University Client VPN

Navigate to vpn.upenn.edu using a browser. You should see a screen similar to the one below:

Image

Click on "Download Mac 32/64 bit GlobalProtect agent." This will download a file called GlobalProtect.pkg — double-clicking on this file will cause it to bring up a dialog box that will ask you a series of questions and walk you through the installation process. 

Image

Selecting "Continue" on this screen will walk you through installation of the application.

On some versions of macOS, you may need to approve kernel extensions in order for the GlobalProtect VPN client to function normally. In this event, you will be prompted with a dialog box like the one shown below. Click on the button labeled "Open Security Preferences":

Image

This will open your System Preferences dialog box. A warning will be displayed at the bottom of the dialog box next to the button labelled Allow. Click on the Allow button to continue.

Image

Configuring the application and connecting to the VPN

Once you have installed the application, you will see an icon appear in the upper-right-hand side of the menu bar. The GlobalProtect icon looks like a globe.

When you open the application, you will need to provide the Portal address:

vpn.upenn.edu
 

Image

Clicking on the Connect button will cause a browser window to open and prompt you for your PennKey credentials through the usual WebLogin screen.

Image

After entering your username and password you should then see the usual Two-Step Verification screen:

Image

Once you have successful performed the necessary Two-Step Verification, you will then be connected to the VPN and the icon should change to indicate that you are connected.

Image

Navigate to vpn.upenn.edu using a browser. You should see a screen similar to the one below:

Image

Click the appropriate Windows link for your system; in nearly all circumstances this will be the Windows 64-bit GlobalProtect agent. Doing so will download a file called GlobalProtect64.msi for a 64-bit operating system or GlobalProtect.msi for a 32-bit operating system. Double-clicking on this file will cause it to bring up a dialog box that will ask you a series of questions and walk you through the installation process.

Image

Windows will then ask for an installation location. (Accepting the default should be fine.)

Image

After this dialog box, the application will be installed.

Configuring the application and connecting to the VPN

Once you have installed the application, you will see an icon appear in the bottom-right-hand side of the taskbar. The GlobalProtect icon looks like a globe.

When you open the application, you will need to provide the Portal address:

vpn.upenn.edu

Image

Clicking on the Connect button will cause a browser window to open and prompt you for your PennKey credentials through the usual WebLogin screen.

Image

After entering your username and password you should then see the usual Two-Step Verification screen:

Image

Once you have successful performed the necessary Two-Step Verification, you will then be connected to the VPN and the icon should change to indicate that you are connected.

Image

To install on iOS, you will need to find the GlobalProtect client in the Apple App Store and install it using the normal process for iOS app installation.

For example, on an iPhone, click on the App Store icon on your phone, search for “GlobalProtect” and select the GlobalProtect app developed by Palo Alto Networks. Click on the button labelled Install (shown below as "Open", because the app has already been installed).

Image

Configuring the application and connecting to the VPN

Once you have installed the app on your iOS device, you should be able to open it and configure the Portal address, as shown below:

Image

To install on Android, you will need to find the GlobalProtect client in the Google Play Store and install it using the normal process for Android apps.

For example, on an Android Device, click on the Play Store icon on your phone, search for “GlobalProtect” and select the GlobalProtect app developed by Palo Alto Networks. Click on the button labelled Install:

Image

Configuring the application and connecting to the VPN

Once you have installed the app on your Android device, you should be able to open it and configure the Portal address, as shown below:

Image

Please note: Linux is not an officially supported operating system at Penn. Installers are provided "as-is."

Current Linux installers, as well as installation instructions describing GUI and CLI-based installs can be found in the following Penn+Box folder:

GlobalProtect Linux Installers (Box link)

Additional resources:

• Palo Alto's instructions for Linux client installation
• Palo Alto's instructions for Linux client usage
• Palo Alto’s instructions for Linux client troubleshooting

The University Firewall is an automated security tool used to filter out known malicious network traffic. Malicious network activity is designed to exploit vulnerabilities in devices connected to Penn’s network, allowing others to gain unauthorized access to, and control of, your devices and the information they hold.

The University Firewall permits Penn to quickly, consistently, and broadly defend against attacks that could result in in the destruction, alteration, and disclosure of confidential University data.

The University Firewall is maintained by a team of Penn network administrators and security specialists who ensure that the list of identifiable threats being blocked by the Firewall is kept current, based upon trends in real-time network activity around the globe, threat reporting from authoritative third-party sources, and a thorough examination of known attack vectors.

The actions of the team are guided by a governance group containing representatives from Schools and Centers across the University.

No. The University Firewall is not designed to inspect the semantic content of any network traffic, and upholds Penn’s commitment to open expression and electronic privacy. Instead, it is focused on protecting against certain categories of functional threats (such as seizing control of your computer from a remote location) that can compromise devices connected to Penn’s network.

You will receive a message in your web browser stating that the web page you are trying to view has been blocked by the University Firewall. (Click to see how this message looks.)

If you are having trouble connecting to networked resources outside of Penn using tools other than web browsers, contact your Local Support Provider (LSP) for help in identifying the root cause of your connectivity issue.

Possibly. Some Schools and Centers at Penn have deployed local firewalls designed to protect a specific group of assets within the University network. The University Firewall is configured to protect “at the border,” at a network transmission’s first point of contact with any protected portion of the entire Penn campus network. If your School or Center has also activated a local firewall, you may be receiving an additional set of protections that support your organization’s specific needs. Your Local Support Provider (LSP) can provide clarification about your particular situation.

It’s highly unlikely. Because the University Firewall is designed to block identified threats, your actions on the network would remain completely unaffected by the Firewall unless they would bring you into contact with a verified threat source. As always, your Local Support Provider (LSP) remains the best source of information about your particular connectivity issue when you are using the campus network.

It should not. The University Firewall is designed to block incoming and outbound network traffic which has been reliably identified as a known threat, such as traffic originating from malicious hosts in remote locations or traffic from Penn hosts attempting to reach malicious off-campus hosts. The devices and hosts you use to conduct your Penn-related activities while you are away from campus are extremely unlikely to be among the sources of malicious activity that the Firewall blocks from campus.

The recommended practice of using only known, secured networks to conduct University-related activities while away from campus also helps ensure that your access to University assets remains unaffected by the Firewall.

The University Firewall is constructed in alignment with, and in support of, Penn’s academic mission. Because the Firewall is not designed to inspect the semantic content of any network traffic, it does not restrict the open exchange of ideas and information.

In exceptional cases where the work of Penn researchers requires direct contact with known sources of technical threats to the campus network (e.g., computer security research), or relies upon high-performance computing that may be affected by the Firewall, a researcher can initiate a request for network arrangements outside the University Firewall. Should you need these arrangements, speak with your Local Support Provider (LSP) to learn more about how to proceed.

It is ill-advised to rely upon the University Firewall for comprehensive virus protection. The University Firewall is designed to block known threats that employ the campus network at the very moment their attacks are being carried out. Many computer viruses and other malware remain dormant or encrypted while they are being spread, actively attacking infected devices at a later point in time.

It is also possible to acquire computer viruses when your device operates outside the University Firewall. While the Firewall may allow Penn to identify network traffic to malicious host sites from our campus, it is by no means designed to detect or report all compromised devices.

To protect your devices against viruses, malware, and other forms of transmissible compromise, speak with your Local Support Provider (LSP) about antivirus tools and best practices.

The University Firewall is set up to block known threats from traffic to and from the Penn campus network. It is not designed to examine individual devices within the campus network and assess whether those devices have been compromised, nor is it designed to examine all traffic within the Penn campus network. If an infected device is connected to the campus network, the potential remains for that device to infect other devices on the campus network.

Although the Firewall will identify when devices connected to the campus network attempt to connect to malicious remote sites, these connection attempts may take place weeks, or even months, after those devices have been compromised. In the interim, the malware that initially compromised those devices can continue to rapidly and silently spread.

Speak with your Local Support Provider (LSP) about tools and best practices for detecting and protecting against the compromise of any device you use to conduct University-related activities.

The University Firewall is not designed to inspect the semantic content of any network traffic, and thus cannot categorize individual emails based upon their subject matter. If you feel you are receiving too much irrelevant email in your Penn email account, speak with your Local Support Provider (LSP) about available options for filtering your email content.