topic Re: Checking Global Protect Client Status via Command Line in General Topics

Checking Global Protect Client Status via Command Line

BeejCyr — Thu, 03 Aug 2017 12:48:36 GMT

We have had a heck of a time getting Global Protect 4.0.2 deployed in our environment. One of the things I am coming across is that the install goes fine, at least accoring to the exit code on msiexec and in looking thoguht the log created by msiexec. However, the pangps service does not always get created. Granted, the number of macine affected by this problem is smallish. I would say 3-6%. Now I can check for the existance of the service and manually create it and that fixes most of the machines, but now I am trying to circle back around for all the machines to determine if the global protect client is working ok. On many machines I can check to see if the PanGP interface has an IP address in the range we assigned, but other machines "live" at a location where the site has a connections, either via MPLS or DMVPN to the main office, so Global Protect is considered to be on its home network. I am looking for a way that will allow me to detect if GP is running correctly whether it is on a home network or not. A string in a log, a registry key, a command line that will give me an exit code, etc. something I can deploy that will allow me to see if the client is in "home", active or disabled mode from a command prompt. Powershell is also an option. Ideas?

Re: Checking Global Protect Client Status via Command Line

ansharma — Thu, 03 Aug 2017 13:44:15 GMT

Hey @BeejCyr

To allow users to connect to GP even when they are at "home" site, make use of 'Internal Gateways'.

Regards,

Anurag

Re: Checking Global Protect Client Status via Command Line

BeejCyr — Thu, 03 Aug 2017 13:39:35 GMT

Thanks for the resources, but it is not quite what I am going for. I am looking for a way to determine the status of the Global Protect agent from the command line. My script will not be able to "see" the icon, and the script may be running while all users are logged out and the client will be connected in a prelogin state. Another couple of facts that may figure in to the solution:

We are using SSO.
I have no access to the gateway. My area of responsibility is client deployment.

@ansharma wrote:
Hey @BeejCyr

To allow users to connect to GP even when they are at "hom" site, make use of 'Internal Gateways'.

Here's some information to get you started:

https://www.paloaltonetworks.com/documentation/60/globalprotect/global_protect_6-0/globalprotect-quick-configs/mixed-internal-and-external-gateway-configuration
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/globalprotect-features/internal-gateway-selection-by-source-ip-address
https://www.paloaltonetworks.com/documentation/70/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/configure-globalprotect-gateways

HTH.

Regards,
Anurag

Re: Checking Global Protect Client Status via Command Line

BeejCyr — Thu, 03 Aug 2017 13:40:53 GMT

FYI, I get a 404 on all three links you supplied.

Re: Checking Global Protect Client Status via Command Line

ansharma — Thu, 03 Aug 2017 13:42:38 GMT

That's odd.

I guess I'll remove the links since they wouldn't help in your requirement.

Re: Checking Global Protect Client Status via Command Line

DonohoeRobert — Thu, 03 Aug 2017 16:42:12 GMT

Hi Mate,

Not sure if this ticks the box. But from the cli ye can see the current users logged in for th eglobal protect and the gateways they are logged on to. Can add to the cli command to just check for internal or external gateways if needed.

admin@NextGen-01> show global-protect-gateway current-user gateway
TAC-LAB-GW TAC-LAB-GW
internalGW internalGW
tacgwExt tacgwExt
<value> Show for given GlobalProtect gateway

admin@NextGen-01> show global-protect-gateway current-user gateway

Doesn't scale well I guess with 100's or 1000s.

From the web ui you can also see the current users logged in,

networks>global protect > gateways -> far right , current users..

screenshot below from lab set up showing external user on the ext gateway and a local guy on the internal gateway.

best regards,

Rob

Re: Checking Global Protect Client Status via Command Line

BeejCyr — Thu, 03 Aug 2017 18:43:09 GMT

Rob,

Yeah, if I could get access to the gateway it would be easier, but alas I cannot.

With the Cisco AnyConnect VPN client we are replacing, I can do something like vpncli /status and it would product some test I could search through. I was really hoping GlobalProtect did something similar.

Re: Checking Global Protect Client Status via Command Line

Remo — Thu, 03 Aug 2017 19:01:32 GMT

Probably not the simple solution you are looking for, but in the local log files that GP client is writing to the folder where it was installed you should find the information you want