LLNL Remote Access

Antivirus required to connect. Please click here for details.

Do not use these manual installers on LLNL-managed computers
When using the GUI version, GlobalProtect will launch your system default web browser to complete the authentication process.
While we endeavor to keep these instructions clear and up-to-date, Palo Alto Networks also provides regularly-updated instructions at their own site:
- See here for Linux Installation instructions: Palo Alto Install Instructions
- See here for Linux use instructions: Palo Alto Usage Instructions

Download and extract the files from the package:

You will see multiple installation packages for supported operating system versions—DEB for Debian and Ubuntu and RPM for CentOS and Red Hat. The package for the GUI version is denoted by a “GlobalProtect_UI” prefix.

Install the GlobalProtect app for Linux using the $ ./gp_install.sh command:
Starting from GlobalProtect Linux version 6.2.1, you must use the following commands to install the CLI or GUI versions of the app:
- To install the GlobalProtect UI package- $ ./gp_install.sh
- To install the GlobalProtect CLI package- $ ./gp_install.sh --cli-only
Log out of the Linux operating system or the SSH session depending on the installation method you used and log back in.
When you log out, package updates are applied and you are able to see the GlobalProtect icon (as well as any other relevant updates) when you log back in. This step is required to ensure that any new package updates during install are applied to the GlobalProtect app.
1. If you do not see the GlobalProtect icon in the tray after logging in, follow one of the steps below:
  1. Type the globalprotect launch-ui CLI command in a terminal window.
  2. Search for globalprotect in the application list and pin it to your dashboard.

Specify the portal address “gpvpn.llnl.gov” and Connect. If you skip this step or mistype/need to edit the portal address, you can use the menu button and click Settings:

then set your portal here and click OK:
A login window will now appear in your default web browser. Select whichever option is most convenient for you, and one that corresponds to a device you already have (i.e., don’t choose ‘DOE PIV Card’ if you don’t have one).
- MyPass
- DOE PIV Card (badge with embedded chip)
- RSA (SecurID, also known at LLNL as the One-Time Password, or OTP)
If you choose RSA, enter your OUN in the Username field and your OTP (PIN + token code) in the Password field that appears on the next screen. Proceed to step 4.
If you choose MyPass or PIV, you will be prompted to select the proper certificate:
- For MyPass, choose the certificate with your official username somewhere in the subject.
- For PIV, choose the certificate with your name in uppercase letters. It might also say ‘Affiliate.’
Once you authenticate successfully, your browser will display the following window:

Follow the instructions given and select “Open GlobalProtect” if you see a system dialog prompt (at which point you can choose to “Always Remember”) or click the “click here" link to launch the GlobalProtect client and complete the connection.

After installing the CLI version, use the following command to initiate the connection process:

globalprotect connect –portal gpvpn.llnl.gov
A browser instance will open to enable MyPass/PIV/RSA authentication, identical to the process shown above for the GUI version. Proceed through the prompts normally.

Note: If you are on a non-UI/”headless” system, use the following command to connect to our RSA-only portal:

globalprotect connect –portal gpvpn-rsa.llnl.gov

and provide your RSA username and PIN/composite password when prompted.

To confirm connection status, use the following commands:

globalprotect show --status

globalprotect show --details
To confirm that antivirus/etc. detection is working properly, use the following commands to validate the current detection state, and to manually resubmit HIP data if needed:

globalprotect show –-host-state

globalprotect show resubmit-hip