01-14-2022 08:42 AM
When I log in to my laptop computer, underneath my user name for sign-in SOMETIMES is the status message: GlobalProtect Status: Connected (and under it the name of the GP portal/gateway). But at other times I see no such message or "sign in options". If sign-on options are there, one includes the GP logo with a check on it.
A third issue I've now seen is where the status message "GlobalProtect Status: Connected" is misleading. If I open the gateway/users on the PAN I can see that in fact my laptop was not connected.
So two questions:
1) What governs when the GlobalProtect Status appears on the Windows 10 login page?
2) What might cause the GlobalProtect status to say Connected when in fact it is not?
Bonus question: How to approach troubleshooting issue 2 since the false Connected message
is occurring prior to login?
01-14-2022 12:50 PM - edited 01-14-2022 12:52 PM
Have you configured pre-logon tunnel?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0
Also, if you enabled the Windows reg keys for before logon, then GlobalProtect will log in to the VPN with the Windows boot logon credentials, and if you are just using Windows SSO then maybe when the computer boots it logs into the VPN really fast:
Connect Before Logon (paloaltonetworks.com)
Single Sign-On (paloaltonetworks.com)
Always On VPN Configuration (paloaltonetworks.com)
From your description it could be the Before Logon option, which is dictated by the reg keys change on your PC.
01-14-2022 04:04 PM
Thanks Nikolay. So the pre-logon piece is actually working most of the time. The problems are the inconsistencies of the login page display and the occasional inaccurate claim of "Connected" when in fact it's not connected.
Any thoughts on why sometimes the GP Connected/Not Connected status would show but at other times neither message would show?
01-14-2022 10:38 PM
The login provider for GlobalProtect can be inconsistent at times in actually being listed. In most of my installations we actually hide the provider so it doesn't show up, since the pre-logon tunnel will work properly in the background unless the installation actually requires/makes use of Connect Before Logon. Usually if the installation wants that, they simply want pre-logon and a forced VPN tunnel, so the provider doesn't actually matter.
As for the Connected message appearing, keep in mind that the login provider is reading the status of PanGPS (the GlobalProtect Service) separately from the PanGPA (the agent). As the agent actually fires up upon login, you can see a delay in it showing connected as it reads information from PanGPS causing it to show disconnected while the tunnel is in fact online.
01-14-2022 11:10 PM - edited 01-14-2022 11:43 PM
Hi BPry. You may be going a little over my head here. Can you give an example of what you mean by a provider? I don't think I've seen that problem. But maybe you're rephrasing something I've asked about - or correcting some term.
Now as for the Connected message - when you say "login provider is reading the status of PanGPS" - are you referring to Microsoft? The login page is the same login page Windows 10 presents to anyone. Except that since we installed GP with pre-login, if you click Sign-in options you'll see [GP][FIDO Sec Key][PIN][Password]... So what I'm not getting is that sometimes if I go to that login page it says just "Sign-in options". But other times it's showing the status. If I go into Task Manager I see background process GlobalProtect client and GlobalProtect service both running. Are you saying perhaps one of these is not running at the time I hit the login screen and that could be making the difference as to whether connection status is displayed?
01-17-2022 01:15 AM - edited 01-17-2022 01:30 AM
If you have enabled pre-logon, then also check that the Windows reg keys have not been changed for before logon, as prelogon and before logon can't work together:
"The Pre-logon and Pre-logon then On-demand connection methods are not supported simultaneously with Connect Before Logon."
Connect Before Logon (paloaltonetworks.com)
The Before logon is a new option that Windows 10 has for VPN agents like GlobalProtect, called "providers" in Windows, where when you log on to your computer you also log on with the same credentials at the same time to the VPN agent; it is just a simple change of Windows reg keys and requires GlobalProtect 5.2 or newer:
Deploy Connect Before Logon Settings in the Windows Registry (paloaltonetworks.com)
As I mentioned, you go with either before logon or prelogon, for example to allow the computer to connect to an Active Directory server for some scripts during boot-up, and for prelogon it is best to use machine certificates that are always on the device. Also, the prelogon option is seen on the Windows credential provider screen too, not only the "Before logon":
"""""""""'
The GlobalProtect Credential Provider logon screen for Windows 7 and Windows 10 endpoints also displays the pre-logon connection status prior to user login, which allows end users to determine whether they can access network resources upon login. If the GlobalProtect app detects an endpoint as internal, the logon screen displays the
pre-logon connection status. If the Globalprotect app detects an endpoint as external, the logon screen displays the
or
"""""""""""""""""""'
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0
Remote Access VPN with Pre-Logon (paloaltonetworks.com)
01-18-2022 08:48 AM
I checked the registry CBL as shown in the first site and that does not exist.
I do however see
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
Prelogon REG_SZ 1
Portal REG_SZ gp.acme.com
CurrentVersion REG_SZ 5.2.5-66
01-19-2022 01:06 AM
I have prelogon on my PC and it is similar to yours, only that my "LogonState" is "0x00000001", but I can't say anything specific about this variable. With me, when the prelogon happens my GlobalProtect shows the VPN tunnel as established, and then after a couple of seconds the GlobalProtect agent becomes gray as if it disconnected itself and I am asked for credentials to establish a real tunnel.
Better to check your PanGPS and PanGPA logs to see why the prelogon fails:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRlCAK
I also suggest updating your agent to the latest software and checking the connectivity between your computer and the gateway that is used for the prelogon. Also check your configuration again, check that the machine certificate for the prelogon authentication is on your PC, and check the GlobalProtect logs in the GUI, which may help discover why the prelogon does not happen (previously the System logs had this info, but now there is a separate log in the GUI).
Basic GlobalProtect Configuration with Pre-logon - Knowledge Base - Palo Alto Networks
If nothing helps, check for known bugs for your Palo Alto and GlobalProtect versions and raise a TAC case if needed. For example:
GlobalProtect App 5.2 Known Issues (paloaltonetworks.com)
Known Issues (paloaltonetworks.com)
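
A read-only check of the settings discussed in this thread, added here as an example and not part of any poster's reply: it reads the PanSetup values quoted above, tests for a CBL key, and reports the state of the PanGPS service and the PanGPA process. The CBL key location under the same GlobalProtect key is an assumption.

```powershell
# Added example: read-only GlobalProtect pre-logon diagnostic for a Windows endpoint.
# Nothing is modified; run it from an elevated PowerShell session.
$gpRoot   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect'
$panSetup = Join-Path $gpRoot 'PanSetup'  # key and value names as quoted in the thread
$cblKey   = Join-Path $gpRoot 'CBL'       # assumed location of the Connect Before Logon key

$setup      = Get-ItemProperty -Path $panSetup -ErrorAction SilentlyContinue
$cblPresent = Test-Path -Path $cblKey
$service    = Get-Service -Name 'PanGPS' -ErrorAction SilentlyContinue
$agent      = Get-Process -Name 'PanGPA' -ErrorAction SilentlyContinue

# The thread shows Prelogon stored as the string "1"; compare as text so a
# numeric value of 1 is treated the same way.
$prelogonOn = ($null -ne $setup) -and ("$($setup.Prelogon)" -eq '1')

[pscustomobject]@{
    Portal          = $setup.Portal
    AppVersion      = $setup.CurrentVersion
    PrelogonEnabled = $prelogonOn
    CblKeyPresent   = $cblPresent
    PanGPSStatus    = if ($service) { $service.Status } else { 'service not found' }
    PanGPARunning   = [bool]$agent
} | Format-List

# The documentation quoted in the thread says these two methods cannot be combined.
if ($prelogonOn -and $cblPresent) {
    Write-Warning 'Pre-logon and Connect Before Logon are both configured; they are not supported together.'
}

# Per the thread, the logon-screen status is read from the PanGPS service.
if ((-not $service) -or ($service.Status -ne 'Running')) {
    Write-Warning 'PanGPS is not running, so the logon-screen status cannot reflect a live tunnel.'
}

# PanGPA (the agent) starts at user login, so its absence before login is expected.
if (-not $agent) {
    Write-Output 'PanGPA is not running (expected when no user is logged in).'
}
```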