I just spent 3 hours on a Zoom with a colleague trying to figure out what issues our Linux users were facing when running GlobalProtect.
To install the CLI-only version, you must first download the files, then untar/detar/whatever it…
tar -xvf ~/PATH/TO/PACKAGE.tgz
Then you run the installer script:
./gp_install --cli-only
Woo hoo! It’s installed!
Kinda, there’s a few things missing.
- For SAML auth we need it to use the default browser
- We need to point it to our portal
- Reboot
- We need to tell our default browser how to handle globalprotectcallback: URLs… BECAUSE PALO ALTO DOESN’T DO THIS FOR YOU!
Default Browser
In the document /opt/paloaltonetworks/globalprotect/pangs.xml, add the following line in the <settings> section…
<default-browser>yes</default-browser>
Point to your Portal
In the document /opt/paloaltonetworks/globalprotect/pangs.xml, add the following line in the <PanSetup> section…
<Portal>your.fully.qualified.domain</Portal>
Save the document and exit.
Reboot
You don’t need me to tell you how to do that… reboot your computer.
globalprotectcallback: URLs
Create the file /usr/share/applications/gp.desktop with the following contents:
[Desktop Entry]
Name=GlobalProtect
Exec=/usr/bin/globalprotect defaultbrowser %u
Type=Application
NoDisplay=true
MimeType=x-scheme-handler/globalprotectcallback;
Save that file and run the command:
sudo update-desktop-database
This file is created automatically when you install the GUI version of GlobalProtect, but is not installed with the --cli-only flag enabled.
Connect to GlobalProtect
globalprotect connect
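To confirm the manual steps above took effect before the first SAML login, the checks below read the two files this post edits. This is an added example, not part of the original post or anything shipped by Palo Alto; the function names and the --run switch are made up here, and the paths are the ones used above.

```bash
#!/usr/bin/env bash
# Added example: post-install checks for the manual steps in this post.
# Function names and the --run switch are made up for this example.
PANGS=/opt/paloaltonetworks/globalprotect/pangs.xml
DESKTOP=/usr/share/applications/gp.desktop
SCHEME=x-scheme-handler/globalprotectcallback

# pangs.xml must enable the default browser and name a portal.
check_pangs() {
    rc=0
    grep -q '<default-browser>yes</default-browser>' "$1" ||
        { echo "$1: <default-browser>yes</default-browser> not set"; rc=1; }
    grep -Eq '<Portal>[^<[:space:]]+</Portal>' "$1" ||
        { echo "$1: <Portal> missing or empty"; rc=1; }
    return $rc
}

# The handler must claim the scheme and pass the URL (%u) to a binary named
# by absolute path, so the callback never resolves through $PATH.
check_handler() {
    rc=0
    grep -Eq "^MimeType=(.*;)?${SCHEME}(;|\$)" "$1" ||
        { echo "$1: does not register $SCHEME"; rc=1; }
    exec_line=$(grep -m1 '^Exec=' "$1" || true)
    case "${exec_line#Exec=}" in
        /*' '*%u*) ;;
        *) echo "$1: Exec needs an absolute path and %u, got '${exec_line}'"; rc=1 ;;
    esac
    return $rc
}

# Anyone who can edit these files can change what the callback launches.
check_perms() {
    [ -e "$1" ] || { echo "$1: not found"; return 1; }
    if [ -n "$(find "$1" -maxdepth 0 -perm /022)" ]; then
        echo "$1: writable by group or others"; return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    status=0
    check_pangs "$PANGS" || status=1
    check_handler "$DESKTOP" || status=1
    check_perms "$PANGS" || status=1
    check_perms "$DESKTOP" || status=1
    # After update-desktop-database this should name gp.desktop.
    echo "handler: $(xdg-mime query default "$SCHEME")"
    exit $status
fi
```

Run it with --run on a machine where the steps above have been completed; a non-zero exit status means at least one check failed.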