Thursday, December 29, 2022

GlobalProtect client tips

We are going through some GlobalProtect VPN deployments, and the same issues always come up about the server certificate.


1: Ideally, you want the certificate signed by a public CA or by your internal CA that is already trusted

2: On Android, to install the certificate you need a file with an extension that ends in <name>.crt. The extensions .Cert or .cert will not work

3: On Ubuntu, download the latest client and install it with dpkg.

e.g.

sudo dpkg -i ./GlobalProtect_deb-6.0.4.1-28.deb


4: On Android it's sometimes best to use an altName and ip.address value, since it's harder to trust private certificates or the DNS name check will mess you up.


5: If you have a rooted phone you can use adb to get /etc/systems/hosts, modify the file, and push it back to the device


6: Always check logs and the CLI for successful connections



7: If you need multiple gateways, best practice is to use a loopback interface and set up multiple addresses with different gateways


e.g


loop0 IP 1.1.1.1 = gateway1

loop0 IP 1.1.1.2 = gateway2

loop0 IP 1.1.1.3 = gateway3

Doing this will let you craft different auth-profiles, gateways, pools, rules, etc.


8: Lastly, if remote authentication is required, do not forget any service routes if you are not using the mgmt-interface for the auth access
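
For tips 2 and 4, here is an added example (not from the original post) that uses openssl to build a throwaway internal CA, sign a gateway certificate carrying both a DNS and an IP altName, and run the same name/IP match a client performs. The gateway name, IP address, CA name and file names are constructed placeholders; the output files use the .crt extension Android expects.

```shell
#!/bin/sh
# Added example. All values below are constructed placeholders.
GW_DNS="vpn.example.com"   # hypothetical gateway DNS name
GW_IP="192.0.2.10"         # hypothetical gateway address (documentation range)

# make_gateway_cert DIR
# Creates DIR/ca.crt (internal CA) and DIR/gw.crt (gateway cert signed by it).
make_gateway_cert() {
    dir="$1"

    # 1. Throwaway internal CA: private key plus self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # 2. Gateway private key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$GW_DNS" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null || return 1

    # 3. The altName values go into an extension file so the CA adds
    #    them when signing: one DNS entry and one IP entry.
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$GW_DNS" "$GW_IP" > "$dir/san.ext"

    # 4. Sign the request with the CA; the result is written as .crt.
    openssl x509 -req -in "$dir/gw.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$dir/san.ext" \
        -out "$dir/gw.crt" 2>/dev/null || return 1
}

# cert_matches FILE ip|host VALUE
# Succeeds only if the certificate is valid for that IP address or host name,
# i.e. the check that fails when a client connects by IP without an IP altName.
cert_matches() {
    openssl x509 -in "$1" -noout "-check$2" "$3" 2>&1 |
        grep -q 'does match certificate'
}
```

Run `make_gateway_cert /some/dir`, then `cert_matches /some/dir/gw.crt ip 192.0.2.10` before importing the gateway certificate on the firewall and ca.crt on the Android device.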








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

         o

      /      \