Palo Alto Remote Access VPN for Android

For a basic remote access VPN connection to a Palo Alto Networks firewall (called “GlobalProtect”), the built-in VPN feature from Android can be used instead of the GlobalProtect app from Palo Alto itself. If the additional features such as HIP profiling are not needed, this variant fits perfectly.

I am showing a few screenshots and logs from the Android smartphone as well as from the Palo Alto to show the differences.

This post is very similar to the post about the iPhone. I am running a PA-200 with PAN-OS version 7.0.3. The phone is a Samsung Galaxy S4 Mini with Android version 4.4.2.

The GlobalProtect app from Palo Alto works without any problems if a correct Portal and Gateway are already configured. In order to use the native “IPSec Xauth PSK” on Android, the “X-Auth Support” must be enabled on the GlobalProtect Gateway, such as shown here in my post about the Linux vpnc client.

GlobalProtect App vs. Native VPN

The following Android screenshots show the configuration steps for the native IPsec VPN tunnel. The “IPSec Xauth PSK” type must be chosen:

Just for a comparison: The GlobalProtect app looks like that:

Palo Alto Logs

It is interesting to see the differences in the Palo Alto logs, i.e., the GlobalProtect Previous User, System Log and Traffic Log. Here are the differences:

That’s it. 😉

2 thoughts on “Palo Alto Remote Access VPN for Android

  1. I have our cluster set-up for GP clients on Laptops authenticating with their machine certificate pushed out when they joined the domain. Is it possible to run the gateway to accept GP Client Laptops and phones as shown above ?

    I cannot afford to screw around on a live system so any advice very very welcome.

Leave a Reply

Your email address will not be published. Required fields are marked *