How does the GlobalProtect Client get a New Configuration?

Printer Friendly Page

Issue

How and when does the GlobalProtect client get a new configuration?

 

Resolution

The GlobalProtect client configuration is refreshed when:

  1. The GlobalProtect client is launched when logging into the system.
  2. The network is rediscovered from the GlobalProtect icon in the task tray.  
    • Launch GlobalProtect client UI (when logging into the system).
    • Rediscover the network from GlobalProtect icon in the task tray. The GlobalProtect client refreshes the cached portal configuration every 24 hours. GlobalProtect client updates to the newer version and retrieves portal configuration after the update.

 

owner:  yogihara

Tags (4)
Comments

What happens when the Global Protect portal is down/unavailable but the gateways are up? How long will the GP client work with just the cached portal config?

Rediscover Network is almost always greyed out(I've seen it not greyed out a handful of times), did an update to the access routes on one of the portals - had to reconnect for it to get the updated routes.

"Enable Rediscover Network" is checked on the mentioned portal. Ideas anyone on what could determine it being greyed out or not?

We would like to know the same. Can someone from PA please confirm what happens in this case?

We would also like to know the same thing.  PA can you please confirm?

I will try to address the question about when "Rediscover Network" is greyed out when the option is enabled.

 

The network/gateway config will refresh after 24 hours, and in some cases it can be 12 hours for the config to be refreshed from the Portal/Gateway.

 

The Rediscover Network option is meant to give the ability to help the GlobalProtect client to know if it is internal to a network or external and in turn know when to connect or not.  Sometimes with the machine is put to sleep, without disconnecting, this can cause some confusion and may cause the option to be grayed out.

In that case, I would see if a restart of the machine would change this or not.

Still queestion "What happens when the Global Protect portal is down/unavailable but the gateways are up? How long will the GP client work with just the cached portal config?" is unanswered

The option for Rediscover Network is always disabled when the connect method is On Demand for GlobalProtect agent versions 4.0 and earlier. With the release of the 4.1 client, the interface has been updated and we now see an option labeled "Refresh Connection".

 

If a Portal is unavailable, GP will attempt to connect to it and fail. It will then attempt to connect to the gateways that it already knows about. I just now tested this with GP 4.1 connecting to PAN-OS 8.1

 

 

Hi,

 

Question regarding an unreachable "Global Protect Portal".....I can confirm that the GlobalProtectClient does connect properly to a gateway (which has been cached) but if the portal is unavailable, a pop-up appears saying that "Portal Not Found" and the GP-client says "Connection Failed - Invalid Portal"

 

Per definition this is correct, BUT, it must be really confusing for the user that does not know (should not have to either) if the connection via the gateway has been established or not.

 

I would like to see something like a message saying something like "Yep...you are still connected to your company network but there is a problem with the portal so that you might encounter some problems". This would be considered more as a warning or notification to the user rather than popping up a splash screen with a lot of red error messages.

Thoughts on this?


By the way....running PanOS 8.1.3 and client 4.1.4.

//C