GlobalProtect
Download and Install the GlobalProtect App for Linux
GlobalProtect offers two methods to install the GlobalProtect app
on your Linux device: a GUI-based installation version and a CLI
version. If you use a supported Linux operating system that supports
a graphical interface, you can install the GUI version of the
GlobalProtect app; otherwise, download and install the CLI version
of the GlobalProtect app.
Download and Install the GUI Version of GlobalProtect for Linux
If your Linux device supports a graphical
user interface, complete these steps to install the GUI version
of GlobalProtect for Linux.
The GlobalProtect Linux UI agent is supported on GNOME with
X11 on compatible Linux platforms.
- Download the GlobalProtect app for Linux.
  - Log in to the Customer Support Portal. After you enter your username and password credentials, you are authenticated and logged in to the support site.
  - Select Updates > Software Updates.
  - Filter by GlobalProtect Agent for Linux, and download the associated TGZ file.
  - Extract the files from the package.
    You will see multiple installation packages for supported operating system versions: DEB for Debian and Ubuntu, and RPM for CentOS and Red Hat. The package for the GUI version is denoted by a GlobalProtect_UI prefix.
- (Optional) If your Linux endpoint must use a manual proxy server configuration, configure the proxy settings.
  The GlobalProtect app for Linux supports only a basic proxy server configuration; it does not support Proxy Auto-Configuration (PAC) files or proxy authentication.
  The GlobalProtect app for Linux obtains the proxy settings from the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables in the /etc/environment file. If you later change the system proxy configuration, verify that the terminal from which GlobalProtect runs uses the proxy environment variables. If you do not see the new settings, log out and back in for the new settings to take effect.
  If you have configured the HTTP_PROXY variable or the HTTPS_PROXY variable, make sure that the GlobalProtect portal matches the settings configured for the NO_PROXY variable.
  - To set your proxy on your Linux endpoint, edit the HTTP_PROXY environment variable or HTTPS_PROXY environment variable (for example, HTTPS_PROXY="https://yourproxy.local:8080").
  - To configure the IP addresses or domain names that you want to exclude from the proxy, edit the NO_PROXY environment variable (for example, NO_PROXY="www.gpqa.com"). Use commas to separate multiple IP addresses or domain names. Starting with GlobalProtect app 5.1.6, you can use the wildcard character (*) for IP addresses or domain names (for example, NO_PROXY="*.domain.com").
- Install the GUI version of the GlobalProtect app for Linux.
  To install the GlobalProtect app UI distribution package, use the ./gp_install.sh command:

      $ ./gp_install.sh --help
      Usage: $ sudo ./gp_install [--cli-only | --arm | --help]
        --cli-only: CLI Only
        --arm: ARM
        no options: UI

  Starting from GlobalProtect Linux version 6.2.1, you must use the following commands to install the CLI or GUI versions of the app:
  - To install the GlobalProtect UI package:

        $ ./gp_install.sh

  - To install the GlobalProtect CLI package:

        $ ./gp_install.sh --cli-only

  You don't need to run ./gp_install.sh with sudo for GlobalProtect app Linux 6.2.1 and later versions. As the script executes, users will be prompted to enter the sudo password.
  The script checks the Linux distribution and version in your environment to identify and install the packages required. After installation completes, the GlobalProtect app automatically launches.
- Log out of the Linux operating system or the SSH session, depending on the installation method you used, and log back in.
  When you log out, package updates are applied and you are able to see the GlobalProtect icon (as well as any other relevant updates) when you log back in. This step is required to ensure that any new package updates during install are applied to the GlobalProtect app.
  If you do not see the GlobalProtect icon in the tray after logging in, follow one of the steps below:
  - Type the globalprotect launch-ui CLI command in a terminal window.
  - Search for globalprotect in the application list and pin it to your dashboard.
- Specify your portal address and enter your credentials when prompted to begin the connection process.
- (Optional) To import a certificate, complete the following steps.
  When you want to pre-deploy a client certificate to an endpoint for certificate-based authentication, you can copy the certificate to the endpoint and import it for use by the GlobalProtect app. Use the globalprotect import-certificate --location <location> command to import the certificate on the endpoint. When prompted, you must supply the certificate password.

      user@linuxhost:~$ globalprotect import-certificate --location /home/mydir/Downloads/cert_client_cert.p12
      Please input passcode:
      Import certificate is successful.
Download and Install the CLI Version of GlobalProtect for Linux
If your Linux device does not support a GUI, install the GlobalProtect app for Linux by completing these steps. The GlobalProtect app for Linux supports the DEB, RPM, and TAR installation packages.
- Download the GlobalProtect app for Linux.
  - Obtain the app package from your IT administrator and then copy the TGZ file to the Linux endpoint.
    For example, if you downloaded the package to a macOS endpoint, you can open a terminal and then copy the file:

        macUser@mac:~$ scp ~/Downloads/PanGPLinux-6.0.0.tgz linuxUser@linuxHost:<DestinationFolder>

    where <DestinationFolder> is a location such as ~/pkgs/ where you want to store the TGZ file.
  - From the Linux endpoint, unzip the package.

        user@linuxhost:~$ tar -xvf ~/pkgs/PanGPLinux-6.0.0.tgz

    After you unzip the package, you will see installation packages (DEB for Ubuntu and RPM for CentOS and Red Hat) and the scripts to install and uninstall the packages.
- (Optional) If your Linux endpoint must use a manual proxy server configuration, configure the proxy settings.
  The GlobalProtect app for Linux supports only a basic proxy server configuration; it does not support Proxy Auto-Configuration (PAC) files or proxy authentication.
  The GlobalProtect app for Linux obtains the proxy settings from the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables in the /etc/environment file. If you later change the system proxy configuration, verify that the terminal from which GlobalProtect runs uses the proxy environment variables. If you do not see the new settings, log out and back in for the new settings to take effect.
  If you have configured the HTTP_PROXY variable or the HTTPS_PROXY variable, make sure that the GlobalProtect portal matches the settings configured for the NO_PROXY variable.
  - To set your proxy on your Linux endpoint, edit the HTTP_PROXY environment variable or HTTPS_PROXY environment variable (for example, HTTPS_PROXY="https://yourproxy.local:8080").
  - To configure the IP addresses or domain names that you want to exclude from the proxy, edit the NO_PROXY environment variable (for example, NO_PROXY="www.gpqa.com"). Use commas to separate multiple IP addresses or domain names. Starting with GlobalProtect app 5.1.6, you can use the wildcard character (*) for IP addresses or domain names (for example, NO_PROXY="*.domain.com").
- Install the app package using the CLI Only command:

      $ ./gp_install.sh --help
      Usage: $ sudo ./gp_install [--cli-only | --arm | --help]
        --cli-only: CLI Only
        --arm: ARM
        no options: UI

  Starting from GlobalProtect Linux version 6.2.1, you must use the following commands to install the CLI or GUI versions of the app:
  - To install the GlobalProtect UI package:

        $ ./gp_install.sh

  - To install the GlobalProtect CLI package:

        $ ./gp_install.sh --cli-only

  You don't need to run ./gp_install.sh with sudo for GlobalProtect app Linux 6.2.1 and later versions. As the script executes, users will be prompted to enter the sudo password.
- (Optional) Change CLI modes.
  You can run commands in either command-line or prompt mode. Command-line mode requires you to specify the full GlobalProtect command. Prompt mode requires you to specify only the command (without the app name) and displays more detailed output than command-line mode.
  - To switch to prompt mode, enter globalprotect without any arguments.

        user@linuxhost:~$ globalprotect
        >>

  - To exit prompt mode, enter quit.

        >> quit
        user@linuxhost:~$

- View the help for GlobalProtect app for Linux.
  Prompt mode:

      >> help
      Usage: only the following commands are supported:
        collect-log -- collect log information
        connect -- connect to server
        disconnect -- disconnect
        disable -- disable connection
        import-certificate -- import client certificate file
        quit -- quit from prompt mode
        rediscover-network -- network rediscovery
        remove-user -- clear credential
        resubmit-hip -- resubmit hip information
        set-log -- set debug level
        show -- show information

  Command-line mode:

      user@linuxhost:~$ globalprotect help
      Usage: only the following commands are supported:
        collect-log -- collect log information
        connect -- connect to server
        disconnect -- disconnect
        disable -- disable connection
        import-certificate -- import client certificate file
        quit -- quit from prompt mode
        rediscover-network -- network rediscovery
        remove-user -- clear credential
        resubmit-hip -- resubmit hip information
        set-log -- set debug level
        show -- show information
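The proxy requirements stated in both the GUI and CLI procedures above can be checked before installation. The following is an added example, not Palo Alto Networks code: the function names are hypothetical, it assumes that a portal "matches" NO_PROXY when an entry equals its hostname or covers it with the * wildcard (simple glob matching), and it flags proxy URLs that embed credentials because proxy authentication is not supported.

```sh
#!/bin/sh
# Added example: audit the proxy settings in an /etc/environment-style file.

# Print NAME's last value from FILE with surrounding quotes removed.
env_value() {  # usage: env_value FILE NAME
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Succeed if HOST equals an entry of the comma-separated LIST or is matched
# by an entry using the '*' wildcard. Assumption: plain glob-style matching.
no_proxy_matches() (  # usage: no_proxy_matches HOST LIST
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  IFS=,
  set -f  # stop '*' in entries from expanding to file names
  for entry in $2; do
    entry=$(printf '%s' "$entry" | tr -d ' ' | tr 'A-Z' 'a-z')
    [ -n "$entry" ] || continue
    case $host in $entry) exit 0 ;; esac
  done
  exit 1
)

# Succeed if a proxy URL embeds userinfo (user:password@host).
proxy_has_credentials() {
  case $1 in *@*) return 0 ;; *) return 1 ;; esac
}

# Print findings for PORTAL against FILE; non-zero status if any were found.
# Proxy URLs are never echoed, so an embedded password stays out of logs.
check_gp_proxy() (  # usage: check_gp_proxy FILE PORTAL
  findings=0
  http=$(env_value "$1" HTTP_PROXY)
  https=$(env_value "$1" HTTPS_PROXY)
  if [ -z "$http$https" ]; then echo "OK: no proxy configured"; exit 0; fi
  for url in "$http" "$https"; do
    if proxy_has_credentials "$url"; then
      echo "FINDING: proxy URL embeds credentials (proxy authentication is unsupported)"
      findings=$((findings + 1))
    fi
  done
  no_proxy=$(env_value "$1" NO_PROXY)
  if ! no_proxy_matches "$2" "$no_proxy"; then
    echo "FINDING: portal $2 is not covered by NO_PROXY='$no_proxy'"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
)

if [ "$#" -eq 2 ]; then check_gp_proxy "$1" "$2"; fi
```

Run it as `sh check_gp_proxy.sh /etc/environment <portal-hostname>`; the script file name is a placeholder, and a non-zero exit status means at least one finding was printed.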
Install the CLI Version of GlobalProtect for Linux for RPM Based Distros
Starting with GlobalProtect app 6.2.6 and later versions, the CLI-only agent for RPM distros supports direct installation and management of the GlobalProtect app using a native package manager such as yum, rpm, or dnf. You can also customize the installation path to specify a non-default location, and you can install the app in arbitrary directories when using rpm as the package manager with the --prefix parameter. Even if the GlobalProtect app is installed in a non-default location, the troubleshooting logs are stored in the /home/<user>/.Globalprotect directory.
- Obtain the GlobalProtect package from your IT administrator and then copy the TGZ file to the Linux endpoint. The package should have the following name: PanGPLinux-6.2.6-c6.tgz
- From the Linux endpoint, unzip the package. After you unzip the package, you will see the RPM installation package for the CLI-only agent with the following name: GlobalProtect_focal_rpm-6.2.6.1-286.rpm
- Install the app package using the CLI Only command:

      sudo rpm -ivh --prefix=/path/tobeinstalled/ 'name of GP rpm'

  - Installation path should be owned by root.
  - Home directory should be owned by the user installing the agent.
  For example:

      sudo mkdir /install-path/
      sudo rpm -ivh --prefix=/opt/PAN/GP/ GlobalProtect_focal_rpm-6.2.6.1-286.rpm
      Verifying... ################################# [100%]
      Preparing... ################################# [100%]
      Start installing gp...
      Updating / installing...
      GlobalProtect_focal_rpm-6.2.6.1-286################################# [100%]
      Enable gp service...

- Uninstall GlobalProtect App from the Linux Endpoints
  - Get the GlobalProtect package name by using the command:

        rpm -qa | grep GlobalProtect

  - Then, use the following command:

        sudo rpm -e <the name of GlobalProtect rpm package>

    where the name of the GlobalProtect rpm package is the one you obtained from the first command (rpm -qa | grep GlobalProtect).
- (Optional) Use the CLI version of the GlobalProtect app for Linux to connect and use the app.
Install the CLI Version of GlobalProtect for Linux for Debian Based Distros
Starting with GlobalProtect app 6.2.6 and later versions, the CLI-only agent for Debian distros supports direct installation and management of the GlobalProtect app using a native package manager such as dpkg. You can also customize the installation path to specify a non-default location, and you can install the app in arbitrary directories with the steps shown below. Even if the GlobalProtect app is installed in a non-default location, the troubleshooting logs are stored in the /home/<user>/.Globalprotect directory.
- Obtain the GlobalProtect package from your IT administrator and then copy the TGZ file to the Linux endpoint. The package should have the following name: PanGPLinux-6.2.6-c6.tgz
- From the Linux endpoint, unzip the package. After you unzip the package, you will see the Debian (DEB) installation package for the CLI-only agent with the following name: GlobalProtect_deb-6.2.6.1-293.deb
- Install the app manually to a non-default location using the commands below:
  - Create the installation directory with sudo mkdir -p /path/install/to, for example /opt/PAN/GP.
  - To extract the Debian package, use:

        sudo dpkg-deb -R GlobalProtect_focal_deb.deb /opt/PAN/GP

  - Go to /opt/PAN/GP/DEBIAN and run the preinst script with the new installation path, for example:

        sudo ./preinst install /opt/PAN/GP

  - Go to /opt/PAN/GP/DEBIAN and use:

        sudo ./postinst configure

    Run the postinst script to replace the default path in all the scripts and config files and enable all required services.
- Uninstall GlobalProtect App from the Linux Endpoints
  To uninstall GlobalProtect for Linux on Debian based distros (CLI-only agent), navigate to /opt/PAN/GP/DEBIAN, and run:
  - sudo ./prerm remove
  - sudo ./postrm remove
- (Optional) Use the CLI version of the GlobalProtect app for Linux to connect and use the app.