Skip to content

PaloAlto VPN

tags: Application Provisioning, PaloAlto, VPN, Connectivity Software, Windows


A VPN is available for users that allows centrally managed devices to connect to CERN to access a subset of CERN services whilst not at CERN. It is configured to allow access to:

  • CMF to receive monthly patches, package updates and install centrally distributed software
  • The entire DFS structure
  • The CERN Windows administration website Windows Toolbox

What is a VPN?

A Virtual Private Network (VPN) is software that makes your computer behave as if it was connected to another network. This is useful for securely accessing a subset of CERN resources which are reserved for devices connected to the CERN network.

What does a VPN do?

It identifies when you are connecting to three CERN hosted resources (CMF, Windows Toolbox and DFS) and routes that traffic via CERN. This enables you to access these services as if you were at CERN. This is useful if you have a centrally managed computer/laptop that you use at home since you will be able to e.g. update your device via CMF, access your LAPS password without having to bring it to CERN.

What this VPN doesn't do

All other traffic (e.g. accessing other CERN websites, surfing the internet, downloading software from websites other than the CMF website) is not affected, and it will not be routed via CERN. It will not make your computer appear as if it was at CERN to any other websites. Furthermore, the VPN will ONLY work when outside the CERN network i.e. you are not directly connected to the CERN network via WiFi or Ethernet.


ALL DNS TRAFFIC IS ROUTED VIA CERN WHILST USING THE VPN. This means that e.g. when you navigate to a website in your browser or perform a DNS lookup, the URL is sent to CERN to determine where the traffic should be routed and will be recorded. The VPN is intended for CERN Owned Devices so please make sure to comply with the CERN computing rules.

How to install PaloAltoVPN

The package can be installed like any other CMF package, for which detailed instructions can be found here. The package name is PaloAltoVPN. It is only available to a subset of users, please check with the administrator of your computer if you think you should have access to it.

How to connect to PaloAltoVPN

The PaloAltoVPN tray icon appears in the bottom right hand corner.

Right clicking the icon will cause the interface to appear.

Click connect and the VPN will connect.

The tray icon will also indicate that that the VPN is connected.

You will then be able to access CMF and Windows Toolbox.