Global Protect For Linux, need help

For some reason I’m stuck testing Global Protect App for Linux. I downloaded a brand new Xubuntu 24.04 image and installed it on VirtualBox only for this purpose. Following the link https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/where-can-i-install-the-globalprotect-app it’s stated that GP Linux App 6.2.0 would match my Xubuntu 24.04 image. Installed the deb package for the GUI version and opened it, connected to my VPN, everything looks OK except that the GUI disappears and I have to call GP again on the search bar so it shows up again.

The problem is I cannot browse any page on the web browser (Firefox and Chromium); it’s like the browser cannot resolve DNS, although I can access servers/firewalls/etc. using IPs instead of names on the browsers. The tunnel appears to be working fine. I opened a terminal to see if the problem is in fact name resolution, but on the terminal I CAN resolve names. Apparently only browsers are not able to resolve names. I checked /etc/resolv.conf and the correct internal DNSs are set there; the file is actually a link to /opt/paloaltonetworks/globalprotect/network/config/resolv.conf, which is expected I guess.

I also ran tcpdump to see if I could catch any DNS query attempt from the browser, but it looks like there’s no DNS query. For example, if I run “tcpdump -i gpd0 port 53” and right after I run “nslookup reddit.com” I can see the query. If I open https://reddit.com or any other domain from the browser I don’t see any query, not even if I change -i to the “physical” interface, because I suspected that the browser might be sending DNS queries somewhere else. I can even wget any page and it works fine, but the problem seems to be on the browser. Would anyone know how to solve it? I tried to manipulate other files like /run/systemd/resolve/stub-resolve.conf with no success. I need to use the GUI version. I know it’s more Linux related but wondering if I can find an answer here.

Edit: I’ve just run a new tcpdump option “tcpdump -eni any port 53” and found out that the browser DNS queries are being sent to and from loopback 127.0.0.1. Don’t know how to solve it yet.

Edit 2: figured out that Firefox uses 127.0.0.53 (systemd-resolved standard IP). When Palo Alto establishes the tunnel it changes to 127.0.0.1, which is not enabled. Setting DNSStubListener=yes and DNSStubListenerExtra=udp:127.0.0.1:53 in /etc/systemd/resolved.conf is a workaround.
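
A way to confirm the condition described in Edit 2, as an added example that is not part of the original post: the script checks whether anything is bound to UDP port 53 on each loopback address the clients are using. The function names are hypothetical and the `ss` listings are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example: which resolver addresses have no UDP/53 listener behind them?

# has_dns_listener ADDR SS_FILE
# Succeeds if SS_FILE (text as printed by `ss -H -lun`) shows a socket bound to
# ADDR:53 or to the IPv4 wildcard. Interface scopes such as "%lo" are ignored.
has_dns_listener() {
    awk -v want="$1:53" '
        {
            for (i = 1; i <= NF; i++) {
                addr = $i
                sub(/%[^:]*/, "", addr)      # 127.0.0.53%lo:53 -> 127.0.0.53:53
                if (addr == want || addr == "0.0.0.0:53") found = 1
            }
        }
        END { exit !found }' "$2"
}

# dead_resolvers SS_FILE ADDR...
# Prints every ADDR that nothing is listening on, one per line.
dead_resolvers() {
    ss_file=$1; shift
    for a in "$@"; do
        has_dns_listener "$a" "$ss_file" || echo "$a"
    done
}

# Constructed samples: default systemd-resolved stub only, then with the
# extra 127.0.0.1 listener from the workaround added.
SS_BEFORE=$(mktemp); SS_AFTER=$(mktemp)
cat > "$SS_BEFORE" <<'EOF'
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
EOF
cat > "$SS_AFTER" <<'EOF'
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
EOF

echo "before workaround, unanswered: $(dead_resolvers "$SS_BEFORE" 127.0.0.53 127.0.0.1)"
echo "after workaround, unanswered:  $(dead_resolvers "$SS_AFTER" 127.0.0.53 127.0.0.1)"
```

On a live host, save the output of `ss -H -lun` to a file and pass it in place of the sample files, together with the loopback addresses seen in the tcpdump capture.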

Watching with interest, as I couldn’t get it working on 24.4 either. I think 22.4 may work but haven’t had a moment to build a VM to try it.

I wonder if it’s trying to do DNS over TLS. I had several issues with that when I was setting up tests for Global Protect on Linux (though we’re using RHEL). Disabling that in the browsers fixed the issue for me, but this is on 6.1.x and I haven’t really tested since, as no one ended up using it.

Edit: Missed your edit, whoops.

Try the highest avail 5.X version of the Global Protect client for Linux. I went back and forth with odd quirks with v6 that I just haven’t experienced with v5.

If I’m not mistaken GP for Linux requires an additional license, might be that or like others have said the DNS over TLS settings in the browser.

Look at DoH (TCP 443), DoT (TCP 853), also check for QUIC UDP 443 and try blocking / disabling those in policy or browser config.

Don’t use the 6.1.4 Linux client, it’s buggy, and it messes with your DNS configuration.
Use 6.1.3, it is working on Ubuntu 24 for us.

I have the exact same problem with both 6.1.3 and 6.1.4 where the GUI on the application bar never opens so I have to search it in the apps to open it each time. 6.1.4 is way worse, it just broke my network and wifi kept reconnecting. I might just try testing the 5 version but I am not sure if it does HIP checks and SAML.

On Google Chrome it works! But on the terminal it’s still not working. Below is a known issue from GlobalProtect:

| Issue ID | Description |
|---|---|
| GPC-19499 | On Linux endpoints, the Firefox browser stops working when you try to connect the GlobalProtect app with the SAML default browser. |

I have followed your suggestions from the second edit, but I still can’t connect to my network. My corporate network requires version 6.2.6, which works on Windows, but not on Linux. I have also tried other third-party solutions, but the result is still the same, been stuck since my corporate should try to use **WINDOWS** :pensive_face: he said

6.1.5 is better for HIP (bug in 6.1.3) and wireless access (bug in 6.1.4).

Thanks. I’ve tried 6.1.3 and it’s showing the same behaviour. Are you sure you tested the GUI version?

Yes, tested with the GUI because we use Azure MFA. I only have one Linux user at the moment, and I did run multiple Linux installations on a laptop to understand that 6.1.4 was creating issues with the wifi.
Did make it work with Ubuntu 24.04.
As suggested, 6.1.5 should have corrected the bug.