Windows VPN options with Palo Alto (with and without the GlobalProtect app)?

We use GlobalProtect for Windows x64 v6.2.2 to connect our Windows 10 Enterprise clients to the Palo Alto Firewall and establish a VPN. I’m curious what other options we have available to us for connecting a VPN between our Windows 10 clients and our Palo Alto Firewall?

  1. Can we use Windows 10’s built-in VPN solution? If so, what would we choose when adding a VPN connection?
     • VPN Provider - all I have right now is Windows (built-in). Should there be a GlobalProtect option if we have GlobalProtect for Windows installed? Is Windows (built-in) the right option?
     • For VPN Type, I have Automatic, PPTP, L2TP/IPsec (cert), L2TP/IPsec (pre-shared key), SSTP, and IKEv2. Which one of these would we choose?
     • Type of Sign-in Info has username & password, smart card, one-time password, and cert. What are our options here?
  2. Are there other options built into Windows 10 besides the VPN settings?
  3. If we stay with our GlobalProtect app (and not the VPN settings in Windows), do we have options to connect the VPN before we log on to Windows? Currently, we’ve always connected the VPN after we log in to Windows. Is there still a “before logon” option?
     • Is ‘Connect Before Logon’ still available? It seems to be for us but doesn’t work. It just hangs while it attempts to log the user in.
     • Is ‘Pre-Logon’ still an option? How does that differ from ‘Connect Before Logon’?
     • Can either of the above be performed on the client side without having to first make changes on the Palo Alto side? Or do we have to decide which model we are supporting in advance?

In this context, any option other than using the GlobalProtect app would require more work than using the GlobalProtect app, with no additional benefit.

Windows VPN is honestly a best effort and does not cater to most firewall vendors.

You can use On-demand / User-logon / Pre-logon. The last one requires machine certificates to connect without user auth. Most people use the first or the second. User-logon uses SSO to get user credentials and connect to the VPN.

From what I see, doing User-logon would be best if you want to make the VPN connection as invisible as possible to the user.

Any of these require modification of the GlobalProtect App Profile on the Palo Alto firewall. But these features are enabled and available on literally any Palo Alto firewall, irrespective of model and licensing.

HTH

You can do straight up IPsec from clients to the Palo. I used to do this for Avaya VPN phones.
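As an added example (not code from this thread or from Palo Alto Networks), the following PowerShell shows what the "Windows (built-in)" provider from the question looks like when configured for the client-to-firewall IPsec the reply above describes: VPN type IKEv2, sign-in info "certificate" (a machine certificate), the IKEv2/IPsec proposal pinned to modern transforms, and a check that a usable client certificate exists before dialing. The connection name and gateway FQDN are assumptions. Whether the Palo Alto side accepts the tunnel depends on its IKE gateway and IPsec crypto profiles, which this thread does not cover; the proposal below is only useful if the firewall offers the same transforms.

```powershell
# Added example (not from this thread): create the Windows built-in VPN connection
# for IKEv2 with machine-certificate authentication, pin the IPsec proposal, and
# verify the prerequisites. Connection name and gateway FQDN are assumptions.
# Run in an elevated PowerShell session. -AllUserConnection writes the entry to
# the machine-wide phonebook so it exists before any user signs in.

$Name   = 'Corp-IKEv2'        # assumed connection name
$Server = 'vpn.example.com'   # assumed gateway FQDN; must match the gateway certificate's subject/SAN

# Remove any stale definition first so the script can be re-run safely.
if (Get-VpnConnection -AllUserConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -AllUserConnection -Name $Name -Force
}

# Maps to the GUI choices from the question:
#   VPN Provider = Windows (built-in), VPN Type = IKEv2, Sign-in info = Certificate
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -AllUserConnection `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -SplitTunneling:$false `
    -Force

# Pin the IKEv2 (phase 1) and ESP (phase 2) proposal. Windows' default proposal
# set still includes legacy transforms (3DES, SHA-1, DH group 2); force AES-256
# and SHA-256 with DH/PFS group 14. The firewall's IKE crypto and IPsec crypto
# profiles must offer the same set or the negotiation fails.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 `
    -Force

# Show what was created.
Get-VpnConnection -AllUserConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling

# IKEv2 machine-certificate auth needs a certificate in LocalMachine\My that has a
# private key, the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and is not expired.
$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') -and
    $_.NotAfter -gt (Get-Date)
}
if (-not $clientCerts) {
    Write-Warning 'No machine certificate with the Client Authentication EKU found; IKEv2 certificate auth will fail.'
}

# Dial with the built-in RAS dialer. rasdial sets a non-zero exit code on failure,
# which is the quickest way to see whether the gateway accepted the proposal.
rasdial $Name
if ($LASTEXITCODE -ne 0) {
    Write-Warning "rasdial failed with exit code $LASTEXITCODE; check the firewall's IKE/IPsec profiles and the client certificate."
}
```

Because the entry lives in the all-user phonebook and authenticates with a machine certificate, it can be dialed from a scheduled task or startup script without a user session, which is the closest the built-in client gets to the "before logon" behaviour the question asks about; it does not give you the SSO, HIP checks or portal-pushed configuration that the GlobalProtect app provides.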

I’ve had experience with both.

The Windows VPN provider was actually pretty good, but we couldn’t get the third-party authentication working (no Office 365 SSO).

The GlobalProtect app is what we use with SSO.

I would add “Connect Before Logon” as a viable PLAP option, which is different from the three mentioned above. You’ll need to look it up in the GlobalProtect admin guide: Use Connect Before Logon