topic Re: For user GlobalProtect client refresh in General Topics

Force user GlobalProtect client refresh

Claw4609 — Thu, 25 Jan 2024 14:35:17 GMT

Piggy backing off of this earlier thread (LIVEcommunity - Force GlobalProtect Portal refresh of connected clients? - LIVEcommunity - 514881 (paloaltonetworks.com)). It there a way whether by registry or whatever, to force the client to grab its new config. We are switching over from on-demand to always-on and want to have users connect without them having to interact. Is there a way to do this?

Re: For user GlobalProtect client refresh

Brandon_Wertz — Tue, 23 Jan 2024 16:37:36 GMT

@Claw4609 wrote:

Piggy backing off of this earlier thread (LIVEcommunity - Force GlobalProtect Portal refresh of connected clients? - LIVEcommunity - 514881 (paloaltonetworks.com)). It there a way whether by registry or whatever, to force the client to grab its new config. We are switching over from on-demand to always-on and want to have users connect without them having to interact. Is there a way to do this?

Why not just adjust this value down to 1 hour, then after a day or however long it take to get everyone connected up and received the new setting you can adjust the check-in interval back to whatever your standard is. Trying to force the client to check in through a registry/GPO change is probably going to be more effort than worth the result given you can just change the below setting.

Re: For user GlobalProtect client refresh

Claw4609 — Tue, 23 Jan 2024 16:50:11 GMT

This would only apply to people that connect to Globalprotect correct? The main issue we have is the people who just dont connect to GP at all or havent in months. We have some internal gateways spun up in non-tunnel mode for the purpose of user-id/hip and I would like to begin retrieving this information via globalprotect from all clients.

Re: For user GlobalProtect client refresh

Claw4609 — Wed, 24 Jan 2024 17:22:54 GMT

Ive tried editing registries under here Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings. Specifically trying adding connect-method either pre-logon or userlogon and flipped the on-demand key to no but no combination so far has gotten GP to initiate a connection. And I have restarted after each of these changes.

In the debug logs Im seeing: "on-demand mode, should try retrive cache again without make connection"

But Im not sure why it keeps thinking its on-demand

Is there a cli/powershell command we could run to tell the clients globalprotect to connect?

Re: For user GlobalProtect client refresh

Brandon_Wertz — Wed, 24 Jan 2024 17:46:56 GMT

@Claw4609 wrote:

Ive tried editing registries under here Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings. Specifically trying adding connect-method either pre-logon or userlogon and flipped the on-demand key to no but no combination so far has gotten GP to initiate a connection. And I have restarted after each of these changes.

In the debug logs Im seeing: "on-demand mode, should try retrive cache again without make connection"

But Im not sure why it keeps thinking its on-demand

Is there a cli/powershell command we could run to tell the clients globalprotect to connect?

How are you connecting to these remote devices to make these registry changes if their VPN isn't enabled? I'm not certain what the potential CLI/PS command would be to force this.

Re: For user GlobalProtect client refresh

Brandon_Wertz — Wed, 24 Jan 2024 17:44:18 GMT

@Claw4609 wrote:

This would only apply to people that connect to Globalprotect correct? The main issue we have is the people who just dont connect to GP at all or havent in months. We have some internal gateways spun up in non-tunnel mode for the purpose of user-id/hip and I would like to begin retrieving this information via globalprotect from all clients.

Yes, this setting would require the users needing to first connect to get that update.

Re: For user GlobalProtect client refresh

Claw4609 — Wed, 24 Jan 2024 17:50:38 GMT

Im able to replicate the scenario on my machine, I connect myself to an on-demand config, flip the portal configs around so Ill hit the an always-on config the next time I connect. So the issue Im having is getting clients to connect to where they get the always-on config. But yes we've tried changing various registry settings but even with connect method set to user-logon and on-demand set to no, the client isnt auto connecting.

Re: For user GlobalProtect client refresh

Brandon_Wertz — Wed, 24 Jan 2024 18:14:01 GMT

@Claw4609 wrote:

Ive tried editing registries under here Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings. Specifically trying adding connect-method either pre-logon or userlogon and flipped the on-demand key to no but no combination so far has gotten GP to initiate a connection. And I have restarted after each of these changes.

In the debug logs Im seeing: "on-demand mode, should try retrive cache again without make connection"

But Im not sure why it keeps thinking its on-demand

Is there a cli/powershell command we could run to tell the clients globalprotect to connect?

I think the settings you're looking for are defined here:

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options#id51e0e000-9cce-425d-a4fd-e7fe51e1c8fb

If the endpoints are connected/managed from SCCM you can create a package to uninstall and reinstall the GP client coupled with a reboot. When the client reboots the OS will automatically try to connect to it's defined portal to get the app config. When it does this the machines will get the config updates you're wanting them to have.

Re: For user GlobalProtect client refresh

BPry — Wed, 24 Jan 2024 22:33:45 GMT

@Claw4609,

What registry changes are you making at the moment exactly, and are you trying to get them to utilize a new portal or simply update the connection method on an existing portal without having them connect?

Can't say that I've ever encountered any issues changing this as we go with clients. Set the registry values properly, restart PanGPS to get it to read everything, and you're good to go.

Re: For user GlobalProtect client refresh

Claw4609 — Thu, 25 Jan 2024 13:21:29 GMT

@Brandon_Wertz We do actually use SCCM and we tried something similar with some success, but this seemed to only work on about half of our roughly 100 person test group. We actually pushed it out with /norestart so wonder it that caused some issues? We also pushed it out with CONNECTMETHOD="user-logon". The half it didnt work on it did actually install the new version fine, they just didnt auto connect, and looking through some of their GP client debug logs it still thinks its on-demand connect method.

@BPry We're using the same portal. Even if the users dont normally connect to GP I want to initiate connections on existing users as we have some internal gateways in non-tunnel mode where I want to start obtaining user-id/hip information from these clients.

I've tried various things at this point but of the two things I though would work was: I added string "connect-method" with a value of pre-logon (I also tried it with user-logon) as well as I flipped the "on-demand" string to "no". With both of them being located here: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings

Re: For user GlobalProtect client refresh

Claw4609 — Thu, 25 Jan 2024 20:19:50 GMT

We found the issue and it ended up being how the PanGPA exe was running as it didnt have application to read the registry, no nothing I was entering was even mattering.