New Global Protect 3.0 is not good enough

Palo Alto Networks Guru

Re: New Global Protect 3.0 is not good enough

 

GlobalProtect Agent 3.1 is released and incorporates some of the UI functional feedback.

Snippet from the Release Notes:

Changes to Default Behavior

When you configure the connect method as on‐demand, the options that are available from the GlobalProtect home panel on Windows and Mac endpoints are now consistent with the options in the notification area (system tray). GlobalProtect now displays the Connect option until the tunnel is fully established and, after successfully connecting, displays the option to Disconnect the tunnel. Previously, you could not toggle between the two options regardless of the connection state. This change does not apply if the connect method is user‐logon or pre‐logon.

To prevent Windows and Mac users from inadvertently locking their accounts by repeatedly clicking Connect from the agent home screen (such as when not seeing an immediate response to their request), after a user initiates a connection request, GlobalProtect now deactivates the button. The button remains grayed‐out until GlobalProtect establishes the connection or identifies a disconnection or connection failure (such as a failure to authenticate). If the connection request is unsuccessful or GlobalProtect does not receive a valid status, the button returns to an active state after 30 seconds. The Rediscover Network option, which is available from the agent menu in the notification area (system tray), also exhibits the same behavior.

On Windows and Mac endpoints, the configuration of the Enable Advanced View option now determines whether the Status and Show Panel options are enabled or disabled (grayed out) in the notification‐area menu for the agent. When Enable Advanced View is set to Yes, GlobalProtect disables the Status option and enables the Show Panel option. When Enable Advanced View is set to No, GlobalProtect enables the Status option and disables the Show Panel option.

When the Show Advanced View option is enabled for Windows and Mac endpoints and a user launches GlobalProtect from either the Start menu (Windows only) or notification area (system tray), the agent now always opens to the Home tab. Previously, the agent could open up to a different tab. This change ensures users always have the same experience every time they launch the app.

pmc
L2 Linker

Re: New Global Protect 3.0 is not good enough

Great, thanks for the update jmenon. It's good to know that the community's voice is being listened to and positive changes are being made. I will test this out shortly. 

L3 Networker

Re: New Global Protect 3.0 is not good enough

Thanks, we are still hoping for a UI graphical uplift, but some of the minor changes and consistency are nice.

L1 Bithead

Re: New Global Protect 3.0 is not good enough

Is there any way to add the auto reconnect functionality that AnyConnect has? It has happened to me a few times where I have dropped connection on GlobalProtect for whatever reason, and the client will still show as connected even though I can no longer reach the remote network. My local network is still OK and I can surf the web. The AnyConnect client, on the other hand, will reconnect when this happens, and also recognize when it can no longer reach the remote network. If it happens to me, it will happen to end users.

Palo Alto Networks Guru

Re: New Global Protect 3.0 is not good enough


@K12PaloAlto wrote:

Is there any way to add the auto reconnect functionality that AnyConnect has? It has happened to me a few times where I have dropped connection on GlobalProtect for whatever reason, and the client will still show as connected even though I can no longer reach the remote network. My local network is still OK and I can surf the web. The AnyConnect client, on the other hand, will reconnect when this happens, and also recognize when it can no longer reach the remote network. If it happens to me, it will happen to end users.


If you set the connect method to user-logon, the client will auto reconnect. If the connect method is set to on-demand, the client will not auto reconnect for the most part. However, if the client is still showing as connected even though it is not, you will want to open a support case with us and allow our support engineer to investigate the source of the disconnect and wrong status.

L7 Applicator

Re: New Global Protect 3.0 is not good enough

@jmenon I've seen this same issue even with Palo Alto IPSEC site-to-site tunnels and after opening a case with TAC they never actually gave me a firm answer to anything. Just that it was a bug and would be fixed, but I haven't actually seen anything in recent release notes to indicate that the issue was ever addressed.

L1 Bithead

Re: New Global Protect 3.0 is not good enough


@jmenon wrote:

@K12PaloAlto wrote:

Is there any way to add the auto reconnect functionality that AnyConnect has? It has happened to me a few times where I have dropped connection on GlobalProtect for whatever reason, and the client will still show as connected even though I can no longer reach the remote network. My local network is still OK and I can surf the web. The AnyConnect client, on the other hand, will reconnect when this happens, and also recognize when it can no longer reach the remote network. If it happens to me, it will happen to end users.


If you set the connect method to user-logon, the client will auto reconnect. If the connect method is set to on-demand, the client will not auto reconnect for the most part. However, if the client is still showing as connected even though it is not, you will want to open a support case with us and allow our support engineer to investigate the source of the disconnect and wrong status.


 

I am using the on-demand option for connection with split tunnel. I was not able to replicate a local wireless disconnect without the new client (3.1.0) detecting it. That said, there still seems to be an issue if drops are occurring after the laptop. I simulated an AP failure where another AP picked up the connection. The GP client still showed connected during this time. I am able to ping the local router, but unable to ping over the VPN tunnel. The first time it did not recover, and I disconnected and reconnected. The second time I tested running a constant ping of a destination over the VPN, and it did recover. YMMV. I used the APs as an example to introduce slight packet loss. When users are connecting from residential internet connections... I need something reliable and easy for the end user.

 

A quick search on Google found this page from a university (not affiliated):
http://www.northeastern.edu/its/howto/globalprotect-windows-issues/

 

"Sometimes on Windows, a dropped network connection will not fully disconnect the GlobalProtect client – the client will keep trying to connect without success, even once the network connection is back."

 

@jmenon This VPN client is the one thing holding me back from decommissioning our ASA. If we can get the client where it is at least equivalent to AnyConnect, I will be a happy camper. If there is an avenue that would be better for me to offer suggestions, please let me know.

 

L7 Applicator

Re: New Global Protect 3.0 is not good enough

@K12PaloAlto personally we chose to continue to use the ASA simply as a VPN gateway and moved all firewall functions over to the Palo Alto. If you already have the equipment, maintaining the AnyConnect license (if it isn't perpetual) is very cheap to do; and if your ASA is only going to provide VPN then you can get away with a much smaller unit.

The GlobalProtect client for most of our users was 'good enough', however those that did complain brought up valid reasons to continue to use AnyConnect. 

L1 Bithead

Re: New Global Protect 3.0 is not good enough


@BPry wrote:

@K12PaloAlto personally we chose to continue to use the ASA simply as a VPN gateway and moved all firewall functions over to the Palo Alto. If you already have the equipment, maintaining the AnyConnect license (if it isn't perpetual) is very cheap to do; and if your ASA is only going to provide VPN then you can get away with a much smaller unit.

The GlobalProtect client for most of our users was 'good enough', however those that did complain brought up valid reasons to continue to use AnyConnect. 


@BPry Thank you for your comment. We are also using a similar approach currently, but I guess I'm just disappointed that we have to entertain that option for reliable VPN.

L3 Networker

Re: New Global Protect 3.0 is not good enough

We are in the same boat, we moved from ASA to GP, but I wish I made a stand to stick with AnyConnect. Our ASAs are aging, would have to justify buying new ones, but I could probably argue it and use their new 4.x client which is waves ahead of GlobalProtect.

 

If and when the user population complains more and some function or feature isn't there that AnyConnect has, we'll switch back.

 

Palo Alto also doesn't support VPN phones such as Avaya; Cisco of course does. Fantastic, isn't it?
