
Deploy GlobalProtect (Palo Alto) VPN to macOS using Intune


On the last week’s post for Cisco AnyConnect VPN on macOS, I had a request for publishing a similar guide for deploying Palo Alto’s VPN on corporate macOS devices. So on the request of Mieszko Ślusarczyk, this article will help you as an exhaustive guide for installing and configuring GlobalProtect VPN on your macOS devices.


GlobalProtect VPN

GlobalProtect is Palo Alto Networks’ VPN solution, which delivers the capabilities of their Security Operating Platform to remote workers and mobile devices. It provides excellent protection for network connections and in-depth visibility into who is accessing an organization’s network. GlobalProtect establishes a secure SSL or IPsec VPN connection between users and the network.

The GlobalProtect app software runs on endpoints and enables access to your network resources through the GlobalProtect portals and gateways you have deployed. The GlobalProtect app for Windows and macOS endpoints is deployed from the GlobalProtect portal. You can configure the app’s behaviour—for example, which tabs the users can see—in the client configuration(s) you define on the portal. See Define the GlobalProtect Agent Configurations, Customize the GlobalProtect App, and Deploy the GlobalProtect App Software for details.

https://docs.paloaltonetworks.com/
Illustration to show how the GlobalProtect portals, gateways, and apps work together to enable secure access for all your users, regardless of what endpoints they are using or where they are located.

Licenses

You don’t require GlobalProtect licenses if you only wish to use GlobalProtect to offer a secure remote access or virtual private network (VPN) solution via one or more internal/external gateways. However, you need to buy an annual GlobalProtect Gateway license to access more sophisticated services (such as HIP checks and related content updates, support for the GlobalProtect mobile app, or IPv6 compatibility). This license needs to be set up on each firewall that controls a gateway that:

For GlobalProtect Clientless VPN, you must also install a GlobalProtect Gateway license on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the GlobalProtect Clientless VPN dynamic updates to use this feature.

For detailed info on licenses, you can refer to Palo Alto Licenses.


Download and Install the GlobalProtect App

You must download and install the GlobalProtect app on your macOS endpoint before you can join the GlobalProtect network. You should always download the app directly from a GlobalProtect portal within your organization. Because of this, you will not find any direct download link for the GP app on the Palo Alto Networks website.

To download the installer, ask your administrator for the IP address or FQDN of the GlobalProtect site. Your administrator should also confirm the username and password you can use to log into the portal and gateways. You usually connect to your company network using the same username and password.

Follow the steps to download the app:

Log in with your admin credentials
Download the macOS package

Enable System Extensions

Apple has restricted support for kernel extensions on macOS 10.15.4 and later. This means you now have to use system extensions instead of kernel extensions. In addition to enabling system extensions, you must also enable network extensions to suppress the Network Extensions Configuration pop-up prompts that may occur for the Split Tunnel and Enforce GlobalProtect Connections for Network Access features.

Use the following steps to configure a profile to approve the system extensions automatically:

This is what the configuration profile should look like:
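A post-deployment check that an Intune custom script could run to confirm the profile did its job, added here as an example and not part of the original post: it parses the output of systemextensionsctl list (a constructed sample is embedded so it runs anywhere) and reports whether a GlobalProtect network extension is both activated and enabled.

```shell
#!/bin/bash
# Added example: confirm the GlobalProtect network system extension ended up
# "activated enabled" (what the approval profile should achieve). The listing
# below is a constructed sample in the layout of `systemextensionsctl list`;
# team IDs and versions are placeholders.
SAMPLE_SYSEXT_LIST='2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * TEAMIDAAAA com.paloaltonetworks.GlobalProtect.client.extension (0.0.0/1) GlobalProtect [activated enabled]
    TEAMIDBBBB com.example.other.extension (1.0/1) Other [activated waiting for user]'

# gp_extension_state LISTING: print the bracketed state of the first
# GlobalProtect entry in the network_extension section; returns 1 if none.
gp_extension_state() {
    printf '%s\n' "$1" | awk '
        /^--- / { insec = ($0 ~ /network_extension/); next }
        insec && /GlobalProtect/ && match($0, /\[[^]]*]$/) {
            print substr($0, RSTART + 1, RLENGTH - 2); found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# gp_extension_ok LISTING: 0 only when the extension is activated and enabled.
gp_extension_ok() {
    local state
    state=$(gp_extension_state "$1") || return 1
    [ "$state" = "activated enabled" ]
}

# Stand-alone: pass --live on a Mac to check the real system, else the sample.
if [ "${1:-}" = "--live" ] && command -v systemextensionsctl >/dev/null 2>&1; then
    listing=$(systemextensionsctl list)
else
    listing=$SAMPLE_SYSEXT_LIST
fi
if gp_extension_ok "$listing"; then
    echo "GlobalProtect system extension: activated and enabled"
else
    echo "GlobalProtect system extension: NOT fully enabled (state: $(gp_extension_state "$listing" || echo none))"
fi
```

A state such as "activated waiting for user" means the extension loaded but was never approved, which is exactly the prompt the profile is meant to suppress.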


Pre-populate GlobalProtect App Settings

We will use a script that pre-populates GlobalProtect app settings, such as the default portal address and connection method.

#!/bin/bash
## Description: Checks for the global preferences file and populates
## it with the default portal if needed.
## Body ###########################################################
## Declare Variables ##############################################

# Get current console user (not used by the logic below; kept for extension)
active_user=$( stat -f "%Su" /dev/console )

# Global prefs file
gPrefs=/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist

## Logic ##########################################################

# Check to see if the global preference file already exists...
if [[ -e $gPrefs ]]; then
echo "Default global portal already exists. Skipping."
else
echo "Setting default global portal to: your.portal.here.com"
# If it does not already exist, create it and populate the default portal using the echo command
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict>
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>your.portal.here.com</string>
                <key>Prelogon</key>
                <string>0</string>
            </dict>
            <key>Settings</key>
            <dict>
                <key>connect-method</key>
                <string>on-demand</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>' > "$gPrefs"
echo $?
# Kill the preference caching daemon to prevent it from overwriting any changes
killall cfprefsd
echo $?
fi
# Check exit code.
exit $?
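The script above skips the write whenever the file already exists, so a device provisioned with an old portal is never corrected. The variant below is added here as an example and is not part of the original post: it reads the Portal currently stored in the plist and rewrites the file only when it differs from the desired one; portal names are placeholders and the demo targets a temporary file so it runs on any system.

```shell
#!/bin/bash
# Added example: idempotent pre-populate; rewrite only if the stored Portal differs.
# gp_prefs_xml PORTAL CONNECT_METHOD: emit the settings plist for the values.
gp_prefs_xml() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Palo Alto Networks</key>
  <dict>
    <key>GlobalProtect</key>
    <dict>
      <key>PanSetup</key>
      <dict>
        <key>Portal</key>
        <string>$1</string>
        <key>Prelogon</key>
        <string>0</string>
      </dict>
      <key>Settings</key>
      <dict>
        <key>connect-method</key>
        <string>$2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
EOF
}

# gp_current_portal FILE: print the Portal stored in an XML plist, if any.
gp_current_portal() {
    [ -f "$1" ] || return 1
    tr -d '\n' < "$1" | sed -n 's/.*<key>Portal<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# gp_ensure_prefs FILE PORTAL CONNECT_METHOD: prints "updated" or "unchanged".
gp_ensure_prefs() {
    local file="$1" portal="$2" method="$3" current
    current=$(gp_current_portal "$file" 2>/dev/null || true)
    [ "$current" = "$portal" ] && { echo "unchanged"; return 0; }
    gp_prefs_xml "$portal" "$method" > "$file" || return 1
    echo "updated"
}

# Demo on a temp file (on a Mac target the real plist and run `killall cfprefsd`).
demo_file=$(mktemp); gp_ensure_prefs "$demo_file" vpn.example.com on-demand
gp_ensure_prefs "$demo_file" vpn.example.com on-demand; rm -f "$demo_file"
```

On a managed Mac, point gp_ensure_prefs at /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist and keep the killall cfprefsd step from the original script after an update.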


Enable 2FA for Remote Access VPN

To access a GlobalProtect portal or gateway configured this way, the end user must successfully authenticate through both an authentication profile and a certificate profile, which together work as two-factor authentication. This means that certificates must be pre-deployed on the endpoints before their initial portal connection for portal authentication. A user’s client certificate must also match the requirements specified in the certificate profile.

You have the below available options to configure 2FA for remote access VPN:

You must have a conversation with the team managing VPN solutions in your organization to choose and configure the best option.

However, since you are deploying the GlobalProtect VPN solution to your company’s macOS devices, I would say that the best and easiest method for enabling 2FA will be to use certificates and authentication profiles.


Deploy Global Protect Package


End User Experience

Please note that installing GlobalProtect requires an automated logout and restart of your Mac.

If you have multiple profiles/gateways, you might see a list/dropdown to select the profile. Select the correct profile and click connect.

And it’s connected!

Winding Up

I hope you find this post helpful and that configuring and deploying the GlobalProtect VPN client to your managed macOS devices is now much easier.

Please leave feedback and comments below if you liked it.

