The Fire Drill That Made Me Rethink Everything
Three months of deployment. Hundreds of angry users. An IT team ready to quit.
That was the mess I walked into last week. Their GlobalProtect VPN was “configured properly” — certificates, portal, gateway, all the boxes checked. But users either couldn’t connect, or connected and couldn’t access anything.
I’ve been fighting this beast for five years. Here’s what the official docs won’t tell you.
Authentication: Don’t Put All Your Eggs in One Basket
Certificate vs SAML vs LDAP
Palo Alto says: “As a best practice, use a certificate signed by a public CA.” That’s true, but it’s only half the story.
Look at this config:
```
# Portal settings
set shared portal GlobalProtect-Portal authentication authentication-profile GP-Auth
set shared portal GlobalProtect-Portal authentication authentication-profile GP-Auth allow-list enable yes
# Auth profile - certificate only
set shared authentication-profile GP-Auth method certificate
```
See the problem? Certificate-only. When a user’s cert expires — and it will — they’re locked out. No fallback.
My approach: dual-factor authentication. Certificate as the first layer, SAML as the second. If the cert fails, SAML still works.
The Auth Timeout Trap
Default timeout is 30 seconds. Your IdP (especially Azure AD) occasionally takes 35. Users stare at “Connecting…” then get an error.
```
# Bump the timeout
set shared portal GlobalProtect-Portal agent auth-timeout 60
```
Set it to 60 seconds. Problem solved.
Split Tunnel: The Heresy That Works
Reddit user nailed it: “Pan doesn’t recommend split tunnel, but i do when your users use their private devices.”
Full tunnel is the official recommendation. Every packet goes through the VPN. Secure? Yes. User experience? Garbage.
People on personal devices want to watch Netflix without routing through your corporate network. They’ll hate you if you force it.
Here’s my config:
```
# Tunnel settings - corporate traffic only
set shared gateway GlobalProtect-Gateway tunnel split-tunnel include-domains "*.corp.company.com"
set shared gateway GlobalProtect-Gateway tunnel split-tunnel include-domains "10.0.0.0/8"
set shared gateway GlobalProtect-Gateway tunnel split-tunnel exclude-domains "0.0.0.0/0"
```
Key rule: be precise with your include list. Don’t lazy-code 0.0.0.0/0 then exclude — that’s full tunnel with extra steps.
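To make the "full tunnel with extra steps" point concrete, here is an added example (not PAN-OS code, and not from the original post) that evaluates destination addresses against an include/exclude route list. It assumes the client picks the most specific matching route and that an exclude wins a tie; it models CIDR access routes only, not the domain-based rules.

```python
import ipaddress
from typing import Dict, Iterable, List

# Added example, not PAN-OS code. Assumed client semantics: the most specific
# (longest-prefix) include or exclude route wins; on a tie the exclude wins;
# a destination matching nothing stays outside the tunnel.


def goes_through_tunnel(dst: str, include: Iterable[str], exclude: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(dst)
    best_len, in_tunnel = -1, False
    candidates = [(ipaddress.ip_network(n), True) for n in include]
    candidates += [(ipaddress.ip_network(n), False) for n in exclude]
    for net, tunnelled in candidates:
        if ip.version != net.version or ip not in net:
            continue
        # Longer prefix wins; an equal-length exclude beats an include.
        if net.prefixlen > best_len or (net.prefixlen == best_len and not tunnelled):
            best_len, in_tunnel = net.prefixlen, tunnelled
    return in_tunnel


# Constructed configs: the page's advice (precise include list) and the
# anti-pattern it warns about (include everything, then carve out exceptions).
PRECISE: Dict[str, List[str]] = {"include": ["10.0.0.0/8"], "exclude": []}
LAZY: Dict[str, List[str]] = {"include": ["0.0.0.0/0"], "exclude": ["203.0.113.0/24"]}


def tunnel_map(config: Dict[str, List[str]], destinations: Iterable[str]) -> Dict[str, bool]:
    """Map each destination to True (tunnelled) or False (sent direct) under a config."""
    return {d: goes_through_tunnel(d, config["include"], config["exclude"]) for d in destinations}


if __name__ == "__main__":
    sample = ["10.1.2.3", "203.0.113.5", "198.51.100.7"]  # constructed destinations
    for name, cfg in (("precise", PRECISE), ("lazy", LAZY)):
        print(name, tunnel_map(cfg, sample))
```

Under the lazy config, any destination you forgot to exclude (198.51.100.7 here) still rides the tunnel, which is exactly the full-tunnel behaviour the split was meant to avoid.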
HIP: Stop BYOD From Becoming BYOD (Bring Your Own Disaster)
HIP (Host Information Profile) is GlobalProtect’s most underrated feature.
I saw a client’s config that let anything connect — including a personal laptop running pirated Windows 7. Ransomware hit their internal network through that VPN user.
Here’s what a proper HIP config looks like:
```
# HIP object - must have antivirus
set shared hip-object Must-Have-AV criteria antivirus-product package-name "CrowdStrike Falcon"
set shared hip-object Must-Have-AV criteria antivirus-product package-name "Symantec Endpoint Protection"
set shared hip-object Must-Have-AV criteria antivirus-product package-version greater-equal "14.0"
# HIP profile - block non-compliant
set shared hip-profiles Block-No-AV match all
set shared hip-profiles Block-No-AV action deny
set shared hip-profiles Block-No-AV match hip-object Must-Have-AV
```
But don’t over-tighten. I’ve seen someone require an exact version number. User updated their AV, version bumped, and they got kicked offline.
Best practice: Use greater-equal for version checks, not equal.
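An added example (my own simplified model of HIP matching, not PAN-OS code) showing why greater-equal survives an AV update and equal does not. It also compares versions numerically, because a naive string comparison ranks "14.9" above "14.10"; the host reports below are constructed.

```python
from typing import Dict, List, Tuple

# Added example, not PAN-OS code. Simplified HIP model: an object lists the
# acceptable AV packages plus one version condition; a profile combines objects
# with match all / match any and allows the host only when it matches.


def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric compare: "14.10" must rank above "14.9" (string compare gets this wrong).
    return tuple(int(p) for p in v.split("."))


def version_matches(installed: str, op: str, required: str) -> bool:
    a, b = parse_version(installed), parse_version(required)
    return {"equal": a == b, "greater-equal": a >= b, "less-than": a < b}[op]


def hip_object_matches(obj: Dict, host: Dict) -> bool:
    """True if any installed AV product is an allowed package meeting the version rule."""
    op, required = obj["version"]
    for product in host.get("antivirus", []):
        if product["name"] in obj["packages"] and version_matches(product["version"], op, required):
            return True
    return False


def hip_profile_allows(profile: Dict, host: Dict) -> bool:
    results: List[bool] = [hip_object_matches(o, host) for o in profile["objects"]]
    return all(results) if profile["match"] == "all" else any(results)


AV_PACKAGES = {"CrowdStrike Falcon", "Symantec Endpoint Protection"}
# The page's object (greater-equal) beside the over-tightened variant (equal).
MUST_HAVE_AV_GE = {"packages": AV_PACKAGES, "version": ("greater-equal", "14.0")}
MUST_HAVE_AV_EQ = {"packages": AV_PACKAGES, "version": ("equal", "14.0")}
PROFILE_GE = {"match": "all", "objects": [MUST_HAVE_AV_GE]}
PROFILE_EQ = {"match": "all", "objects": [MUST_HAVE_AV_EQ]}

# Constructed host reports: one user whose AV just auto-updated, one with no AV.
UPDATED_HOST = {"antivirus": [{"name": "CrowdStrike Falcon", "version": "14.10"}]}
NO_AV_HOST = {"antivirus": []}

if __name__ == "__main__":
    print("greater-equal allows updated host:", hip_profile_allows(PROFILE_GE, UPDATED_HOST))
    print("equal allows updated host:", hip_profile_allows(PROFILE_EQ, UPDATED_HOST))
```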
Portal and Gateway: Same Interface? Yes, But…
Palo Alto’s docs say: “If you configure a gateway and portal on the same interface, we recommend that you…”
Honestly, for small deployments it’s fine. But when you scale up, you’ll see portal-gateway conflict errors in your logs.
Here’s my sizing guide:
| Scale | Setup | Why |
|---|---|---|
| < 500 users | Same interface | Simple, low maintenance |
| 500-2000 users | Separate interfaces | Avoid conflicts, easier debugging |
| > 2000 users | Multi-gateway cluster | Load balancing + HA |
Certificate Management: Public CA vs Internal CA
Another case where the docs and reality diverge.
Public CA certs: Expensive but painless. No extra root certs on user devices.
Internal CA certs: Free but you’re running a PKI. The killer: every user device needs your root CA installed or they can’t connect.
Biggest screw-up I’ve seen: internal CA root cert expired. All VPN users dropped simultaneously. My phone exploded with angry calls.
Now I use Let’s Encrypt. Free, auto-renewing, publicly trusted. Setup is straightforward:
```
# ACME auto-renewal config
set shared certificate-profile GlobalProtect-Cert profile-type acme
set shared certificate-profile GlobalProtect-Cert acme email admin@company.com
set shared certificate-profile GlobalProtect-Cert acme domain vpn.company.com
```
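Whichever CA you use, the expired-root outage above is avoidable with a check that watches every link of the chain, not just the leaf. This added example (not from the original post, not PAN-OS code) does that on a constructed chain; the notAfter strings use the format Python's ssl.SSLSocket.getpeercert() reports, so the same function works on a live chain you pull from the portal.

```python
import ssl
from datetime import datetime, timezone
from typing import List, Tuple

# Added example, not PAN-OS code. Checks every link of a portal certificate
# chain, root included, since an expired root drops every client at once.
# notAfter strings use the format ssl.SSLSocket.getpeercert() reports.

SAMPLE_CHAIN: List[Tuple[str, str]] = [  # constructed, not a real deployment
    ("vpn.company.com (leaf)", "Jan  1 00:00:00 2026 GMT"),
    ("Corp Issuing CA (intermediate)", "Jun  1 00:00:00 2027 GMT"),
    ("Corp Root CA (root)", "Sep  1 00:00:00 2025 GMT"),
]


def days_left(not_after: str, now: datetime) -> float:
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def chain_status(chain: List[Tuple[str, str]], today: str, warn_days: int = 30) -> Tuple[str, int, str]:
    """Return (name, days remaining, status) for the soonest-expiring certificate.

    today is an ISO date (YYYY-MM-DD), interpreted as midnight UTC.
    """
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
    name, not_after = min(chain, key=lambda c: days_left(c[1], now))
    remaining = days_left(not_after, now)
    status = "EXPIRED" if remaining < 0 else "WARN" if remaining < warn_days else "OK"
    return name, round(remaining), status


if __name__ == "__main__":
    print(chain_status(SAMPLE_CHAIN, datetime.now(timezone.utc).strftime("%Y-%m-%d")))
```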
The Stuff Nobody Warns You About
1. Connection Fails? Check DNS First
When a user says “it won’t connect”, 90% of the time it’s DNS. The client has to resolve the portal and gateway hostnames before anything else happens, so a resolution failure looks like a dead VPN.
```
# Check DNS
dig vpn.company.com
# Client logs (Windows)
%ProgramData%\PaloAltoNetworks\GlobalProtect\PanGPA\PanGPA.log
```
2. Change the Default Port
Port 443 is constantly scanned. Switch to something else and block 90% of automated attacks.
```
set shared gateway GlobalProtect-Gateway portal port 8443
```
3. Client Version Matters
Users running old GlobalProtect clients? Prepare for connection issues. Every new release fixes connectivity bugs.
```
# Force client updates
set shared portal GlobalProtect-Portal agent upgrade-check-interval 60
set shared portal GlobalProtect-Portal agent force-upgrade yes
```
Best Practices Cheat Sheet
| Config Item | Official Recommendation | My Recommendation | Why |
|---|---|---|---|
| Authentication | Single factor | Dual (cert + SAML) | Single point of failure |
| Tunnel mode | Full tunnel | Split tunnel (precise includes) | Better UX |
| Certificate | Public CA | Let’s Encrypt | Free + auto-renew |
| Portal/Gateway | Same interface | Separate (500+ users) | Avoid conflicts |
| HIP checks | Optional | Mandatory | Prevent BYOD disasters |
| Auth timeout | 30s | 60s | IdP latency buffer |
| Client updates | Manual | Force push | Fewer support tickets |
FAQ
How good is GlobalProtect VPN?
Depends entirely on your config. Done right, it’s rock solid. Done wrong, you’ll get complaints daily. Better than AnyConnect for Palo Alto shops, but the learning curve is steeper.
How to configure GlobalProtect VPN?
Three steps: Portal config (auth + client settings) → Gateway config (tunnel + security policies) → Certificate setup. Don’t skip steps — each one builds on the last.
Is GlobalProtect VPN SSL or IPSec?
Both. Default is SSL (TLS), but you can switch to IPSec. I recommend SSL — better compatibility, easier firewall traversal.
Why does GlobalProtect fail?
Most common causes: DNS resolution failure, untrusted certificates, auth timeout, outdated client. Check the logs before guessing.
Bottom line: The docs are a starting point, not the final word. Understand what each config line actually does. Your users will thank you.