For a basic remote access VPN connection to a Palo Alto Networks firewall (called “GlobalProtect”), the built-in VPN feature from Android can be used instead of the GlobalProtect app from Palo Alto itself. If the additional features such as HIP profiling are not needed, this variant fits perfectly.
I am showing a few screenshots and logs from the Android smartphone as well as from the Palo Alto to show the differences.
This post is very similar to the post about the iPhone. I am running a PA-200 with PAN-OS version 7.0.3. The phone is a Samsung Galaxy S4 Mini with Android version 4.4.2.
The GlobalProtect app from Palo Alto works without any problems if a correct Portal and Gateway are already configured. In order to use the native “IPSec Xauth PSK” on Android, the “X-Auth Support” must be enabled on the GlobalProtect Gateway, such as shown here in my post about the Linux vpnc client.
GlobalProtect App vs. Native VPN
The following Android screenshots show the configuration steps for the native IPsec VPN tunnel. The “IPSec Xauth PSK” type must be chosen:
Just for a comparison: The GlobalProtect app looks like that:
Palo Alto Logs
It is interesting to see the differences in the Palo Alto logs, i.e., the GlobalProtect Previous User, System Log and Traffic Log. Here are the differences:
That’s it. ;)
Featured image “android” by Simon Q is licensed under CC BY-NC-ND 2.0.
I have our cluster set-up for GP clients on Laptops authenticating with their machine certificate pushed out when they joined the domain. Is it possible to run the gateway to accept GP Client Laptops and phones as shown above ?
I cannot afford to screw around on a live system so any advice very very welcome.
Thanks for sharing this guide
Hello, thanks for the guide. I am able to connect and access my palo alto via vpn from my cellhpone (Andriod). However, I am unable to browse the internet.. I think that is a dns issue, but not sure how to fix it.. Any ideas?
Hi Ed.
I am sorry, but there are way too little information to have any ideas. ;) Please troubleshoot it by yourself. Try ping, try DNS, try HTTP. Have a look at the traffic logs on the Palo. Do you see any of those sessions? If yes, are they successful? What are the DNS settings on the Android? And so on…
Do you know if Android supports IPSec IKEv2 rather than XAuth? We can’t seem to configure this on our PaloAlto VM-100 running 7.1
Sorry Jeet, but I don’t know. Please use Google. ;)
(I am not sure what your asking though. Even if you use IKEv2 you must use XAuth for authenticating the user, don’t you?)
Do we still need GlobalProtect license in order to connect vpn from mobile devices? like this configuration?
Thanks!