Install GlobalProtect for IoT on Raspbian

To install GlobalProtect for IoT on Raspbian devices, complete the following steps.

GlobalProtect for IoT for Raspbian and Ubuntu supports an Arm-based architecture only.

1. From the Support Site, select and download the GlobalProtect package for your OS.

2. Install the GlobalProtect app for IoT.

From the IoT device, use the

sudo dpkg -i GlobalProtect_deb_arm

<version>

.deb

command to install the software.

sudo dpkg -i GlobalProtect_deb_arm-5.1.0.0-84.deb

To later uninstall the software, use the

sudo dpkg -P globalprotect

command.

3. Configure the VPN settings you want to predeploy for Raspbian IoT devices.

1. In the

client-cert

path, import the certificate in pcks12 format and save the file with a .pfx extension (for example,

pan_client_cert.pfx

).

2. In the

client-cert-passphrase

path, save the passcode file with .dat extension (for example,

pan_client_cert_passcode.dat
 )

3. In the

log-path-service

path, if you are not using the default path for PanGPS (for example,

/opt/paloaltonetworks/globalprotect

), make sure that the

log-setting

path folder has the same privilege as the globalprotect folder under

opt/paloaltonetworks

4. Create the

/opt/paloaltonetworks/globalprotect/pangps.xml

pre-deployment configuration file in the following format and edit the IP address of the GlobalProtect portal, and authentication settings, either: username and
password, or client certificate path (

client-cert-path

) and pass-phrase file (

client-cert-passphrase

). You can also specify an optional folder in which to store GlobalProtect service (

log-path-service

) and agent (

log-path-agent

) logs.
<?xml version="1.0" encoding="UTF-8"?>

<GlobalProtect>
<PanSetup>
<Portal>192.168.1.160</Portal> //pre-deployed portal address
</PanSetup>
<PanGPS>
</PanGPS>
<Settings>
 <portal-timeout>5</portal-timeout>
<connect-timeout>5</connect-timeout>
<receive-timeout>30</receive-timeout>
<os-type>IoT</os-type> //pre-deployed OS type for IoT. If this tag does not present, GP will automatic detect the OS type.
<head-less>yes</head-less> //pre-deployed head-less mode
<username>abc</username> //optional pre-deployed username
<password>xyz</password> //optional pre-deployed password
<client-cert-path>cli_cert_path</client-cert-path> //optional pre-deployed client certificate file(p12) path
<client-cert-passphrase>cli_cert_passphrase_path< /client-cert-passphrase> //optional pre-deployed client certificate passphrase file path
<log-path-service>/tmp/gps</log-path-service> //optional pre-deployed log folder for PanGPS
<log-path-agent>/tmp/gpa</log-path-agent> //optional pre-deployed log folder for PanGPA and globalprotect CLI
</Settings>
</GlobalProtect>

4. Restart the GlobalProtect process for the pre-deployment configuration to take effect.

5. After you deploy the IoT device, you can collect logs as needed using the

globalprotect collect-log

command.
user@raspbianhost:~/Desktop/data$ globalprotect collect-log
The support file is saved to /home/gptest/.GlobalProtect/GlobalProtectLogs.tgz

6. (
Optional

) If the authentication method is a is combination of username/password and client certificate authentication, make sure that the

CommonName

of the client certificate matches the username.