GlobalProtect Client Startup Windows 10

L1 Bithead

GlobalProtect Client Startup Windows 10

GlobalProtect Version 4.1.0-98

PAN OS 8.0.10

Login mode: on-demand

 

Hi there, 

We've rolled out the GP software on everyone's PCs.

Every time a Windows (10) client reboots, the "GlobalProtect" pop-up GUI shows up. Is there a way to stop loading the "GlobalProtect" pop-up GUI after rebooting Windows?

 

Thank you.

L7 Applicator

Re: GlobalProtect Client Startup Windows 10

@Hodor,

GlobalProtect by default installs itself to run at startup, as most VPN clients do. This ARTICLE goes in-depth with how you would disable this if it isn't a required action in your environment. There are ways to script this with Group Policy that I would suggest looking into unless this is a really small installation.

L1 Bithead

Re: GlobalProtect Client Startup Windows 10

This is an incredible annoyance for our users, the App is set to On-demand yet the portal pops up continuously for logon credentials even though the app is clearly displaying "OnDemand mode" as it does so! I thought the whole point of "OnDemand" was that the user could initiate it when required, not a continuous spamming of the user for credentials to initiate a VPN connection they are not interested in.

 

The article detailing how to fix this appears to have been pulled by PA. Both the link above and this (from Google's cache) are inaccessible:

 

https://live.paloaltonetworks.com/t5/SME-GlobalProtect-Articles/How-to-Stop-GlobalProtect-from-Loadi...

 

Any suggestions?

L7 Applicator

Re: GlobalProtect Client Startup Windows 10

@mshattock,

You can always simply turn the GlobalProtect client so that it doesn't launch on startup. 

L1 Bithead

Re: GlobalProtect Client Startup Windows 10

Thanks, but I'm trying to configure the behaviour globally for hundreds of users, not just swat away the symptoms on one machine manually. Additionally, if it's not running, there's no systray icon to click on, and that's how users have been trained.

Perhaps my Google-fu is weak, but I'm aware that there's a bug with GlobalProtect that, even if it's configured in On-demand mode, behaves as if it's in SSO mode.

Ideally, it autostarts in on-demand mode, and actually respects that on-demand setting, sitting there in the system tray until user-interaction.

 

If the 'on-demand still running in SSO mode' bug doesn't have an easy fix, disabling autostart globally is a worse, but acceptable option.

 

Hope that makes sense.....

L7 Applicator

Re: GlobalProtect Client Startup Windows 10

@mshattock,

This isn't a bug, it's a design decision with how SSO functions within GlobalProtect. Once you restart, the GP client gets set to default mode, which means that on-demand isn't set up and it defaults to SSO. The client then does a discovery on the portal to determine if it's set up with on-demand or SSO. Since you are in on-demand mode, the notification that pops up should simply be the "connect" option.

I won't argue that PAN should include some savable registry key or something of the sort to stop this functionality and default to true on-demand, but it isn't set up like that as is. In the current implementation this functionality would break SSO; there was hope that during the redesign of the agent they were going to make some backend code changes to allow for this feature request to finally be fulfilled, but that simply wasn't the case.

 

As it sits now, if you wish to suppress the message right off the bat you would need to NOT start GP on startup and train the user to actually launch it like they would a normal application.

L1 Bithead

Re: GlobalProtect Client Startup Windows 10

Understood, that's a very disappointing design choice by PA. It's certainly working as intended, it's just infuriating and causing a lot of hatred within our company (and also hurting the reputation of GlobalProtect across the wider web community).

 

With 'true' On-demand being an unusable and broken mess, our only option is to prevent GlobalProtect from autostarting and retraining users to launch it manually before they want to connect.

 

Since the article detailing this has been pulled (at least, neither Google's cache nor my login are permitted to view it) would you be kind enough to detail how I could configure GlobalProtect not to autostart globally? This is something that needs to be configured at the portal end, since our group policy doesn't have any influence on machines outside our domain (and used by BYOD staff and those working from home).

 

Thanks.

L7 Applicator

Re: GlobalProtect Client Startup Windows 10

@mshattock,

You're going to hate my answer to this .... you can't stop the 'start on logon' for the GlobalProtect app from the firewall, it needs to be done on the end user's machine. Since you don't control the end-device you also can't do this any other way since you wouldn't have the rights to modify registry keys or anything like that. The article in question essentially simply walked users through removing the start on logon functionality on their machines, nothing more.

The application install by default adds itself to startup items. 

 

It's possibly something you could/can manually modify through something like InstEd and simply remove the functionality and rebuild the msi file. However that's questionably legal when it comes to redistributing the file or telling someone they could/can modify the MSI to get the behavior to function as they wish. You probably could/can do something like that, maybe, and get it functional. If someone were to do this they might want to look at the Registry and Component table, they might be able to modify those locations to stop GP from automatically being included in the startup directory. But who knows, I'm certainly not telling you it's possible ;-)
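
Added example, not part of the reply above and not Palo Alto Networks code: a PowerShell sketch of the endpoint-side change the thread describes, for machines you do administer. It audits the generic Windows autostart locations and removes matching entries only when asked; the match string `GlobalProtect` and the assumption that the client registers itself in one of these locations are not confirmed by the thread.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Pattern = 'GlobalProtect',  # assumed match string; confirm with an audit run first
    [switch]$Remove                      # report only unless this switch is given
)

# Generic Windows autostart locations (standard OS paths, not taken from the thread).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)

$found = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if ($name -match $Pattern -or $command -match $Pattern) {
            $found += [pscustomobject]@{
                Type = 'RunValue'; Location = $key; Name = $name; Command = $command }
        }
    }
}
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path -Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File | Where-Object { $_.Name -match $Pattern }) {
        $found += [pscustomobject]@{
            Type = 'StartupFile'; Location = $dir; Name = $file.Name; Command = $file.FullName }
    }
}

if (-not $found) { Write-Output "No autostart entry matching '$Pattern' found."; return }
$found | Format-List   # always show what matched before changing anything

if ($Remove) {
    foreach ($entry in $found) {
        if ($entry.Type -eq 'RunValue') {
            Remove-ItemProperty -Path $entry.Location -Name $entry.Name
        } else {
            Remove-Item -LiteralPath $entry.Command
        }
    }
}
```

Run it without `-Remove` to audit, then with `-Remove -WhatIf` to preview the deletions; removing HKLM values requires an elevated session, which is the limitation on unmanaged BYOD machines raised above.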

L1 Bithead

Re: GlobalProtect Client Startup Windows 10

Ah okay, sounds like the best course of action is for me to submit a feature request, or a bug report.

 

 

Having GP reset itself to default mode means that the "on-demand" setting is being ignored. That's a bug, in my opinion, but if PA have a reason for this weird behaviour they should at least add an option to work around this behaviour for those that actually want an on-demand VPN client, or simply remove the on-demand option altogether because it's not usable as one.

 

Thanks for the assistance.

L0 Member

Re: GlobalProtect Client Startup Windows 10

I get an "Access Denied" message when I click the link. Anyone know why? I'm new to the Live Community
