GlobalProtect Linux VPN Client Installation

Linux users should download and install the GlobalProtect VPN client.  The client can be downloaded from the ITC software downloads site here.  The client is supported for CentOS, Red Hat Enterprise Linux, and Ubuntu.  You will have to install either the downloaded .deb or .rpm file with your package manager.  An example of installing the .deb file on Ubuntu is to run:

         sudo dpkg -i ~/Downloads/GlobalProtect_deb-

You also need to enroll in Duo before your are able to authenticate to the VPN.  If you have not yet enrolled in Duo, you may do so here.  While you are on that page, you also need to set a default second factor for authentication.  To do so, click on the link for My Settings & Devices.

Once you have the client installed, connect by running the command:

globalprotect connect -p

You may be prompted to install the server certificate on your client the first time that you connect.  Press 'y' to proceed.  You will then be prompted for your username and password.  After entering your username and password, your default Duo action will be taken, but there will be no prompt telling you that this is happening.  After the Duo authentication completes, you will be connected.

user@linuxhost:~$ globalprotect connect --portal
Retrieving configuration...                                            
There is a problem with the security certificate, so the identity of cannot be verified. Please contact the Help Desk for your organization to have the issue rectified.
Warning: The communication with may have been compromised. We recommend that you do not continue with this connection.
Error details:Do you want to continue(y/n)?y
Retrieving configuration...                                            
Disconnected - portal:local:Enter login credentials
Retrieving configuration...                                            
Discovering network...
With this first authentication, your credentials are cached locally and so on subsequent connections you will not see a prompt for a username or password.  Instead, in the background your default Duo action will be taken, but you won't have any notice that this is happening.  You will have to be ready to confirm a Duo push, answer a phone call, or respond to whatever your default Duo action may be.  After you have responded to the Duo action you will be connected.

If you are running Linux and want the split-tunnelled version that only sends traffic to and over the tunnel, the portal to use is

To disconnect, run 'globalprotect disconnect'.

If you are not running Ubuntu, CentOS or RHEL, you may be able to work around this issue.  Create the file /etc/lsb-release with the contents:


Next restart gpd.service (e.g. 'sudo systemctl restart gpd.service').  You should now be able to connect.


See Related Articles to the right for more information.
20% helpful - 5 reviews


Article ID: 72415
Thu 2/21/19 3:20 PM
Mon 1/4/21 4:30 PM