Global Protect application blank screen

Hello BPry,

The issue is when I click the global protect app to connect the VPN and it redirects to a blank screen not to the login portal to enter the credentials.

Also, we are using the SAML DUO 2FA for two-factor authentications so it should redirect to the login portal and then enter the 2FA passcode to successfully log in to the VPN on my PC.

The issue is with my PC only and the rest works fine.

the attached is the screenshot which I get after clicking the global protect App.

So i need help to resolve this issue in my PC.

Hello All,

Can anybody support me on the above issue?

Did you ever get a fix to this issue?

I have a user getting this exact behavior, if I use my username it works fine. If I use his username I get a screen just like yours.

That means this cannot be a pc issue. as both are on the same windows session.

Thanks 

---

@cosmith8000 wrote:

Did you ever get a fix to this issue?

I have a user getting this exact behavior, if I use my username it works fine. If I use his username I get a screen just like yours.

That means this cannot be a pc issue. as both are on the same windows session.

 

Thanks 

 

---

I'm not 100% sure this is the exact cause of your issue and the OP's, @SamiPTfA , but we had an issue using SAML auth and using the "embedded browser" for authentication.  GP client versions before 6.0.10, 6.1.5 and 6.2.3 do not support TLS1.3 for authentication, as the software called the Windows OS component called "Webview."  Webview calls the legacy Internet Explorer browser.  Since IE doesn't support TLS1.3 the GP client calling this component the SAML auth intermittently fails.  So the GP client cannnot broker the TLS1.3 SAML authentication to the external provider. 

We had users that intermittently receive a similar GP client pop-up.  With the GP software release of 6.0.10+, 6.1.5+ and 6.2.3+ the software support "Webview2" which uses the "Edge" version of the Windows OS browser.  Because the GP client is calling edge, via Webview2, TLS1.3 is supported.  

Once we migrated clients to GP version 6.0.10 users no longer failed to authenticate or receive the GP window popup.

--edit-- 

If using the "default browser" for authentication the SAML auth request is handed off to whatever the Windows OS default browser is.  In this case Edge or Chrome installed in a Windows 10/11 machine of course support TLS1.3 and clients never get stuck in this auth failure.

This could also be masked by the local machine having TLS1.3 disabled in the advanced settings of Internet properties.  With TLS1.3 disabled on the local machine earlier GP client software versions can't call TLS1.3 and therefore the use of the legacy Webview works with "embedded browser" selected as your authentication method.

The setting is in the Portal app config.  With "no" it's using the embedded browser within the GP client.  If yes, the SAML auth is offloaded to the Windows OS

---

@jbusby wrote:

Hi , I've seen a similar issue , it related to some Internet Explorer Group Policy setting applying to the affected machine .  Are you a windows user, do you perhaps as an admin have a different IE config to your users?  I think this was the relevant post for me - https://www.reddit.com/r/paloaltonetworks/comments/qqbrcp/win10_msft_sec_baseline_conflict_w_gp_embe...

---

I think your comment months ago was probably spot on.  Sad part is with this reddit thread being as old as it was, Palo was doing nothing to fix the calling of WebView2.  It wasn't until our issue and forcing this with Palo, that they got their development team involved in recoding the GP client to call Webview2.  It wasn't something that was even on their radar, to my knowledge, of integrating into their software.

Where do you make this settings adjustment, please?

"Other way to fix this under Agent config say do not use default browser and instead use Embedded browser."

We do not have an Agent Config option in our version.