Installation and Information Gathering

Complete the following steps to download and install the required software on a Linux-based system.

Installation of Software Components

Install the required software from Prerequisites by running the following commands:

  • Debian-based:

    sudo apt-get install python3-pip certbot openssl
    sudo pip3 install pan-python

  • RedHat-based:

    sudo yum install python3-pip certbot openssl
    sudo pip3 install pan-python

Palo Alto Information Gathering

Generate an API key and locate the required profiles within Palo Alto GlobalProtect configurations.

API Key Generation

To generate an API key for your firewall, run the following command.

panxapi.py -h PAN_MGMT_IP_OR_FQDN -l USERNAME:'PASSWORD' -k
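
Passing USERNAME:'PASSWORD' on the command line leaves the password in the shell history and the process list. As an added example (not part of the original guide or of pan-python itself), the script below prompts for the password instead, requests the key through pan-python's PanXapi.keygen(), and stores it in a .panrc file created with mode 0600. The tag name gp and the helper function names are assumptions chosen for illustration.

```python
import getpass
import os
import stat


def write_panrc(path, hostname, api_key, tag="gp"):
    """Create a .panrc holding hostname and api_key under a tag, mode 0600."""
    body = f"hostname%{tag}={hostname}\napi_key%{tag}={api_key}\n"
    # O_EXCL refuses to reuse an existing file, so a file that was created
    # earlier with looser permissions is never silently written to.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)


def panrc_is_private(path):
    """Return True if the file grants no access to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def generate_key(hostname, username):
    """Prompt for the password (never on argv) and request an API key."""
    import pan.xapi  # provided by the pan-python package installed earlier

    password = getpass.getpass(f"Password for {username}@{hostname}: ")
    xapi = pan.xapi.PanXapi(
        hostname=hostname, api_username=username, api_password=password
    )
    xapi.keygen()  # stores the generated key in xapi.api_key
    return xapi.api_key


if __name__ == "__main__":
    host = input("Firewall management IP or FQDN: ")
    user = input("Username: ")
    target = os.path.expanduser("~/.panrc")
    write_panrc(target, host, generate_key(host, user))
    print(f"Key stored in {target}; private: {panrc_is_private(target)}")
```

With the file in place, panxapi.py -t gp reads the hostname and key from .panrc, so neither the password nor the key appears in later command lines.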

Palo Alto GlobalProtect Configuration Gathering

Locate the TLS/SSL Service Profile, which links the certificates used by GlobalProtect components. GlobalProtect consists of two significant components, GlobalProtect Portal and GlobalProtect Gateway:

  • GlobalProtect Portal provides management functions. Endpoints receive their configuration from the portal.

  • GlobalProtect Gateway provides the VPN connection.

To configure GlobalProtect:

  1. Once logged into the Palo Alto firewall management web interface, navigate to Network > GlobalProtect > Portals and select the portal name to view configurations.

  2. Select Authentication, then select SSL/TLS Service Profile in the Server Authentication section.

  3. In the firewall management web interface, navigate to Network > GlobalProtect > Gateways and select the portal name to view configurations.

  4. Select Authentication, then select SSL/TLS Service Profile in the Server Authentication section.

  5. In this guide, GP_SSLProfile is used as the SSL/TLS Service Profile for both components. The next step is to identify the certificate that is being used by the profile. Navigate to Device > Certificate Management > SSL/TLS Service Profile and select the profile used by GlobalProtect.

  6. To view details of the current certificate, navigate to Device > Certificate Management > Certificates and select the active certificate from SSL/TLS Service Profile.
