Skip to content

PaloAlto VPN

PaloAlto VPN is currently unavailable

PaloAlto VPN is not available at the moment, an upgrade is needed for the SSO service that need to be updated to Keycloak 21. This action is foreseen in the autumn of 2024. During this time, if you need a workaround to the use cases fullfilled by the VPN access to CERN resources, please read the recommandations below:

  • To access CMF to receive monthly patches, package updates and install centrally distributed software, it will be necessary to physically come onsite and connect to the CERN network
  • To access Engineering licence servers, please refer to KB0006649
  • To access The CERN Windows administration website Windows Toolbox, please login first to the CERN Terminal Server Service and then open it from your web browser


A VPN is available for users that allows centrally managed devices to connect to CERN to access a subset of CERN services whilst not at CERN. It is configured to allow access to some or all of the following resources, depending on your requirements:

  • CMF to receive monthly patches, package updates and install centrally distributed software
  • The CERN Windows administration website Windows Toolbox
  • Engineering license servers

What is a VPN?

A Virtual Private Network (VPN) is software that makes your computer behave as if it was connected to another network. This is useful for securely accessing a subset of CERN resources which are reserved for devices connected to the CERN network.

What does a VPN do?

It identifies when you are connecting to three CERN hosted resources (CMF, Windows Toolbox and DFS) and routes that traffic via CERN. This enables you to access these services as if you were at CERN. This is useful if you have a centrally managed computer/laptop that you use at home since you will be able to e.g. update your device via CMF, access your LAPS password without having to bring it to CERN.

What this VPN doesn't do

All other traffic (e.g. accessing other CERN websites, surfing the internet, downloading software from websites other than the CMF website) is not affected, and it will not be routed via CERN. It will not make your computer appear as if it was at CERN to any other websites. Furthermore, the VPN will ONLY work when outside the CERN network i.e. you are not directly connected to the CERN network via WiFi or Ethernet.


  • ALL DNS TRAFFIC IS ROUTED VIA CERN WHILST USING THE VPN. This means that e.g. when you navigate to a website in your browser or perform a DNS lookup, the URL is sent to CERN to determine where the traffic should be routed and will be recorded. The VPN is intended for CERN Owned Devices so please make sure to comply with the CERN computing rules.

Installing PaloAltoVPN

The ability to install and use the the VPN is restricted to a subset of users depending on your requirements, please check with the administrator of your computer if you think you should have access to it. Once confirmed, please open a SNOW ticket.

How to install PaloAltoVPN when inside the CERN network

The package can be installed like any other CMF package, for which detailed instructions can be found here. The package name is PaloAltoVPN.

How to install PaloAltoVPN when outside the CERN network

The recommended method to install the VPN is via CMF. However, if you are outside the CERN network you will not be able to access CMF in order to install it. Instead, please use the following procedure AFTER you have been granted access:

  • Access (note that will not work) in your browser and select the 64-bit MSI to trigger the download
  • Once downloaded, open an administrative command prompt by searching for CMD in the start menu, highlighting "Command Prompt" and selecting "Run as administrator"
  • In the CMD prompt that appears copy/paste or type the following command:
    • msiexec /i C:\Users\YOURUSER\Downloads\GlobalProtect64.msi /quiet /l*xv "C:\Windows\Temp\GlobalProtect-install.log" DEFAULTBROWSER=YES PORTAL=""
  • Change the C:\Users\YOURUSER\Downloads\ component of the command to reflect the download location of the MSI, typically C:\Users\xxx\Downloads\ where xxx is your Windows username
  • Press enter

This will install the application without need for any further interaction.


  • Make sure to set the package as installed in the CMF webpage once you are able to connect via the VPN to avoid issues.

How to connect to PaloAltoVPN

The PaloAltoVPN tray icon appears in the bottom right hand corner.

Right clicking the icon will cause the interface to appear.

Click connect and the VPN will connect.

The tray icon will also indicate that that the VPN is connected.

You will then be able to access CMF and Windows Toolbox.

Mapping CERN DFS drives

Please see this KB for guidance on how to map CERN DFS drives in order to access DFS files from outside CERN using the VPN.