Cannot install PAN GP VNIC driver

L1 Bithead

I have tried for over a month to install Global Protect and have it work, and can't begin to count how many installs/uninstalls of Global Protect I have done. Many people have tried to offer suggestions and it seems like the root cause is that the PAN GP VNIC driver cannot be installed. When I try to install it manually via the inf, I get an Access Denied error in the UI. I am using an administrator account and have also tried installing with elevated privileges.

 

The latest PanGPS.log says:

Pan GlobalProtect Driver installation failed with error = 2

 

I have searched the web and also in this forum, and have tried every suggestion I could find. Nothing works.

 

The last thing I thought was since I am connected to a dock, perhaps there was something there conflicting. I undocked and went through all the installations again, but no luck.

 

Is there a way to get this driver installed?

L2 Linker

Hello,

 

You can try:

  1. Uninstall all Global Protect installations, if any exist.
  2. Remove all remnants under:
    1. AppData
    2. C:\Program Files
    3. Under Regedit
      1. HKCU Programs Palo Alto Networks
      2. HKLM Programs Palo Alto Networks
    4. Also search Regedit, because there are entries for the Global Protect driver and network card entries in the registry.
    5. I mean remove all remaining values about Global Protect from Regedit. I created a PowerShell script; I hope it works. You can edit and add the desired search location in the bold-typed area.
  3. I hope this can be helpful to you, have a nice day.

 

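    # Text to look for in registry values
    $RE = 'GlobalProtect'
    # Registry location to search; edit this to add other search locations
    $Key = 'HKLM:\SOFTWARE\'
    Get-ChildItem $Key -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the values stored under the current key
        $CurrentKey = Get-ItemProperty -Path $_.PsPath
        # Remove the whole key when any of its values mentions GlobalProtect
        If ($CurrentKey -match $RE) {
            $CurrentKey | Remove-Item -Force
        }
    }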

L1 Bithead

Thanks for the reply. I followed all your steps and unfortunately the same thing happens. The PAN GP driver does not get installed so GlobalProtect won't work. When I start GlobalProtect, I never get prompted for my email address in order for it to populate anything in the settings so the Connect button doesn't work.

L2 Linker

Hello,

 

I noticed I forgot to mention: every change in regedit requires a reboot.

Second option you can try:

Uninstall current installation

Remove all Program Files and AppData folders related to Palo Alto Networks.

Remove all Regedit entries in HKLM and HKCU related to Palo Alto Networks.

Reboot

Stop the WMI service in the Windows services pane (you can open it by starting a command prompt with admin rights, then typing services.msc).

Try installation

Reboot.

Use the recommended version, I think 5.1.3.

 

Good Luck.

 

 

L1 Bithead

Thanks for the additional suggestion. Unfortunately that didn't work either. Looks like GlobalProtect just doesn't want to install on my system.

L0 Member

I have encountered the same error and found it to be because the pangpd.inf has had its software signing certificate revoked. If you look through the Windows Error Reporting log files you will find an entry similar to this:

 

\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd.inf'.
     sto:           {DRIVERSTORE IMPORT VALIDATE} 14:53:01.668
     sig:                {_VERIFY_FILE_SIGNATURE} 14:53:01.717
     sig:                     Key      = pangpd.inf
     sig:                     FilePath = C:\WINDOWS\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd.inf
     sig:                     Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd64.cat
!    sig:                     Verifying file against specific (valid) catalog failed.
!    sig:                     Error 0x800b010c: A certificate was explicitly revoked by its issuer.
     sig:                {_VERIFY_FILE_SIGNATURE exit(0x800b010c)} 14:53:01.717

 

Windows sees the driver as unsigned/untrusted and so will not install the driver for the PAN-GP adapter.

You can prove this by disabling Windows driver signing enforcement although this is not recommended for production systems for obvious reasons. To test the installation with driver signing checks disabled:

1. Disable Secure Boot in the UEFI/BIOS. This may require you to disable BitLocker on your device first

2. From an admin elevated command prompt run "bcdedit /set testsigning on" and then restart your device to disable the Windows driver signing checks and restart your device in Test Mode

3. Install the GP client and verify the PAN GP adapter is installed correctly and the client connects to your infrastructure correctly.

 

Unfortunately this is not a viable production fix so I suggest you raise a support case with Palo Alto TAC including all available logs and request a fix for the pangpd.inf certificate signing revocation.
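
The signature failure quoted in the reply above can be found in a log without changing any boot or signing settings. The following is an added example, not part of the original thread or any Palo Alto Networks tooling: it scans SetupAPI-style log lines for `_VERIFY_FILE_SIGNATURE` sections that exit with a non-zero code and reports the file, catalog and trust error. The function name `Find-SignatureFailure` is hypothetical, the sample lines are copied from the excerpt above, and the log path in the last comment is the usual SetupAPI device log location, which the thread does not state.

```powershell
# Sample input: lines copied from the log excerpt quoted in the thread.
$sample = @'
     sto:           {DRIVERSTORE IMPORT VALIDATE} 14:53:01.668
     sig:                {_VERIFY_FILE_SIGNATURE} 14:53:01.717
     sig:                     Key      = pangpd.inf
     sig:                     FilePath = C:\WINDOWS\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd.inf
     sig:                     Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd64.cat
!    sig:                     Verifying file against specific (valid) catalog failed.
!    sig:                     Error 0x800b010c: A certificate was explicitly revoked by its issuer.
     sig:                {_VERIFY_FILE_SIGNATURE exit(0x800b010c)} 14:53:01.717
'@ -split '\r?\n'

# Well-known WinTrust/certificate HRESULTs, so the report names the failure class.
$TrustCodes = @{
    '0x800b0100' = 'TRUST_E_NOSIGNATURE'
    '0x800b0101' = 'CERT_E_EXPIRED'
    '0x800b0109' = 'CERT_E_UNTRUSTEDROOT'
    '0x800b010c' = 'CERT_E_REVOKED'
}

function Find-SignatureFailure {    # hypothetical helper name
    param([string[]]$Lines)
    $block = $null
    foreach ($line in $Lines) {
        if ($line -match '\{_VERIFY_FILE_SIGNATURE\}\s+(\S+)') {
            # A verification section opens: start collecting its fields.
            $block = [ordered]@{ Time = $Matches[1]; Key = $null; Catalog = $null
                                 Errors = @(); ExitCode = $null; Meaning = $null }
        } elseif ($null -eq $block) {
            continue    # not inside a verification section
        } elseif ($line -match 'sig:\s+(Key|Catalog)\s+=\s+(.+)$') {
            $block[$Matches[1]] = $Matches[2].Trim()
        } elseif ($line -match '^!+\s+sig:\s+Error (0x[0-9a-fA-F]+):\s*(.+)$') {
            $block.Errors += "$($Matches[1]) $($Matches[2].Trim())"
        } elseif ($line -match '\{_VERIFY_FILE_SIGNATURE exit\((0x[0-9a-fA-F]+)\)\}') {
            $block.ExitCode = $Matches[1].ToLower()
            $block.Meaning  = $TrustCodes[$block.ExitCode]
            # Only sections that ended with a non-zero code are reported.
            if ([Convert]::ToUInt32($block.ExitCode, 16) -ne 0) { [pscustomobject]$block }
            $block = $null
        }
    }
}

Find-SignatureFailure -Lines $sample | Format-List
# On a live system (assumed path): Find-SignatureFailure (Get-Content "$env:windir\INF\setupapi.dev.log")
```

For the sample this reports one failed section for `pangpd.inf` against `pangpd64.cat` with exit code `0x800b010c`, which is the kind of evidence to attach to the support case.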
