
Force user GlobalProtect client refresh



Piggybacking off of this earlier thread (LIVEcommunity - Force GlobalProtect Portal refresh of connected clients? - LIVEcommunity - 514881 (p...). Is there a way, whether by registry or whatever, to force the client to grab its new config? We are switching over from on-demand to always-on and want to have users connect without them having to interact. Is there a way to do this?





Why not just adjust this value down to 1 hour, then after a day, or however long it takes to get everyone connected up and receiving the new setting, you can adjust the check-in interval back to whatever your standard is. Trying to force the client to check in through a registry/GPO change is probably going to be more effort than the result is worth, given you can just change the setting below.

[Screenshot: the portal agent configuration check-in interval setting referred to above]

 

This would only apply to people that connect to GlobalProtect, correct? The main issue we have is the people who just don't connect to GP at all or haven't in months. We have some internal gateways spun up in non-tunnel mode for the purpose of user-id/HIP and I would like to begin retrieving this information via GlobalProtect from all clients.


I've tried editing registry values under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings. Specifically, I tried adding connect-method as either pre-logon or user-logon and flipped the on-demand key to no, but no combination so far has gotten GP to initiate a connection. And I have restarted after each of these changes.

 

In the debug logs I'm seeing: "on-demand mode, should try retrive cache again without make connection"

 

But I'm not sure why it keeps thinking it's on-demand.

 

Is there a CLI/PowerShell command we could run to tell the client's GlobalProtect to connect?




How are you connecting to these remote devices to make these registry changes if their VPN isn't enabled?  I'm not certain what the potential CLI/PS command would be to force this.




Yes, this setting would require the users to first connect to get that update.

I'm able to replicate the scenario on my machine: I connect myself to an on-demand config, then flip the portal configs around so I'll hit an always-on config the next time I connect. So the issue I'm having is getting clients to connect so that they get the always-on config. But yes, we've tried changing various registry settings, but even with connect-method set to user-logon and on-demand set to no, the client isn't auto-connecting.




I think the settings you're looking for are defined here:

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-apps/deploy-ap...

 

If the endpoints are connected to/managed by SCCM you can create a package to uninstall and reinstall the GP client, coupled with a reboot. When the client reboots, the OS will automatically try to connect to its defined portal to get the app config. When it does this, the machines will get the config updates you want them to have.
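The SCCM reinstall described above, as an added example that is not from the thread or from Palo Alto Networks: a PowerShell wrapper that runs the GlobalProtect MSI with the CONNECTMETHOD property named later in this thread and handles the MSI exit codes, so a push that uses /norestart does not silently leave the client waiting on a reboot. The MSI path, the portal hostname and the PORTAL property are assumptions for illustration; the exit-code meanings (0, 3010, 1641) are standard Windows Installer values.

```powershell
# Added example, not from the thread: reinstall the GlobalProtect client with an
# install-time connect method and act on the MSI exit code.
# Assumptions: $MsiPath and $Portal are placeholders; CONNECTMETHOD is the MSI
# property named in the thread; PORTAL is assumed to be the MSI property for the
# portal address. Run elevated (SCCM runs packages as SYSTEM, which is fine).
#Requires -RunAsAdministrator
param(
    [string]$MsiPath = 'C:\Deploy\GlobalProtect64.msi',   # assumed package location
    [string]$Portal  = 'gp.example.com',                   # placeholder portal FQDN
    [ValidateSet('user-logon', 'pre-logon', 'on-demand')]
    [string]$ConnectMethod = 'user-logon',
    [switch]$AllowReboot                                   # reboot now if the MSI asks for one
)

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

$log = Join-Path $env:TEMP 'globalprotect-install.log'
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    "PORTAL=`"$Portal`"",
    "CONNECTMETHOD=`"$ConnectMethod`"",
    '/qn', '/norestart',              # silent, and let this script decide about rebooting
    '/l*v', "`"$log`""                # verbose log for the machines that do not pick up the change
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0 {
        Write-Host 'Install succeeded; no reboot requested.'
        # Bounce the service so it re-reads its configuration instead of waiting for a reboot.
        Restart-Service -Name 'PanGPS' -Force -ErrorAction Stop
    }
    3010 {
        # ERROR_SUCCESS_REBOOT_REQUIRED: files or settings are only applied after a restart.
        # A /norestart push that stops here is one way clients end up still running the old config.
        if ($AllowReboot) {
            Write-Host 'Install succeeded; rebooting as requested by the installer.'
            Restart-Computer -Force
        } else {
            Write-Warning 'Install succeeded but a reboot is pending (exit 3010); the client may keep its previous connect method until the machine restarts.'
        }
    }
    1641 { Write-Host 'Install succeeded and the installer initiated a reboot.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}

# Show what the client now has in the per-machine Settings key the thread edits by hand.
$settingsKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
if (Test-Path $settingsKey) {
    $vals = Get-ItemProperty -Path $settingsKey
    Write-Host ("Settings key: connect-method='{0}' on-demand='{1}'" -f $vals.'connect-method', $vals.'on-demand')
}
```

Run it once on a test machine with -AllowReboot to confirm the reboot path, then without it under SCCM and collect the 3010 warnings to see which endpoints are still pending a restart.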


@Claw4609,

What registry changes are you making at the moment exactly, and are you trying to get them to utilize a new portal or simply update the connection method on an existing portal without having them connect?

 

Can't say that I've ever encountered any issues changing this as we go with clients. Set the registry values properly, restart PanGPS to get it to read everything, and you're good to go. 
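The "set the registry values, restart PanGPS" step above, as an added example that is not from the thread or from Palo Alto Networks. It writes the two value names the thread uses (connect-method and on-demand) under the Settings key the thread names, restarts the PanGPS service so it re-reads them, and reads the values back; the service name PanGPS is taken from the post above, and the script assumes an elevated PowerShell session.

```powershell
# Added example, not from the thread: switch a GlobalProtect client from
# on-demand to user-logon via the per-machine Settings key and restart PanGPS.
# Assumptions: value names 'connect-method' and 'on-demand' and the service
# name 'PanGPS' are those named in the thread; must run as administrator.
#Requires -RunAsAdministrator

$settingsKey   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
$connectMethod = 'user-logon'    # 'pre-logon' is the other always-on value the thread tries

if (-not (Test-Path $settingsKey)) {
    throw "GlobalProtect Settings key not found: $settingsKey (is the client installed?)"
}

# Capture the current values first so the change can be reverted if needed.
$before = Get-ItemProperty -Path $settingsKey -ErrorAction Stop
Write-Host ("Before: connect-method='{0}' on-demand='{1}'" -f $before.'connect-method', $before.'on-demand')

# The thread treats both values as strings (REG_SZ); write them explicitly as such.
Set-ItemProperty -Path $settingsKey -Name 'connect-method' -Value $connectMethod -Type String
Set-ItemProperty -Path $settingsKey -Name 'on-demand'      -Value 'no'           -Type String

# Restart the GlobalProtect service so it reloads the Settings key.
$svc = Get-Service -Name 'PanGPS' -ErrorAction Stop
Restart-Service -InputObject $svc -Force
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
$svc.Refresh()

# Verify the values the service will now see; bail out if something rewrote them.
$after = Get-ItemProperty -Path $settingsKey
if ($after.'connect-method' -ne $connectMethod -or $after.'on-demand' -ne 'no') {
    throw 'Registry values did not persist; check whether another process or policy rewrites this key.'
}
Write-Host ("After:  connect-method='{0}' on-demand='{1}' (PanGPS is {2})" -f `
    $after.'connect-method', $after.'on-demand', $svc.Status)
```

If the values read back correctly but the client log still reports on-demand mode, the problem is not the values themselves; the accepted answer below points at the agent process not being able to read the key at all.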

@Brandon_Wertz We do actually use SCCM, and we tried something similar with some success, but this seemed to only work on about half of our roughly 100-person test group. We actually pushed it out with /norestart, so I wonder if that caused some issues? We also pushed it out with CONNECTMETHOD="user-logon". On the half it didn't work on, it did actually install the new version fine; they just didn't auto-connect, and looking through some of their GP client debug logs it still thinks it's on-demand connect method.

 

@BPry We're using the same portal. Even if the users don't normally connect to GP, I want to initiate connections on existing users, as we have some internal gateways in non-tunnel mode where I want to start obtaining user-id/HIP information from these clients.

 

I've tried various things at this point, but the two things I thought would work were: I added string "connect-method" with a value of pre-logon (I also tried it with user-logon), and I flipped the "on-demand" string to "no", with both of them located here: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings

We found the issue, and it ended up being how the PanGPA exe was running: it didn't have application to read the registry, so nothing I was entering even mattered.
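The accepted answer above comes down to the agent process not being able to read the Settings key, which makes every registry edit a no-op. As an added diagnostic that is not from the thread or from Palo Alto Networks, the script below reports which identity runs the PanGPS service and the PanGPA.exe agent, lists the key's access rules, and warns when one of those identities has neither an explicit Allow-read entry nor coverage by one of the usual broad principals. The service and process names are the ones used in the thread; the "broad principal" list is an assumption and group membership is not resolved, so treat a warning as something to check, not proof.

```powershell
# Added diagnostic, not from the thread: can the GlobalProtect service and agent
# actually read the Settings key that the posts above edit by hand?
# Assumptions: service 'PanGPS' and process 'PanGPA' as named in the thread;
# the $broad list is a heuristic; run elevated so process owners are visible.
#Requires -RunAsAdministrator

$settingsKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
if (-not (Test-Path $settingsKey)) { throw "Key not found: $settingsKey" }

# 1. Identities: the service account and the user(s) running the agent UI.
$identities = @()
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PanGPS'"
if ($svc) {
    # Win32_Service reports the built-in service account as 'LocalSystem'; ACLs name it 'NT AUTHORITY\SYSTEM'.
    $svcAccount = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
    $identities += $svcAccount
    Write-Host ("PanGPS service: state={0} account={1}" -f $svc.State, $svcAccount)
} else {
    Write-Warning 'PanGPS service not found'
}
$agents = @(Get-Process -Name 'PanGPA' -IncludeUserName -ErrorAction SilentlyContinue)
if ($agents) {
    $agents | ForEach-Object { Write-Host ("PanGPA.exe pid={0} user={1}" -f $_.Id, $_.UserName) }
    $identities += $agents.UserName
} else {
    Write-Warning 'PanGPA.exe is not running'
}
$identities = @($identities | Where-Object { $_ } | Sort-Object -Unique)

# 2. What the key says when read by the caller (an administrator).
$vals = Get-ItemProperty -Path $settingsKey -ErrorAction Stop
Write-Host ("Key values: connect-method='{0}' on-demand='{1}'" -f $vals.'connect-method', $vals.'on-demand')

# 3. Access rules on the key: who may read it, and whether anything is explicitly denied.
$acl     = Get-Acl -Path $settingsKey
$readBit = [System.Security.AccessControl.RegistryRights]::ReadKey
$allow   = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $readBit) -eq $readBit) })
$deny    = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
$allowNames = @($allow | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
Write-Host ("Allow-read principals: " + ($allowNames -join ', '))
if ($deny) {
    Write-Warning ("Deny rules present for: " + (($deny | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '))
}

# 4. Flag identities from step 1 that have no explicit Allow-read entry and are not
#    obviously covered by a broad principal (heuristic: group membership is not resolved).
$broad   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$covered = @($allowNames | Where-Object { $broad -contains $_ })
foreach ($id in $identities) {
    if (($allowNames -notcontains $id) -and -not $covered) {
        Write-Warning "'$id' has no explicit Allow-read rule on $settingsKey and no broad principal grants one; a PanGPS/PanGPA instance running as this identity will ignore edits to this key."
    }
}
```

Compare the "Key values" line with what the client's own debug log reports (the thread's case logged on-demand mode despite the key saying otherwise); when the two disagree and a warning fires, fix the key's ACL or the account the agent runs under before touching the values again.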
