<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: GlobalProtect Always-On Being Blocked by WDAC (AppLocker) in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-being-blocked-by-wdac-applocker/m-p/1223826#M6576</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1089541003"&gt;@L.Dyson&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Assuming that your AppLocker policy is configured to log attempts, you can view the logs of blocked activity by simply looking in the Event Viewer on one of the affected machines. That's where I would start, since it'll tell you exactly what needs to be allowed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Secondly, are you for sure using path exceptions for your AppLocker exceptions? I would &lt;EM&gt;not&amp;nbsp;&lt;/EM&gt;recommend doing that unless absolutely necessary. Any user on the machine can read your AppLocker rules, and if I can get access to your machine it's an extremely quick way of telling me exactly where I need to place files to run on the machine. If that's truly your exception, I could place a file called C:\Users\ImABadDude\Local\Palo Alto Networks\GlobalProtect\RIPYourComputer.exe and your AppLocker policy will happily run it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There's nothing in the AppData location that you need to exclude; I would have that location immediately removed from your policy. If you're limiting Program Files you'll need to set up a publisher exception for PAN, but also one for OPSWAT for the wa_3rd_party_host_32 and wa_3rd_party_host_64 executables. I'd also see if you've got the default exceptions for the \Windows\ directory, as that would certainly break things if not fully excluded.&lt;/P&gt;</description>
    <pubDate>Thu, 13 Mar 2025 22:14:53 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2025-03-13T22:14:53Z</dc:date>
    <item>
      <title>GlobalProtect Always-On Being Blocked by WDAC (AppLocker)</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-being-blocked-by-wdac-applocker/m-p/1223449#M6566</link>
      <description>&lt;P&gt;We are using always-on VPN prelogon SAML and it works fine. However, after deploying a WDAC (Windows Defender Application Control) policy to lock down a device to select apps, GlobalProtect prelogon no longer works on that endpoint. It works if we remove the WDAC lockdown policy, so it's definitely being blocked, but the following locations have been approved to run, so I need to understand what other dependencies the always-on VPN relies on.&lt;/P&gt;
&lt;P&gt;C:\Program Files\Palo Alto Networks\GlobalProtect\*&lt;BR /&gt;C:\Users\*\AppData\Local\Palo Alto Networks\GlobalProtect\*&lt;/P&gt;
&lt;P&gt;What else, especially which .exe's, does GlobalProtect Always-On rely on?&lt;/P&gt;
&lt;P&gt;Manually connecting the GlobalProtect VPN works, so it's not PanGPA.exe or PanGPS.exe. It's just not showing the prelogon icon on the lock screen under sign-in options. Any help would be much appreciated!&lt;/P&gt;</description>
      <pubDate>Tue, 11 Mar 2025 15:19:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-being-blocked-by-wdac-applocker/m-p/1223449#M6566</guid>
      <dc:creator>L.Dyson</dc:creator>
      <dc:date>2025-03-11T15:19:58Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect Always-On Being Blocked by WDAC (AppLocker)</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-being-blocked-by-wdac-applocker/m-p/1223826#M6576</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1089541003"&gt;@L.Dyson&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Assuming that your AppLocker policy is configured to log attempts, you can view the logs of blocked activity by simply looking in the Event Viewer on one of the affected machines. That's where I would start, since it'll tell you exactly what needs to be allowed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Secondly, are you for sure using path exceptions for your AppLocker exceptions? I would &lt;EM&gt;not&amp;nbsp;&lt;/EM&gt;recommend doing that unless absolutely necessary. Any user on the machine can read your AppLocker rules, and if I can get access to your machine it's an extremely quick way of telling me exactly where I need to place files to run on the machine. If that's truly your exception, I could place a file called C:\Users\ImABadDude\Local\Palo Alto Networks\GlobalProtect\RIPYourComputer.exe and your AppLocker policy will happily run it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There's nothing in the AppData location that you need to exclude; I would have that location immediately removed from your policy. If you're limiting Program Files you'll need to set up a publisher exception for PAN, but also one for OPSWAT for the wa_3rd_party_host_32 and wa_3rd_party_host_64 executables. I'd also see if you've got the default exceptions for the \Windows\ directory, as that would certainly break things if not fully excluded.&lt;/P&gt;</description>
      <pubDate>Thu, 13 Mar 2025 22:14:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-being-blocked-by-wdac-applocker/m-p/1223826#M6576</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2025-03-13T22:14:53Z</dc:date>
    </item>
  </channel>
</rss>

