University of Southampton

iSolutions

How to set up the Virtual Private Network (VPN) via GlobalProtect

The University provides a Virtual Private Network (VPN) service for you to connect and login to the University network from off-campus locations or on-campus from personal laptops. If possible, set up the VPN on you computer while you are on campus.

When you need to use this service

Use this service when:

  • You are working away from campus
  • You need to access University IT systems and services
  • You would like access to Library resources (such as databases and journals)
  • You need access to your University Personal filestore (My Documents) and shared filestores

Instructions are below and you will need the following information:

  • Address: globalprotect.soton.ac.uk
  • Your University username
  • Your University password
To check that you have been successful in connecting to VPN, go to the page Am I on VPN?

Note that the VPN service is provided for use with University staff and student accounts, and it may not be used with generic accounts (that is, group, departmental or club accounts). Alumni will not be able to connect to VPN.

Back to the top

How to install the VPN on your device

Windows

The current version of GlobalProtect requires Windows 8.1 or later

  1. Connect to https://globalprotect.soton.ac.uk
  2. Log in using your University account
  3. Select the "Download Windows 64 bit GlobalProtect agent"
  4. The installer will download. When complete, launch the installer and follow the wizard through the installation process.
  5. Once installed a globe shaped icon will appear in the Notification area.
  6. Click on the globe icon and enter the portal address 'globalprotect.soton.ac.uk'.
  7. Click ‘Connect’. Enter user credentials when prompted.
  8. You will now be connected to the University’s VPN service.
  9. To disconnect, press ‘Disconnect’. The GlobalProtect icon will always appear in the Notification area, regardless of the status of the connection.

Back to the top

macOS

  1. Log in to https://globalprotect.soton.ac.uk using your University account.
  2. Select the appropriate version of the agent, relevant to your OS.
  3. The installer will download. When complete, launch the installer and follow the wizard through the installation process.
  4. Once installed a globe shaped icon will appear in the top menu bar.
  5. Click on the globe icon and enter the portal address 'globalprotect.soton.ac.uk'.
  6. Click ‘Connect’. Enter user credentials when prompted.
  7. You will now be connected to the University’s VPN service.
  8. To disconnect, press ‘Disconnect’. The GlobalProtect icon will always appear in the Notification area, regardless of the status of the connection.

Please Note:

You may have to allow the GlobalProtect application to connect with the university system. In order to do this select the following:

  • Apple Menu -> System Preferences -> Security and Privacy -> Select General
  • Ensure that the option to allow Palo Alto Networks is set to Allow.

Once completed, click the lock icon to make the changes.

Back to the top

Google Android

  1. In the Google Play Store, search for and install the GlobalProtect app, published by Palo Alto Networks.
  2. When installed, select ‘Open’ and enter the portal information as ‘globalprotect.soton.ac.uk’.
  3. Press ‘Connect’ and enter your University credentials. You will now be connected to the University’s VPN service. An icon resembling a key will appear in the top bar.
  4. To disconnect, press ‘Disconnect’ at the bottom of the screen.

Back to the top

Apple IOS

  1. In the Apple App Store, search for and install the GlobalProtect app, published by Palo Alto Networks.
  2. When installed, open the app and enter the portal information as ‘globalprotect.soton.ac.uk
  3. Press ‘Connect’ and enter your University credentials. You will now be connected to the University’s VPN service. A ‘VPN’ icon will appear in the top bar.
  4. To disconnect, press ‘Disconnect’ at the bottom of the screen.

Back to the top

Linux

For Linux you will need visit the Software Center and:

  1. Select "Linux" in the right hand menu.
  2. Select GlobalProtect.
  3. Click on the Linux version and then download it.

Installation

  1. Download/copy the .tgz file to the Linux system.
  2. In a terminal, enter: cd /path/to/file where /path/to/file is the directory containing the .tgz file you downloaded.
  3. Next, unzip the package using: tar zxvf PanGPLinux-5.3.1.0-36.tar.gz (the files will be extracted to the current directory)
  4. After you unzip the package, you will see:
    1. 9 installation packages,
    2. a .deb for Debian-based systems (including Ubuntu, and Linux Mint),
    3. a .rpm for Red Hat-based systems (including RHEL, Fedora, and CentOS),
    4. ARM versions for devices such as the Raspberry PI
    5. a .tgz package for manual installation.

      There are now also GUI versions of GlobalProtect that look and behave just like their Windows and Mac counterparts, the packages can be identified with “_UI_” present in the package name.

      For Debian-based distributions (including Ubuntu and Linux Mint), install the package using either:

      sudo apt-get install GlobalProtect_deb-5.3.1.0-36.deb
      sudo apt-get install GlobalProtect_UI_deb-5.3.1.0-36.deb

      For Red Hat-based distributions (including RHEL, Fedora, and CentOS), install the package using either:

      1. sudo yum install GlobalProtect_rpm-5.3.1.0-36.rpm
      2. sudo yum install GlobalProtect_UI_rpm-5.3.1.0-36.rpm

Please note: with the latest version of GlobalProtect, there no longer exists the "finalise" script that needed to be ran followed by a reboot.

How to Use Global Protect

  1. The GlobalProtect application installs to the /opt/paloaltonetworks/globalprotect directory.
    After GlobalProtect first runs, it creates a GlobalProtect user folder in $HOME/.globalprotect to save user registry configuration and other CLI related settings.
  2. Once installed, enter the following command in a terminal to connect to the service for the first time:
    globalprotect connect -p globalprotect.soton.ac.uk -u <username>
    (replacing <username> with your iSolutions username)
  3. For subsequent connections, the application will remember the address and username, so you can simply enter the following in a terminal: globalprotect connect
  4. To disconnect from the service, enter the following in a terminal: globalprotect disconnect.

Use the CLI Version of the GlobalProtect App for Linux

Using the command-line interface (CLI) of the GlobalProtect™ app for Linux, you can perform tasks that are common to the GlobalProtect app. The following examples display the output in command-line mode. To run the same command in prompt-mode, enter it without the globalprotect prefix (for more information, see "Download and Install the GlobalProtect App for Linux").

Connect to a GlobalProtect portal

Use the globalprotect connect –portal <gp-portal> command where <gp-portal> is the IP address or FQDN of your GlobalProtect portal. 

For example:

user@linuxhost:~$
globalprotect connect --portal myportal.example.com (please note: the University Portal is globalprotect.soton.ac.uk)

Retrieving configuration...
Disconnected
myportal.example.com - portal:local:Enter login credentials username:user1
Password:
Retrieving configuration... Discovering network...
Connecting...
Connected

When you use certificate-based authentication, the first time you connect without a root CA certificate, the GlobalProtect app and GlobalProtect portal exchange certificates. The GlobalProtect app displays a certificate error, which you must acknowledge before you authenticate. When you next connect, you will not be prompted with the certificate error message.

user@linuxhost:~$
globalprotect connect --portal myportal.example.com
Retrieving configuration...
Disconnected

There is a problem with the security certificate, so the identity of 10.3.188.61 cannot be verified. Please contact the Help Desk for your organization to have the issue rectified.
Warning: The communication with 10.3.188.61 may have been compromised. We recommend that you do not continue with this connection.
Error details:Do you want to continue(y/n)?
y

Retrieving configuration...
Disconnected

10.3.188.61 - portal:local:Enter login credentials username:
user1

Password:
Retrieving configuration...
Discovering network...

Connecting...
Connected

You can also specify a username in the command using the –username <username> option. The GlobalProtect app prompts you to authenticate and, if you specified the username option, confirm your username.

Import a certificate

When you want to pre-deploy a client certificate to an endpoint for certificate-based authentication, you can copy the certificate to the endpoint and import it for use by the GlobalProtect app. Use the globalprotect import-certificate --location <location> command to import the certificate on the endpoint. When prompted you must supply the certificate password.

user@linuxhost:~$ globalprotect import-certificate --location
/home/mydir/Downloads/cert_client_cert.p12

Please input passcode:
Import certificate is successful.

Connect to a gateway

(Optional) Display the manual gateways to which you can connect using the globalprotect show --manual-gateway command.

Connect to a gateway using the globalprotect connect –gateway <gp-gateway> command where <gp-gateway> is the IP address or FQDN of the GlobalProtect gateway.

View details about your connection using the globalprotect show --details command.

user@linuxhost:~$ globalprotect show --manual-gateway

Name Address
gw1 192.168.1.180
gw2 192.168.1.181


user@linuxhost:~$ globalprotect connect --gateway 192.168.1.180

Retrieving configuration...
Discovering network...
Connecting...
Connected
 
Verify the status of and view details about your GlobalProtect connection

Use the globalprotect show --status command to verify the status of your connection.

user@linuxhost:~$
globalprotect show --status

GlobalProtect status: Connected
user@linuxhost:~$
globalprotect show --details

Assigned IP address: 192.168.1.132
Gateway IP address: 192.168.1.180
Protocol: IPSec

Uptime(sec): 231

Rediscover the network

Use the globalprotect rediscover-network command to disconnect and reconnect from GlobalProtect.

user@linuxhost:~$ globalprotect rediscover-network

Disconnecting...
Retrieving configuration...
Retrieving configuration...
Discovering network...

Connecting...
Connecting...
Connected

GlobalProtect status: Connected

Clear the credentials for the current user

Use the globalprotect remove-user command to clear the credentials used to authenticate with the portal and gateways. After you confirm that the GlobalProtect app should clear your credentials, the GlobalProtect app disconnects the tunnel and then requires you to enter your credentials the next time you connect.

user@linuxhost:~$ globalprotect remove-user

Credential will be cleared and current tunnel will be terminated.
Do you want to continue(y/n)? y

Clear is done successfully.
 
user@linuxhost:~$ globalprotect connect --portal 192.168.1.179
Retrieving configuration...

Disconnected
192.168.1.179 - portal:local:Enter login credentials
username: user1

Password:
Retrieving configuration...
Discovering network...

Connecting...
Connected

Resubmit host information to the gateway

Use the globalprotect show --host-state command to view the current host information about your endpoint.

Use the globalprotect resubmit-hip command to resubmit information about the endpoint to the gateway. This is useful in cases where HIP-based security policy prevents users from accessing resources because it allows the user to fix the compliance issue on the endpoint and then resubmit the HIP.


user@linuxhost:~$ globalprotect show --host-state

generate-time: 09/28/2017 11:24:07
categories host-info
client-version: 4.1.0
os: Linux Ubuntu 16.04.3 LTS
os-vendor: Linux
domain:
host-name: linuxhost
host-id: 4C4C4544-0034-4D10-804C-************

network-interface
enp0s31f6

description: enp0s31f6
mac-address: D4:81:D7:D4:5A:A5 wlp2s0
description: wlp2s0
mac-address: 14:AB:C5:DE:D1:0E

user@linuxhost:~$ globalprotect resubmit-hip

Resubmit is successful.

View any GlobalProtect notifications

Use the globalprotect show –notification command to view notifications.

View the GlobalProtect system tray icon

Use the globalprotect launch-ui command to display the system tray icon on your desktop. You can launch the GlobalProtect app by clicking the system tray icon.

View the Welcome page

Use the globalprotect show --welcome-page command. The GlobalProtect app displays the Welcome page in a browser if a Welcome page exists or displays a notification if the Welcome page does not exist.


View errors

Use the globalprotect show –error command to view errors reported by the app.

user@linuxhost:~$ globalprotect show --error

Error: Cannot connect to GlobalProtect Portal


Collect logs

The app stores the PanGPA and PanGPI log files in the /home/<user>/.Globalprotect directory. Use the globalprotect collect-logs command to enable the GlobalProtect app for Linux to package these logs and other useful information. You can then use the logs to troubleshoot issues or forward them to a Support engineer for expert analysis.


user@linuxhost:~$ globalprotect collect-log
Start collecting...

collecting network info...
collecting machine info...
copying files...

generating final result file...
The support file is saved to /home/user/.GlobalProtect/Collect.tgz


Display the version of the GlobalProtect app for Linux

user@linuxhost:~$ globalprotect show --version

GlobalProtect: 4.1.0-23

Copyright(c) 2009-2017 Palo Alto Networks, Inc.


Uninstall GlobalProtect

Ubuntu:

  • sudo dpkg -P globalprotect
    or
  • sudo apt-get remove globalprotect
    •  Redhat/CentOS:
    • sudo yum remove GlobalProtect_deb-X.X.X.X-X.deb

 

Using OpenConnect as an Alternative Solution

If the GlobalProtect client is unavailable or unreliable for your Linux distribution, you can try using OpenConnect.

To connect to the university VPN (Virtual Private Network) you will need at least v8.00 of openconnect (released Jan 2019, with support for the GlobalProtect protocol ).

Then, in a terminal, run the following as root (replace USERNAME with your university login): 
sudo openconnect --protocol=gp globalprotect.soton.ac.uk -u USERNAME --csd-wrapper=/usr/lib/ openconnect/hipreport.sh

Where the location of the hipreport.sh may vary depending on your distribution.


Troubleshooting for Ubuntu

systemctl show gpd.service | fgrep Environment

which should output:

Environment=SSL_CERT_DIR=/usr/lib/ssl/certs

If that's fine, then maybe try:

  1. ls -l /usr/lib/ssl/certs/ | fgrep -i quo
  2. …And ensure that the user gets a bunch of QuoVadis_Root_CA* .pem files that are symlinks to other things, and a bunch of <hex-number>.0 files that also symlink to these QuoVadis_Root_CA* files.

 

Ubuntu – GlobalProtect Errors When Installing

Symptom(s)

After you extract the files from the package (PanGPLinux-5.2.5-c46.tgz), you will install the package in Ubuntu or Kali (Debian) Linux with the following command, but you get an error as below:

  • sudo apt-get install ./GlobalProtect_deb-5.2.5.0-46.deb
    analysisman@ubuntu:~$ sudo apt-get install ./GlobalProtect_deb-5.2.5.0-46.deb
    Reading package lists... Error!
  • E: read, still have 59 to read but none left
  • E: Error reading archive member header
  • E: Could not read meta data from ./GlobalProtect_deb-5.2.5.0-46.deb
  • E: The package lists or status file could not be parsed or opened.

    or

  • analysisman@ubuntu:~/pkgs$ sudo apt-get install GlobalProtect_UI_deb-6.0.0.1-44.deb
  • Reading package lists... Done
  • Building dependency tree       
  • Reading state information... Done
  • E: Unable to locate package GlobalProtect_UI_deb-6.0.0.1-44.deb
  • E: Couldn't find any package by glob 'GlobalProtect_UI_deb-6.0.0.1-44.deb'
  • E: Couldn't find any package by regex 'GlobalProtect_UI_deb-6.0.0.1-44.deb'

Resolution

Use the following dpkg command instead of apt-get install:

sudo dpkg -i ./GlobalProtect_deb-5.2.5.0-46.deb

Please note: replace the version name of GlobalProtect with the correct one (if applicable) and remember the naming convention for the GUI version.

See https://www.makeuseof.com/apt-vs-dpkg/ for details of apt vs dpkg.

 

Was this article helpful?

If you have any further comments, please put them below.

Please note that feedback is anonymous - if you require a reply or assistance, please raise a ticket via ServiceLine.


Thank you for your feedback, it is much appreciated.

Tweet This Article

Back to List

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×