The following guide describes how to configure your Palo Alto Firewall for SSL VPN access using GlobalProtect. GlobalProtect is the replacement of NetConnect for initiating a VPN tunnel.
When you need to install the GlobalProtect agent for the first time, you need administrative privileges. The agent can be downloaded via the GlobalProtect portal site or deployed via group policy.
After the agent has installed, you can initiate a VPN session using this component.
Here is the document how to configure SSL VPN access. The user needs to be a member of a group in Active Directory and authentication is performed using Network Policy Server on Windows Server 2012.
http://www.accessdenied.be/blog/documentation/Configuring GlobalProtect SSL VPN using a user-defined port.pdf