CommonName of the client certificate matches the username.