GlobalProtect
Download and Install the GlobalProtect App for Linux
Table of Contents
Download and Install the GlobalProtect App for Linux
GlobalProtect offers you two different methods to install the
GlobalProtect app on your Linux device: a GUI-based installation version and a CLI
version. If you use a supported Linux operating system that supports a graphical
interface, you can install the GUI version of the GlobalProtect; otherwise, download
and install the CLI version of the GlobalProtect app.
Download and Install the GUI Version of GlobalProtect for Linux
If your Linux device supports a graphical user interface, complete
these steps to install the GUI version of GlobalProtect for Linux.
- Download the GlobalProtect app for Linux.
- Log in to the Customer Support Portal. After you enter your username and password credentials, you are authenticated and you are logged in to the support site.
- Select UpdatesSoftware Updates.
- Filter by GlobalProtect Agent for Linux, and download the associated TGZ file.
- Extract the files from the package.
user@linuxhost:~$ tar -xvf ~/pkgs/PanGPLinux-5.2.0.tgz ./ ./GlobalProtect_deb-5.2.0.0-62.deb ./GlobalProtect_deb_arm-5.2.0.0-62.deb ./GlobalProtect_rpm-5.2.0.0-62.rpm ./GlobalProtect_rpm_arm-5.2.0.0-62.rpm ./GlobalProtect_tar-5.2.0.0-62.tgz ./GlobalProtect_tar_arm-5.2.0.0-62.tgz ./GlobalProtect_UI_deb-5.2.0.0-62.deb ./GlobalProtect_UI_rpm-5.2.0.0-62.rpm ./GlobalProtect_UI_tar-5.2.0.0-62.tgz ./manifest ./relinfo
You will see multiple installation packages for supported operating system versions—DEB for Debian and Ubuntu and RPM for CentOS and Red Hat. The package for the GUI version is denoted by a GlobalProtect_UI prefix.
- (Optional) If your Linux endpoint must use a manual proxy server
configuration, configure the proxy settings.The GlobalProtect app for Linux supports only a basic proxy server configuration but does not support the use of Proxy Auto-Configuration (PAC) files and proxy authentication.The GlobalProtect app for Linux obtains the proxy settings from the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables in the /etc/environment file. If you later change the system proxy configuration, verify that the terminal from which GlobalProtect runs uses the proxy environment variables. If you do not see the new settings, log out and back in for the new settings to take effect.If you have configured the HTTP_PROXY variable or the HTTPS_PROXY variable, make sure that the GlobalProtect portal matches the settings configured for the NO_PROXY variable.
- To set your proxy on your Linux endpoint, edit the HTTP_PROXY environment variable or HTTPS_PROXY environment variable (for example, HTTPS_PROXY=”https://yourproxy.local:8080”).
- To configure the IP addresses or domain names that you want to
exclude from the proxy, edit the
NO_PROXY environment variable (for
example,
NO_PROXY=”www.gpqa.com”).Use commas to separate multiple IP addresses or domain names. Starting with GlobalProtect app 5.1.6, you can use the wildcard character (*) for IP addresses or domain names (for example, NO_PROXY=”*.domain.com”).
- (Optional) To import a certificate, complete the following
steps.When you want to pre-deploy a client certificate to an endpoint for certificate-based authentication, you can copy the certificate to the endpoint and import it for use by the GlobalProtect app. Use the globalprotect import-certificate --location <location> command to import the certificate on the endpoint. When prompted you must supply the certificate password.
user@linuxhost:~$ globalprotect import-certificate --location /home/mydir/Downloads/cert_client_cert.p12 Please input passcode: Import certificate is successful.
- Install the GUI version of the GlobalProtect app for Linux.Install the app using root privileges and use an installation method that will automatically add any missing packages that are required by the GlobalProtect app.For Debian and Ubuntu, use the sudo apt-get install <gp-app-pkg> command.where <gp-app-pkg> is the path of the UI distribution package for your Linux version.The following example instructs the package manager to install the GlobalProtect_UI_deb-5.2.6.0-12.deb UI distribution package:
user@linuxhost:~$ sudo apt-get install GlobalProtect_UI_deb-5.2.6.0-12.deb [sudo] password for gpqa: Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting 'globalprotect' instead of '/home/gpqa/Downloads/GlobalProtect_UI_deb-5.2.6.0-12.deb' The following NEW packages will be installed: globalprotect 0 upgraded, 1 newly installed, 0 to remove and 90 not upgraded. After this operation, 0 B of additional disk space will be used. Get:1 /home/gpqa/Downloads/GlobalProtect_UI_deb-5.2.6.0-12.deb globalprotect all 5.2.6-12 [7,416 kB] E: read, still have 59 to read but none left E: Error reading archive member header E: Prior errors apply to /home/gpqa/Downloads/GlobalProtect_UI_deb-5.2.6.0-12.deb debconf: apt-extracttemplates failed: No such file or directory Selecting previously unselected package globalprotect. (Reading database ... 318427 files and directories currently installed.) Preparing to unpack .../GlobalProtect_UI_deb-5.2.6.0-12.deb ... Start installing gp... Unpacking globalprotect (5.2.6-12) ... Setting up globalprotect (5.2.6-12) ... Enable gp service... Starting gp service... Set default browser, errors other than gp.desktop can be ignored... enable ping net.ipv4.ping_group_range = 0 0 Starting gpa... start GPA for sudo user gpqa start PanGPUI for sudo gpqa Processing riggers for man-db (2.8.3-2ubuntu0.1)...
For CentOS and Red Hat, use the sudo yum install -y <gp-app-pkg> command.where <gp-app-pkg> is the path of the UI distribution package for your Linux version.The following example installs the GlobalProtect_UI_rpm-5.2.6.0-9.rpm UI distribution package from the repository to your system:user@linuxhost:~$ sudo yum install -y ./GlobalProtect_UI_rpm-5.2.6.0-9.rpm [sudo] password for gpqa: Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager Examining ./GlobalProtect_UI_rpm-5.2.6.0-9.rpm: globalprotect_UI-5.2.6-9.x86_64 Marking ./GlobalProtect_UI_rpm-5.2.6.0-9.rpm to be installed Resolving Dependencies --> Running transaction check ---> Package globalprotect_UI.x86_64 0:5.2.6-9 will be installed --> Finished Dependency Resolution https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/optional/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden Trying other mirror. To address this issue please refer to the below knowledge base article https://access.redhat.com/solutions/69319 If above article doesn't help to resolve this issue please open a ticket with Red Hat Support. https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - ForbiddenTrying other mirror. Dependencies Resolved =============================================================================== Package Arch Version Repository Size =============================================================================== Installing: globalprotect_UI x86_64 5.2.6-9 /GlobalProtect_UI_rpm-5.2.6.0-9 31 M Transaction Summary===============================================================================Install 1 Package Total size: 31 M Installed size: 31 M Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Start installing gp... Installing : globalprotect_UI-5.2.6-9.x86_64 1/1 Enable gp service... Set default browser, errors other than gp.desktop can be ignored... enable ping /var/tmp/rpm-tmp.VLWi5h: line 23: $LOG: ambiguous redirect Starting gp service.. Starting gpa... Verifying : globalprotect_UI-5.2.6-9.x86_64 1/1 https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/c76c2299-12f3-4f9c-b7bd-03bacee2c363: [Errno 14] HTTPS Error 403 - ForbiddenTrying other mirror. Installed: globalprotect_UI.x86_64 0:5.2.6-9 Complete!
- Use the GUI
version of the GlobalProtect App for Linux.After installation completes, the GlobalProtect app automatically launches. Specify your portal address and enter your credentials when prompted to begin the connection process.Because the GlobalProtect service supports only one socket connection to the GlobalProtect agent and to the GUI version of the GlobalProtect app, you must either log out of the Linux operating system or the SSH session depending on the installation method used as a root user after installing the app. You must log back in to the Linux endpoint as another user with non-privileged user privileges and the app launches.
Download and Install the CLI Version of GlobalProtect for Linux
If your Linux device does not support a GUI, install the GlobalProtect
app for Linux by completing these steps. The GlobalProtect app for Linux
supports the DEB, RPM, and TAR installation packages.
- Download the GlobalProtect app for Linux.
- Obtain the app package from your IT administrator and
then copy the TGZ file to the Linux endpoint.For example, if you downloaded the package to a macOS endpoint, you can open a terminal and then copy the file:
macUser@mac:~$ scp ~/Downloads/PanGPLinux-5.2.0.tgz linuxUser@linuxHost: <DestinationFolder>
where <DestinationFolder> is a location such as ~/pkgs/ where you want to store the TGZ file. - From the Linux endpoint, unzip the package.
user@linuxhost:~$ tar -xvf ~/pkgs/PanGPLinux-5.2.0.tgz
After you unzip the package, you will see installation packages—DEB for Ubuntu and RPM for CentOS and Red Hat—and the scripts to install and uninstall the packages.
- Obtain the app package from your IT administrator and
then copy the TGZ file to the Linux endpoint.
- (Optional) If your Linux endpoint must use a manual proxy server
configuration, configure the proxy settings.The GlobalProtect app for Linux supports only a basic proxy server configuration but does not support the use of Proxy Auto-Configuration (PAC) files and proxy authentication.The GlobalProtect app for Linux obtains the proxy settings from the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables in the /etc/environment file. If you later change the system proxy configuration, verify that the terminal from which GlobalProtect runs uses the proxy environment variables. If you do not see the new settings, log out and back in for the new settings to take effect.If you have configured the HTTP_PROXY variable or the HTTPS_PROXY variable, make sure that the GlobalProtect portal matches the settings configured for the NO_PROXY variable.
- To set your proxy on your Linux endpoint, edit the HTTP_PROXY environment variable or HTTPS_PROXY environment variable (for example, HTTPS_PROXY=”https://yourproxy.local:8080”).
- To configure the IP addresses or domain names that you want to
exclude from the proxy, edit the
NO_PROXY environment variable (for
example,
NO_PROXY=”www.gpqa.com”).Use commas to separate multiple IP addresses or domain names. Starting with GlobalProtect app 5.1.6, you can use the wildcard character (*) for IP addresses or domain names (for example, NO_PROXY=”*.domain.com”).
- Install the CLI version of the GlobalProtect app for Linux.Use either the sudo dpkg -i <gp-app-pkg> command, sudo apt-get install <gp-app-pkg> command, or the sudo yum install -y <gp-app-pkg> command.where <gp-app-pkg> is the path of the CLI distribution package for your Linux version. For the apt-get command, ensure that you add ./ before the package name.For installation of the CLI version on Linux Ubuntu 20.04 LTS, due to underlying operating system issues, you cannot use the sudo apt-get install <gp-app-pkg> command. Instead, use the sudo dpkg -i <gp-app-pkg> command to install the CLI version of the GlobalProtect app. For more information, see GlobalProtect 5.2.x or above fails to install package when using the apt-get utility on Ubuntu 20.04 .The following example installs the GlobalProtect_deb-5.2.0.0-25.deb CLI distribution package:
user@linuxhost:~$ sudo dpkg -i GlobalProtect_deb-5.2.0.0-25.deb Selecting previously unselected package GlobalProtect. (Reading database ... 265621 files and directories currently installed.) Preparing to unpack GlobalProtect_deb-5.2.0.0-25.deb ... gp service is running and we need to stop it... Disable service... Start upgrading gp... Unpacking GlobalProtect (5.2.0-25) over (5.2.0-25)... systemd is detected. Setting up GlobalProtect (5.2.0-25) ... Enable gp service... Starting gp service... Starting gpa... Processing triggers for man-db (2.8.3-2ubuntu0.1)...
The following example instructs the package manager to install the GlobalProtect_deb-5.2.6.0-12.deb CLI distribution package:user@linuxhost:~$ sudo apt-get install ./GlobalProtect_deb-5.2.6.0-12.deb [sudo] password for gpqa: Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting 'globalprotect' instead of '/home/gpqa/Downloads/GlobalProtect_deb-5.2.6.0-12.deb' The following NEW packages will be installed: globalprotect 0 upgraded, 1 newly installed, 0 to remove and 94 not upgraded. After this operation, 0 B of additional disk space will be used. Get:1 /home/gpqa/Downloads/GlobalProtect_deb-5.2.6.0-12.deb globalprotect all 5.2.6-12 [6,301 kB] E: read, still have 59 to read but none left E: Error reading archive member header E: Prior errors apply to /home/gpqa/Downloads/GlobalProtect_deb-5.2.6.0-12.deb debconf: apt-extracttemplates failed: No such file or directory Selecting previously unselected package globalprotect. (Reading database ... 318427 files and directories currently installed.) Preparing to unpack .../GlobalProtect_deb-5.2.6.0-12.deb ... Start installing gp... Unpacking globalprotect (5.2.6-12) ... Setting up globalprotect (5.2.6-12) ... Enable gp service... Starting gp service... enable ping net.ipv4.ping_group_range = 0 0 Starting gpa... start GPA for sudo user gpqa Processing riggers for man-db (2.8.3-2ubuntu0.1)...
The following example installs the GlobalProtect_rpm-5.2.6.0-9.rpm CLI distribution package from the repository to your system:user@linuxhost:~$ sudo yum install -y ./GlobalProtect_rpm-5.2.6.0-9.rpm [sudo] password for gpqa: Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager Examining ./GlobalProtect_rpm-5.2.6.0-9.rpm: globalprotect_UI-5.2.6-9.x86_64 Marking ./GlobalProtect_rpm-5.2.6.0-9.rpm to be installed Resolving Dependencies --> Running transaction check ---> Package globalprotect.x86_64 0:5.2.6-9 will be installed --> Finished Dependency Resolution https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/optional/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden Trying other mirror. To address this issue please refer to the below knowledge base article https://access.redhat.com/solutions/69319 If above article doesn't help to resolve this issue please open a ticket with Red Hat Support. https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - ForbiddenTrying other mirror. Dependencies Resolved =============================================================================== Package Arch Version Repository Size =============================================================================== Installing: globalprotect x86_64 5.2.6-9 /GlobalProtect_rpm-5.2.6.0-9 26 M Transaction Summary===============================================================================Install 1 Package Total size: 26 M Installed size: 26 M Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Start installing gp... Installing : globalprotect-5.2.6-9.x86_64 1/1 Enable gp service... Starting gp service... Starting gpa... Verifying : globalprotect-5.2.6-9.x86_64 1/1 https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/c76c2299-12f3-4f9c-b7bd-03bacee2c363: [Errno 14] HTTPS Error 403 - ForbiddenTrying other mirror. Installed: globalprotect.x86_64 0:5.2.6-9 Complete!
The GlobalProtect app for Linux installs to the /opt/paloaltonetworks/globalprotect directory. After GlobalProtect first runs, the app also creates a GlobalProtect user folder $HOME/.globalprotect to save user registry configuration and other CLI related settings. - ( Optional) Change CLI modes. You can run commands in either command-line or prompt mode. Command-line mode requires you to specify the full GlobalProtect command. Prompt mode requires you to specify only the command (without the app name) and displays more detailed output than command-line mode.
- To switch to prompt mode, enter
globalprotect without any arguments.
user@linuxhost:~$ globalprotect >>
- To exit prompt mode, enter quit.
>> quit user@linuxhost:~$
- To switch to prompt mode, enter
globalprotect without any arguments.
- View the help for GlobalProtect app for Linux.Prompt mode:
>> help Usage: only the following commands are supported: collect-log -- collect log information connect -- connect to server disconnect -- disconnect disable -- disable connection import-certificate -- import client certificate file quit -- quit from prompt mode rediscover-network -- network rediscovery remove-user -- clear credential resubmit-hip -- resubmit hip information set-log -- set debug level show -- show information
Command-line mode:user@linuxhost:~$ globalprotect help Usage: only the following commands are supported: collect-log -- collect log information connect -- connect to server disconnect -- disconnect disable -- disable connection import-certificate -- import client certificate file quit -- quit from prompt mode rediscover-network -- network rediscovery remove-user -- clear credential resubmit-hip -- resubmit hip information set-log -- set debug level show -- show information
- Use the CLI version of the GlobalProtect app for Linux.