GlobalProtect Version 4.1.0-98
PAN OS 8.0.10
Login mode: on-demand
We've rolled out the GP software on everyone's PCs.
Every time a Windows (10) client reboots, the "GlobalProtect" pop-up GUI shows up. Is there a way to stop loading the "GlobalProtect" pop-up GUI after rebooting Windows?
GlobalProtect by default installs itself to run at startup, as most VPN clients do. This ARTICLE goes in-depth with how you would disable this if it isn't a required action in your environment. There are ways to script this with Group Policy that I would suggest looking into unless this is a really small installation.
This is an incredible annoyance for our users, the App is set to On-demand yet the portal pops up continuously for logon credentials even though the app is clearly displaying "OnDemand mode" as it does so! I thought the whole point of "OnDemand" was that the user could initiate it when required, not a continuous spamming of the user for credentials to initiate a VPN connection they are not interested in.
The article detailing how to fix this appears to have been pulled by PA. Both the link above and this (from Google's cache) are inaccessible:
Thanks, but I'm trying to configure the behaviour globally for hundreds of users, not just swat away the symptoms on one machine manually. Additionally, if it's not running, there's no systray icon to click on, and that's how users have been trained.
Perhaps my Google-fu is weak, but I'm aware that there's a bug with GlobalProtect that, even if it's configured in On-demand mode, behaves as if it's in SSO mode.
Ideally, it autostarts in on-demand mode, and actually respects that on-demand setting, sitting there in the system tray until user-interaction.
If the 'on-demand still running in SSO mode' bug doesn't have an easy fix, disabling autostart globally is a worse, but acceptable option.
Hope that makes sense.....
This isn't a bug, it's a design decision with how SSO functions within GlobalProtect. Once you restart, the GP client gets set to default mode, which means that on-demand isn't set up and it defaults to SSO. The client then does a discovery on the portal to determine if it's set up with on-demand or SSO. Since you are in on-demand mode, the notification that pops up should simply be the "connect" option.
I won't argue that PAN should include some savable registry key or something of the sort to stop this functionality and default to true on-demand, but it isn't set up like that as is. In the current implementation this functionality would break SSO; there was hope that during the redesign of the agent they were going to make some backend code changes to allow for this feature request to finally be fulfilled, but that simply wasn't the case.
As it sits now, if you wish to suppress the message right off the bat you would need to NOT start GP on startup and train the user to actually launch it like they would a normal application.
Understood, that's a very disappointing design choice by PA. It's certainly working as intended, it's just infuriating and causing a lot of hatred within our company (and also hurting the reputation of GlobalProtect across the wider web community).
With 'true' On-demand being an unusable and broken mess, our only option is to prevent GlobalProtect from autostarting and retraining users to launch it manually before they want to connect.
Since the article detailing this has been pulled (at least, neither Google's cache nor my login are permitted to view it) would you be kind enough to detail how I could configure GlobalProtect not to autostart globally? This is something that needs to be configured at the portal end, since our group policy doesn't have any influence on machines outside our domain (and used by BYOD staff and those working from home).
You're going to hate my answer to this .... you can't stop the 'start on logon' for the GlobalProtect app from the firewall, it needs to be done on the end user's machine. Since you don't control the end-device you also can't do this any other way since you wouldn't have the rights to modify registry keys or anything like that. The article in question essentially simply walked users through removing the start on logon functionality on their machines, nothing more.
The application install by default adds itself to startup items.
It's possibly something you could/can manually modify through something like InstEd and simply remove the functionality and rebuild the MSI file. However that's questionably legal when it comes to redistributing the file or telling someone they could/can modify the MSI to get the behavior to function as they wish. You probably could/can do something like that, maybe, and get it functional. If someone were to do this they might want to look at the Registry and Component table, they might be able to modify those locations to stop GP from automatically being included in the startup directory. But who knows, I'm certainly not telling you it's possible ;-)
Ah okay, sounds like the best course of action is for me to submit a feature request, or a bug report.
Having GP reset itself to default mode means that the "on-demand" setting is being ignored. That's a bug, in my opinion, but if PA have a reason for this weird behaviour they should at least add an option to work around this behaviour for those that actually want an on-demand VPN client, or simply remove the on-demand option altogether because it's not usable as one.
Thanks for the assistance.