>
    Deploy App Settings to Linux Endpoints
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Apps
    4. Deploy App Settings Transparently
    5. Deploy App Settings to Linux Endpoints
    Download PDF
    GlobalProtect

    Deploy App Settings to Linux Endpoints

    Table of Contents

    Deploy App Settings to Linux Endpoints

    Customize GlobalProtect app settings in pre-deployment configuration file for deploying to Linux endpoints.
    You can set the GlobalProtect app customization settings in the pre-deployment configuration file (pangps.xml). This enables deployment of GlobalProtect app settings to Linux endpoints prior to their first connection to the GlobalProtect portal.
    On Linux endpoints, the pre-deployment configuration file (pangps.xml) is located in /opt/paloaltonetworks/globalprotect.
    The following table lists the pre-deployment settings for Linux endpoints that you can add to the pangps.xml file to customize the behavior of the GlobalProtect app and how the user interacts with the GlobalProtect app.
    Portal Agent Configuration
    		Linux
    Default
    Connect Method
    connect-method on-demand | user-logon
    user-logon
    Allow User to Change Portal Address
    can-change-portal yes | no
    yes
    Allow User to Continue with Invalid Portal Server Certificate
    can-continue-if-portal-cert-invalid yes | no
    yes
    Use Default Browser for SAML Authentication
    default-browser yes | no
    no
    Portal Connection Timeout (sec)
    portal-timeout <portaltimeout>
    5
    TCP Connection Timeout (sec)
    connect-timeout <connect-timeout>
    5
    TCP Receive Timeout (sec)
    receive-timeout <receive-timeout>
    30
    Not in portal
    This setting is used to predeploy the full chain certificate verification flag.
    full-chain-cert-verify
    <Settings>
    <full-chain-cert-verify>yes</full-chain-cert-verify>
    </Settings>
    n/a
    Not in portal
    This setting specifies the default portal IP address (or hostname).
    Portal <IPaddress>
    n/a
    If you have already installed the GlobalProtect app on the Linux endpoint, follow these instructions:
    1. Modify the pre-deployment setting you want to edit for the pangps.xml file in /opt/paloaltonetworks/globalprotect.
    2. Reboot the Linux endpoint in order for the pre-deployment configuration changes to take effect.
    If you are installing the GlobalProtect app for the first time, follow these instructions to deploy various settings to the Linux endpoint.
    1. Create the /opt/paloaltonetworks/globalprotect/pangps.xml pre-deployment configuration file.
    2. Add the pre-deployment settings to the pangps.xml file, including the connect method for the GlobalProtect app and the default browser for SAML authentication.
      The following example shows the XML configuration of the pre-deployment changes that you deployed on the Linux endpoint, including the portal IP address (or hostname) under <PanSetup>.
      <?xml version="1.0" encoding="UTF-8"?>
<GlobalProtect>
      <Settings>
          <connect-method>on-demand</connect-method>
          <can-continue-if-portal-cert-invalid>yes</can-continue-if-portal-cert-invalid>
          <can-change-portal>no</can-change-portal>
          <portal-timeout>100</portal-timeout>
          <connect-timeout>100</connect-timeout>
          <receive-timeout>100</receive-timeout>
          <default-browser>yes</default-browser>
      </Settings>
      <PanSetup>
          <Portal>portal.acme.com</Portal>
      </PanSetup>
      <PanGPS>
      </PanGPS>
</GlobalProtect>
    3. Install the GlobalProtect app for Linux.

    © 2025 Palo Alto Networks, Inc. All rights reserved.