Palo Alto Networks GlobalProtect
This VPN connection type is supported on iOS and Android devices.
Use the following guidelines to configure the Palo Alto Networks GlobalProtect VPN connection type.
Proxy - None (default)
Use the following guidelines to configure a Palo Alto Networks GlobalProtect VPN without a proxy.
Item |
Description |
Name |
Enter a short phrase that identifies this VPN setting. |
Description |
Provide a description that clarifies the purpose of these settings. |
Channel |
For macOS only. Select one of the following distribution options:
• Device channel - the configuration is effective for all users on a device. This is the typical option.
• User channel - the configuration is effective only for the currently registered user on a device. |
Connection Type |
Select Palo Alto Networks GlobalProtect. |
Server |
Enter the IP address, hostname, or URL for the VPN server. |
Proxy |
None is the default setting. To configure a Manual or Automatic proxy, go to Proxy - Manual or Proxy - Automatic. |
Username |
Specify the user name to use (required). The default value is $USERID$. Include at least one of the following variables: $USERID$, $EMAIL$, $SAM_ACCOUNT_NAME$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$.
You can use combinations such as the following:
• $USERID$:$EMAIL$
• $USERID$_$EMAIL$
Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant username. |
User Authentication |
Select the user authentication to use:
• Password - see next row for information.
• Certificate - If you select Certificate, select the identity certificate to be used as the account credential. If you select Certificate, and extended authentication (EAP) is not used, this certificate will be sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS. |
Password |
Specify the password to use (required). The default value is $PASSWORD$. Include at least one of the following variables: $USERID$, $EMAIL$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$.
You can use combinations such as $EMAIL$:$PASSWORD$.
Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant password. |
VPN On Demand |
The Palo Alto Networks GlobalProtect field displays. On Demand rules are associated with an array of dictionaries that define the network match criteria identifying a particular network location. VPN On Demand matches the dictionaries in the On Demand Rules against properties of your current network connection to determine whether domain-based rules should be used when deciding whether to connect, then handles the connection as follows:
• If domain-based matching is enabled for a matching On Demand Rule dictionary, then for each dictionary in that dictionary’s connection evaluation array, VPN On Demand compares the requested domain against the domains listed in the Domains array.
• If domain-based matching is not enabled, the specified behavior (Connect, Disconnect, Allow, or Ignore) is used if the dictionary otherwise matches.
VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network.
For instructions, see Palo Alto Networks GlobalProtect. |
Per-App VPN |
|
If Per-App VPN is set to Yes, define whether the per-app VPN service will tunnel traffic at the application layer (app-proxy) or the IP layer (packet-tunnel). Select app-proxy (default) or packet-tunnel. |
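The rule evaluation described in the VPN On Demand row, as an added example that is not part of the original documentation: a simplified Python model in which the first dictionary whose criteria match the current network decides the behavior. Key names follow Apple's VPN On Demand profile format, which this page does not show; the first-match ordering, the rule set, the network values and the two sentinel results are assumptions of the model.

```python
# Added example: simplified model of VPN On Demand rule evaluation.
# Key names follow Apple's VPN On Demand profile format (an assumption; this
# page does not show the generated profile). RULES is constructed sample data.
from fnmatch import fnmatchcase

ALL_MATCH_KEYS = {"InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch",
                  "DNSServerAddressMatch", "URLStringProbe"}
NO_DOMAIN_MATCH = "NoDomainMatch"  # sentinel of this model, not a profile value
NO_RULE_MATCH = "NoRuleMatched"    # sentinel of this model, not a profile value

RULES = [
    {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": ["CorpNet"]},
    {"Action": "EvaluateConnection", "InterfaceTypeMatch": "WiFi",
     "ActionParameters": [{"Domains": ["*.corp.example.com"],
                           "DomainAction": "ConnectIfNeeded"}]},
    {"Action": "Connect", "InterfaceTypeMatch": "Cellular"},
    {"Action": "Ignore"},  # no criteria: catch-all, must stay last
]

def rule_matches(rule, net):
    """True when every criterion this model implements fits the network."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != net["interface"]:
        return False
    if "SSIDMatch" in rule and net.get("ssid") not in rule["SSIDMatch"]:
        return False
    return True

def decide(rules, net, requested_domain=""):
    """Return the behavior of the first rule whose criteria match the network."""
    for rule in rules:
        if not rule_matches(rule, net):
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        # Domain-based matching: compare the requested domain to each Domains array.
        host = requested_domain.lower()
        for params in rule.get("ActionParameters", []):
            if any(fnmatchcase(host, d.lower()) for d in params["Domains"]):
                return params["DomainAction"]
        return NO_DOMAIN_MATCH
    return NO_RULE_MATCH

def unreachable(rules):
    """Indexes of rules shadowed by an earlier rule that has no match criteria."""
    for i, rule in enumerate(rules):
        if ALL_MATCH_KEYS.isdisjoint(rule):
            return list(range(i + 1, len(rules)))
    return []
```

A catch-all rule placed ahead of more specific ones makes them unreachable, which `unreachable()` reports by index before the profile is pushed to devices.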
Proxy - Manual
If you select Manual, you must specify the proxy server, port number, and proxy domain information.
Item |
Description |
Enter the name for the proxy server. |
|
Enter the port number for the proxy server. Type - Select Static or Variable for the type of authentication to be used for the proxy server. |
|
Proxy Server User Name |
If the authentication type is Static, enter the username for the proxy server. If the authentication type is Variable, the default variable selected is $USERID$. |
Proxy Server Password |
If the authentication type is Static, enter the password for the proxy server. Confirm the password in the field below. If the authentication type is Variable, the default variable selected is $PASSWORD$. |
Username |
Specify the user name to use (required). The default value is $USERID$. Include at least one of the following variables: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $NULL$.
You can use combinations such as the following:
• $USERID$:$EMAIL$
• $USERID$_$EMAIL$
Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant username. |
User Authentication |
Select the user authentication to use:
• Password - see next row for information.
• Certificate - If you select Certificate, select the identity certificate to be used as the account credential. If you select Certificate, and extended authentication (EAP) is not used, this certificate will be sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS. |
Password |
Specify the password to use (required). The default value is $PASSWORD$. Include at least one of the following variables: $USERID$, $EMAIL$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$.
You can use combinations such as $EMAIL$:$PASSWORD$.
Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant password. |
VPN On Demand |
|
Per-App VPN |
|
Provider Type |
|
Proxy - Automatic
If you selected an Automatic proxy, you must specify the proxy server URL and proxy domain(s).
Item |
Description |
Enter the URL for the proxy server. Enter the URL of the location of the proxy auto-configuration file. |
|
Username |
Specify the user name to use (required). The default value is $USERID$. Include at least one of the following variables: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $NULL$.
You can use combinations such as the following:
• $USERID$:$EMAIL$
• $USERID$_$EMAIL$
Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant username. |
User Authentication |
Select the user authentication to use:
• Password - see next row for information.
• Certificate - If you select Certificate, select the identity certificate to be used as the account credential. If you select Certificate, and extended authentication (EAP) is not used, this certificate will be sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS. |
Password |
Specify the password to use (required). The default value is $PASSWORD$. Include at least one of the following variables: $USERID$, $EMAIL$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$.
You can use combinations such as $EMAIL$:$PASSWORD$.
Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant password. |
VPN On Demand |
|
Per-App VPN |
|
|