Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

L7 Applicator

Hi community

 

Today Global Protect version 5.0.2 was released. The way to this version was a long one. I had 10 open cases with different issues that I reported for versions 5.0.0 and 5.0.1. Most of them are fixed in 5.0.2, so this version - from what I was able to test so far - could be the best in years, as issues from versions earlier than 5 are now fixed as well. In addition to the ones that my company reported, there were even more issues reported by others that are also fixed in 5.0.2.

Anyway, what I intend to do with this topic is to collect working deployments and also put together a list of still open problems in Global Protect 5.0.2. My hope is that Global Protect - with the help of the community - will get even better and have fewer issues / bugs.

 

So I ask you to post your working configurations and also the open issues (including case numbers if possible, so others can reference these numbers if they also open cases) - only related to GP 5.0.2.

 

Let's see if something helpful will be created in this topic ;)

 

Regards,

Remo

L7 Applicator

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

Working configurations ...

L7 Applicator

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

Open issues

| # | PA Bug ID | Description | Steps to reproduce | Case number(s) | Fixed in Version |
|---|---|---|---|---|---|
| 1 | - | Two authentications sent from GP Agent to the firewall (in case of using MFA with SMS this means two SMS are sent to the user) | Not (yet) available | 01096611 | - |
| 2 | - | In rare situations GP detects a Captive Portal even if there isn't one. If you have configured MFA (with RADIUS) and you are also enforcing GP, this means that if the user cancels the MFA he has access to the network/internet without a VPN connection | Not (yet) available | 01146221 | - |
| 3 | - | After resuming from sleep mode Global Protect gets stuck with Captive Portal detection (in a network without a captive portal) and is not able to connect without a manual reconnect. | Not (yet) available | - | - |
| 4 | - | After resuming from standby it took about 30 seconds (after the connection to the external network was established) until Global Protect continued with establishing a connection. Prior to standby the computer was connected to the same external network and GP was connected. | Not (yet) available | 01146236 | - |
| 5 | - | When nothing is entered on the OTP prompt, GP gets stuck at "still working" and the issue can only be resolved by restarting pangpa or with a reboot. | Simply click OK on the OTP prompt without entering anything | 01147011, 01147324 | 5.0.3 |
L1 Bithead

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

I have to agree that 5.0.2 is much better. We deployed GP about 8 months ago, starting from 4.1.3, and have had non-stop issues; the experience for the user has been horrible. We had also identified bugs in each of the versions.

We still need to test the client when a user is connecting from a hotel or cafe WiFi where there is a captive portal involved.

Our configuration: we are doing pre-logon with an always-on setup. At the portal level we do LDAP with certificate, and at the gateway level OTP (Microsoft MFA (similar to Duo cloud)) with certificate. We are not doing split tunnel at this time and have enforce set to yes. We have enabled SSO.

 

What is your current configuration? What are the issues you are seeing with 5.0.2 that are still outstanding for you?

Curious if you or someone else has come across this issue. I am seeing this in 5.0.2 in the logs; I think I have seen it in a previous version too, but I have not been able to reproduce it, and it is not something that happens often.

 

When I took my machine out of sleep and connected to my home WiFi, I saw the message below during network discovery. I disconnected my WiFi and then reconnected, after which I was able to connect.

 

(T14860) 05/07/19 23:06:25:349 Debug(1843): DnsQuery returns 1460
(T15604) 05/07/19 23:06:27:203 Debug(3905): CPD, reset cp detection history
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (captive.apple.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=0, iRet=-1, lastError=0
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (clients3.google.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=1, iRet=-1, lastError=-1
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (www.msftconnecttest.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=2, iRet=-1, lastError=-1
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Debug(4101): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T15604) 05/07/19 23:06:27:203 Debug(3993): CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T14860) 05/07/19 23:06:28:351 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:28:351 Debug(1869): Already takes 3 seconds for all dns queries.
(T14860) 05/07/19 23:06:28:351 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:31:362 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:31:362 Debug(1869): Already takes 6 seconds for all dns queries.
(T14860) 05/07/19 23:06:31:362 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:34:363 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:34:363 Debug(1869): Already takes 9 seconds for all dns queries.
(T14860) 05/07/19 23:06:34:363 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:37:366 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:37:366 Debug(1869): Already takes 12 seconds for all dns queries.

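The excerpt above shows the captive-portal-detection (CPD) thread failing to resolve all three probe hosts (getaddrinfo error 11001, which is Windows WSAHOST_NOT_FOUND) while the network-discovery thread keeps retrying DnsQuery with return code 1460 (ERROR_TIMEOUT). The following script is an added example, not Palo Alto Networks code and not from the poster: it parses PanGPS lines in the format shown, tallies the resolution failures and DNS timeouts, and turns them into a one-line finding that could be attached to a support case. The sample log is constructed in the same format as the posted excerpt.

```python
"""Parse PanGPS captive-portal-detection (CPD) log lines and flag the
'probe hosts unresolvable during network discovery' pattern.
Added example, not Palo Alto Networks code. SAMPLE_LOG is constructed
in the same format as the posted excerpt."""
import re
from collections import Counter

# Constructed sample in the PanGPS line format shown in the post.
SAMPLE_LOG = """\
(T14860) 05/07/19 23:06:25:349 Debug(1843): DnsQuery returns 1460
(T15604) 05/07/19 23:06:27:203 Debug(3905): CPD, reset cp detection history
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (captive.apple.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=0, iRet=-1, lastError=0
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (clients3.google.com:80)
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (www.msftconnecttest.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(4101): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T14860) 05/07/19 23:06:28:351 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:28:351 Debug(1869): Already takes 3 seconds for all dns queries.
(T14860) 05/07/19 23:06:28:351 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:37:366 Debug(1869): Already takes 12 seconds for all dns queries.
"""

# Windows error codes that appear in the excerpt.
WSAHOST_NOT_FOUND = 11001   # getaddrinfo: name not found
ERROR_TIMEOUT = 1460        # DnsQuery: query timed out

LINE_RE = re.compile(
    r"^\(T(?P<thread>\d+)\) (?P<date>\S+) (?P<time>\S+) "
    r"(?P<level>\w+)\s*\(\s*(?P<src>\d+)\): (?P<msg>.*)$")
RESOLVE_FAIL_RE = re.compile(
    r"failed to resolve captive portal server:service \((?P<host>[^:)]+):(?P<port>\d+)\)")
GAI_FAIL_RE = re.compile(r"getaddrinfo failed with error code \((?P<code>\d+)\)")
DNS_RET_RE = re.compile(r"DnsQuery returns (?P<code>\d+)")
ELAPSED_RE = re.compile(r"Already takes (?P<secs>\d+) seconds for all dns queries")


def parse_line(line):
    """Split one PanGPS line into thread, date, time, level, source line and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Summarise CPD and DNS behaviour over a log excerpt."""
    summary = {
        "unresolved_cp_hosts": [],      # probe hosts CPD could not resolve, in order
        "getaddrinfo_errors": Counter(),
        "dns_return_codes": Counter(),
        "max_dns_wait_secs": 0,
        "cp_detected": None,            # None = CPD never reached a verdict in the excerpt
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                    # not a PanGPS line (wrapped HTML, blank, etc.)
        msg = rec["msg"]
        if m := RESOLVE_FAIL_RE.search(msg):
            summary["unresolved_cp_hosts"].append(m["host"])
        elif m := GAI_FAIL_RE.search(msg):
            summary["getaddrinfo_errors"][int(m["code"])] += 1
        elif m := DNS_RET_RE.search(msg):
            summary["dns_return_codes"][int(m["code"])] += 1
        elif m := ELAPSED_RE.search(msg):
            summary["max_dns_wait_secs"] = max(summary["max_dns_wait_secs"], int(m["secs"]))
        elif "Didn't detect captive portal" in msg:
            summary["cp_detected"] = False
    return summary


def diagnose(summary):
    """Turn the summary into a one-line finding a support case could quote."""
    if summary["unresolved_cp_hosts"] and summary["cp_detected"] is False:
        hosts = ", ".join(summary["unresolved_cp_hosts"])
        finding = (f"resolver not ready during network discovery: CPD probe hosts "
                   f"unresolvable ({hosts})")
        timeouts = summary["dns_return_codes"][ERROR_TIMEOUT]
        if timeouts:
            finding += (f"; DnsQuery timed out {timeouts} times over "
                        f"{summary['max_dns_wait_secs']} s")
        return finding
    if summary["cp_detected"] is False:
        return "captive portal checked and not detected; name resolution worked"
    return "no CPD verdict in excerpt"


if __name__ == "__main__":
    print(diagnose(analyze(SAMPLE_LOG)))
```

The CPD verdict "not detected" in this state is not a real negative: none of the probe hosts could even be resolved, so the thread could not test for a portal at all. Feeding a full PanGPS.log through `analyze` and looking at `unresolved_cp_hosts` together with `dns_return_codes` separates "no captive portal" from "DNS was not up yet when discovery ran", which is the distinction that matters when filing this as a case.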
L7 Applicator

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

@rj_raj 

Prior to entering sleep mode, where was your machine connected? In the internal/corporate network, or were you already connected to your home WiFi or another network?

L7 Applicator

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

I will test the following configurations:

  • Config 1
"Portal Client Config" {
  hip-collection {
    max-wait-time 20;
    collect-hip-data yes;
  }
  gateways {
    external {
      list {
        GATEWAY {
          fqdn GATEWAY;
          priority-rule {
            Any {
              priority 1;
            }
          }
          manual no;
        }
      }
      cutoff-time 5;
    }
  }
  authentication-override {
    generate-cookie no;
  }
  source-user any;
  os any;
  agent-ui {
    max-agent-user-overrides 0;
    agent-user-override-timeout 0;
  }
  internal-host-detection {
    ip-address INTERNAL-IP;
    hostname INTERNAL-FQDN;
  }
  gp-app-config {
    config {
      connect-method {
        value pre-logon;
      }
      refresh-config-interval {
        value 1;
      }
      agent-user-override {
        value allowed;
      }
      client-upgrade {
        value disabled;
      }
      use-sso {
        value yes;
      }
      logout-remove-sso {
        value yes;
      }
      krb-auth-fail-fallback {
        value yes;
      }
      retry-tunnel {
        value 1;
      }
      retry-timeout {
        value 1;
      }
      enforce-globalprotect {
        value yes;
      }
      captive-portal-exception-timeout {
        value 3600;
      }
      traffic-blocking-notification-delay {
        value 5;
      }
      display-traffic-blocking-notification-msg {
        value no;
      }
      traffic-blocking-notification-msg {
        value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>';
      }
      allow-traffic-blocking-notification-dismissal {
        value yes;
      }
      display-captive-portal-detection-msg {
        value yes;
      }
      captive-portal-detection-msg {
        value '<div style="font-family:'Verdana';"><h1 style="color:green; margin: 0; font-size: 16px;">Loginseite erkannt / Captive Portal Detected</h1><p style="margin: 0; font-size: 14px; line-height: 1.2em;">Bitte klicken Sie auf den Link, um sich anzumelden und Zugriff auf das Netzwerk zu erhalten: <a href="http://CAPTIVEPORTALREDIRECT">Klicken Sie hier</a><br/>Please click the link to login and to get access to the network: <a href="http://CAPTIVEPORTALREDIRECT">Click here</a></p></div>';
      }
      captive-portal-notification-delay {
        value 5;
      }
      certificate-store-lookup {
        value machine;
      }
      scep-certificate-renewal-period {
        value 7;
      }
      retain-connection-smartcard-removal {
        value yes;
      }
      enable-advanced-view {
        value yes;
      }
      enable-do-not-display-this-welcome-page-again {
        value yes;
      }
      rediscover-network {
        value yes;
      }
      resubmit-host-info {
        value yes;
      }
      can-change-portal {
        value no;
      }
      can-continue-if-portal-cert-invalid {
        value no;
      }
      show-agent-icon {
        value yes;
      }
      user-switch-tunnel-rename-timeout {
        value 0;
      }
      pre-logon-tunnel-rename-timeout {
        value 0;
      }
      show-system-tray-notifications {
        value no;
      }
      max-internal-gateway-connection-attempts {
        value 0;
      }
      portal-timeout {
        value 30;
      }
      connect-timeout {
        value 60;
      }
      receive-timeout {
        value 30;
      }
      enforce-dns {
        value yes;
      }
      flush-dns {
        value no;
      }
      proxy-multiple-autodetect {
        value no;
      }
      use-proxy {
        value yes;
      }
      wsc-autodetect {
        value yes;
      }
      mfa-enabled {
        value no;
      }
      mfa-listening-port {
        value 4501;
      }
      mfa-notification-msg {
        value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
      }
      ipv6-preferred {
        value yes;
      }
      init-panel {
        value no;
      }
    }
  }
  save-user-credentials 0;
  portal-2fa no;
  manual-only-gateway-2fa no;
  internal-gateway-2fa no;
  auto-discovery-external-gateway-2fa no;
  mdm-enrollment-port 443;
}

 

  • Config 2 (on this gateway local network access is disabled)
"Portal Client Config" {
  hip-collection {
    max-wait-time 20;
    collect-hip-data yes;
  }
  gateways {
    external {
      list {
        GATEWAY {
          fqdn GATEWAY;
          priority-rule {
            Any {
              priority 1;
            }
          }
          manual no;
        }
      }
      cutoff-time 5;
    }
  }
  authentication-override {
    generate-cookie no;
  }
  source-user any;
  os any;
  agent-ui {
    max-agent-user-overrides 0;
    agent-user-override-timeout 0;
  }
  internal-host-detection {
    ip-address INTERNAL-IP;
    hostname INTERNAL-FQDN;
  }
  gp-app-config {
    config {
      connect-method {
        value pre-logon;
      }
      refresh-config-interval {
        value 1;
      }
      agent-user-override {
        value disabled;
      }
      client-upgrade {
        value disabled;
      }
      use-sso {
        value yes;
      }
      logout-remove-sso {
        value yes;
      }
      krb-auth-fail-fallback {
        value yes;
      }
      retry-tunnel {
        value 30;
      }
      retry-timeout {
        value 5;
      }
      enforce-globalprotect {
        value yes;
      }
      captive-portal-exception-timeout {
        value 3600;
      }
      traffic-blocking-notification-delay {
        value 15;
      }
      display-traffic-blocking-notification-msg {
        value yes;
      }
      traffic-blocking-notification-msg {
        value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>';
      }
      allow-traffic-blocking-notification-dismissal {
        value yes;
      }
      display-captive-portal-detection-msg {
        value yes;
      }
      captive-portal-detection-msg {
        value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>';
      }
      certificate-store-lookup {
        value machine;
      }
      scep-certificate-renewal-period {
        value 7;
      }
      retain-connection-smartcard-removal {
        value yes;
      }
      enable-advanced-view {
        value yes;
      }
      enable-do-not-display-this-welcome-page-again {
        value yes;
      }
      rediscover-network {
        value yes;
      }
      resubmit-host-info {
        value yes;
      }
      can-change-portal {
        value no;
      }
      can-continue-if-portal-cert-invalid {
        value no;
      }
      show-agent-icon {
        value yes;
      }
      user-switch-tunnel-rename-timeout {
        value 0;
      }
      pre-logon-tunnel-rename-timeout {
        value -1;
      }
      show-system-tray-notifications {
        value no;
      }
      max-internal-gateway-connection-attempts {
        value 0;
      }
      portal-timeout {
        value 5;
      }
      connect-timeout {
        value 5;
      }
      receive-timeout {
        value 30;
      }
      enforce-dns {
        value yes;
      }
      flush-dns {
        value no;
      }
      proxy-multiple-autodetect {
        value no;
      }
      wsc-autodetect {
        value yes;
      }
      mfa-enabled {
        value no;
      }
      mfa-listening-port {
        value 4501;
      }
      mfa-notification-msg {
        value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
      }
      ipv6-preferred {
        value no;
      }
    }
  }
  save-user-credentials 0;
  portal-2fa no;
  manual-only-gateway-2fa no;
  internal-gateway-2fa no;
  auto-discovery-external-gateway-2fa no;
  mdm-enrollment-port 443;
}

 
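Config 1 and Config 2 above differ only in a handful of app settings (agent-user-override, retry-tunnel/retry-timeout, the traffic-blocking and captive-portal messages, portal/connect timeouts, ipv6-preferred, init-panel), which is hard to see across two 180-line dumps. The script below is an added example, not Palo Alto Networks code and not from the poster: a line-oriented parser for the brace-delimited dump format shown above, a flattener to dotted keys, a diff of two variants, and one review check tied to open issue 2 in this thread (with enforce-globalprotect set to yes, a false captive-portal detection lifts enforcement for captive-portal-exception-timeout seconds). CONFIG_A and CONFIG_B are constructed subsets modelled on Config 1 and Config 2, not the full dumps.

```python
"""Parse the brace-delimited 'Portal Client Config' dump format, flatten to
dotted keys and diff two variants. Added example, not Palo Alto Networks code.
CONFIG_A / CONFIG_B are constructed subsets modelled on Config 1 / Config 2."""

CONFIG_A = """\
"Portal Client Config" {
  gp-app-config {
    config {
      agent-user-override {
        value allowed;
      }
      retry-tunnel {
        value 1;
      }
      enforce-globalprotect {
        value yes;
      }
      captive-portal-exception-timeout {
        value 3600;
      }
      traffic-blocking-notification-msg {
        value '<p style="margin: 0; font-size: 15px;">Connect to GlobalProtect first.</p>';
      }
      portal-timeout {
        value 30;
      }
      init-panel {
        value no;
      }
    }
  }
  portal-2fa no;
}
"""

CONFIG_B = """\
"Portal Client Config" {
  gp-app-config {
    config {
      agent-user-override {
        value disabled;
      }
      retry-tunnel {
        value 30;
      }
      enforce-globalprotect {
        value yes;
      }
      captive-portal-exception-timeout {
        value 3600;
      }
      portal-timeout {
        value 5;
      }
    }
  }
  portal-2fa no;
}
"""


def parse_config(text):
    """Line-oriented parser: 'name {' opens a block, '}' closes it, 'key value;' is a leaf.
    Values are taken as the rest of the line, so quoted HTML containing ';' survives."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip().strip('"')] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def flatten(tree, prefix=""):
    """Nested dicts -> {'a.b.c': value}."""
    out = {}
    for key, val in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        out.update(flatten(val, path) if isinstance(val, dict) else {path: val})
    return out


def diff_configs(text_a, text_b):
    """Dotted paths whose values differ; None means absent on that side."""
    a, b = flatten(parse_config(text_a)), flatten(parse_config(text_b))
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


APP = "Portal Client Config.gp-app-config.config."   # prefix of the app settings


def review(text):
    """Findings a defender would want to see before rolling a portal config out."""
    flat = flatten(parse_config(text))
    findings = []
    if flat.get(APP + "enforce-globalprotect.value") == "yes":
        grace = flat.get(APP + "captive-portal-exception-timeout.value")
        findings.append(f"enforce-globalprotect=yes: a (false) captive portal detection lifts "
                        f"enforcement for captive-portal-exception-timeout={grace} s "
                        f"(see open issue 2 in this thread)")
    return findings
```

Running `diff_configs(CONFIG_A, CONFIG_B)` lists the five diverging paths (agent-user-override, retry-tunnel, portal-timeout, and the two keys only present in A), and `review` reports the enforcement grace window so that it is a conscious choice rather than a default that goes unnoticed when a captive portal is misdetected.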

L1 Bithead

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

- My machine was docked - I put it to sleep and then undocked it

- At home I had to connect to the WiFi as my connection is manual

- When connected to WiFi, that is when I noticed it

I will have to re-test and pay closer attention to what I did. I will update the post if I am able to reproduce it.

L7 Applicator

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

Added two rare issues in 5.0.2 to the third post in this topic.

L7 Applicator

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else


@rj_raj wrote:

- My machine was docked - I put it to sleep and then undocked it

- At home I had to connect to the WiFi as my connection is manual

- When connected to WiFi, that is when I noticed it

I will have to re-test and pay closer attention to what I did. I will update the post if I am able to reproduce it.


@rj_raj I have added this issue to the open issues list. Would be great if you can add more details or even better if you are able to reproduce it.

L7 Applicator

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

I have added another low priority issue and also case numbers for the 3 issues that I have experienced so far with 5.0.2. I need to add here that the issues from me in the list I have so far seen only once. Even though I tried, so far I was not able to reproduce them (which is good and bad at the same time).
