topic Re: change portal address remotely in GlobalProtect Discussions

change portal address remotely

NOC-VL — Tue, 11 Aug 2020 14:49:59 GMT

We want to move the users to a different portal adres. How can we do this without asking all users to manualy adjust the portal adres?

i've tried changing the reg key set at installation time, but this didn't work (tried rebooting and refresh connection).

After the reboot it even changed back!

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup

My assumption would be:

1. change regkey adres

2. delete the appdata folder

C:\Users\%username%\AppData\Local\Palo Alto Networks\GlobalProtect

3. reboot ?

Re: change portal address remotely

Remo — Thu, 13 Aug 2020 21:29:25 GMT

Hi @NOC-VL

Did you try this way?

Stop the PanGPS Service
Change the reg key for the portal
Start the PanGPS Service again

Re: change portal address remotely

NOC-VL — Fri, 14 Aug 2020 05:05:57 GMT

yes. and it changes it back to the old value after you start the service again.

Re: change portal address remotely

DavidStevens — Wed, 25 Nov 2020 10:39:21 GMT

Any updates on this? We have exactly the same issue. It works after i repair the installation manually on the computer, but that just isn't doable for all my users.

Re: change portal address remotely

NOC-VL — Wed, 06 Jan 2021 07:49:06 GMT

the sequence should be

net stop panGPS

[HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings] "LastUrl"="your-portal-here"

remove old portal
[-HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings\old-portal]

net start panGPS

But this can't be executed. a normal user can't stop/start pangps and a system user doesn't know the users regkey.

Re: change portal address remotely

NOC-VL — Thu, 25 Mar 2021 06:11:31 GMT

I've written a powershell script to do this. maybe this will help others.

It first stops pangs, changes and removes the old portals while iterating over the registery for all users and then starts it again.

Run it with elevated privilages.

#check for input if (!$args[0] ) { Write-Host "Invalid argument. usage: change-portal.ps1 <new portal>" exit } #vars $PortalAddress = $args[0] $OldPortals = @('x.oldportal1.com', 'x2.oldportal1.com' ) #Get current portal $pansetup = Get-ItemProperty -path "registry::HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup" -Name 'Portal' $pansetup = $pansetup.Portal Write-Host "Changing install portal address $pansetup to $PortalAddress" #stop global protect Stop-Service PanGPS #set portal adres for new installations Set-Itemproperty -path "registry::HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup" -Name 'Portal' -value $PortalAddress # Regex pattern for SIDs $PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$' # Get Username, SID, and location of ntuser.dat for all users $ProfileList = gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}}, @{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}}, @{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}} # Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded) $LoadedHives = gci Registry::HKEY_USERS | ? {$_.PSChildname -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}} # Get all users that are not currently logged $UnloadedHives = Compare-Object $ProfileList.SID $LoadedHives.SID | Select @{name="SID";expression={$_.InputObject}}, UserHive, Username # Loop through each profile on the machine Foreach ($item in $ProfileList) { # Load User ntuser.dat if it's not already loaded IF ($item.SID -in $UnloadedHives.SID) { reg load HKU\$($Item.SID) $($Item.UserHive) | Out-Null } ##################################################################### # This is where you can read/modify a users portion of the registry "{0}" -f $($item.Username) | Write-Output Set-Itemproperty -path "registry::HKEY_USERS\$($Item.SID)\Software\Palo Alto Networks\GlobalProtect\Settings" -Name 'LastUrl' -value $PortalAddress Foreach ($Oldportal in $Oldportals) { Remove-Item -path "registry::HKEY_USERS\$($Item.SID)\Software\Palo Alto Networks\GlobalProtect\Settings\$OldPortal" -Recurse } ##################################################################### # Unload ntuser.dat IF ($item.SID -in $UnloadedHives.SID) { ### Garbage collection and closing of ntuser.dat ### [gc]::Collect() reg unload HKU\$($Item.SID) | Out-Null } } #start global protectc Start-Service PanGPS

Re: change portal address remotely

dcarr_Beachbody — Wed, 27 Oct 2021 05:21:11 GMT

I came here and created an account just say Thank you @NOC-VL !! This gave me a great starting point for my script. I am not sure why anyone else is not complaining about the fact that when you change the "pansetup" key it doesnt actually change anything for users that have already logged in via GP and created a profile (under their individual "HKEY_USERS" tree!

Re: change portal address remotely

IvanArmour — Fri, 17 Jun 2022 17:18:59 GMT

This is great work. Thank you for sharing it.

Re: change portal address remotely

alnangpal — Wed, 23 Aug 2023 22:09:43 GMT

Nice work one of my customer asked me this very question today and I told him I will try and get answer for him and he found this here and sent me the link. Great work thanks for sharing😊