01-14-2022 08:42 AM
When I login to my laptop computer - underneath my user name for sign in SOMETIMES is the status
message: GlobalProtect Status: Connected (and under it the name of the GP portal/gateway.)
But at other times I see no such message or "sign in options". If sign on options are there one
includes the GP logo w check on it.
A third issue now I've seen is where the status message "GlobalProtect Status:Connected" is
misleading. If I open the gateway/users on the PAN I can see that in fact that my laptop was
not connected.
So two questions:
1) What governs when the GlobalProtect Status appears on the Windows 10 login page?
2) What might cause the GlobalProtect status to say Connected when in fact it is not?
Bonus question: How to approach troubleshooting issue 2 since the false Connected message
is occurring prior to login?
01-14-2022 12:50 PM - edited 01-14-2022 12:52 PM
Have you configured pre-logon tunnel?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0
Also if you enabled the windows reg keys for before logon then the Globalprotect will log with Windows boot logon credentials to the VPN and also if you are just using Windows SSO then maybe when the computers boots it logs into the VPN really fast:
Connect Before Logon (paloaltonetworks.com)
Single Sign-On (paloaltonetworks.com)
Always On VPN Configuration (paloaltonetworks.com)
From your description it could the Before Logon option that is dictated by the reg keys change on your PC.
01-14-2022 04:04 PM
Thanks Nikolay. So the pre-logon piece is actually working most of the time. The problems are the inconsistencies
of the login page display and the occasional inaccurate claim of "Connected" when in fact it's not connected.
Any thought why sometimes GP Connected/Not Connected status would show but at other times neither
message would show?
01-14-2022 10:38 PM
The login provider for GlobalProtect can be inconsistent at times actually being listed. Most of my installations we actually hide the provider so it doesn't show up since the pre-logon tunnel will work properly in the background unless the installation actually requires/makes use of Connect Before Logon. Usually if the installation wants that they simply want pre-logon and a forced VPN tunnel, so the provider doesn't actually matter.
As for the Connected message appearing, keep in mind that the login provider is reading the status of PanGPS (the GlobalProtect Service) separately from the PanGPA (the agent). As the agent actually fires up upon login, you can see a delay in it showing connected as it reads information from PanGPS causing it to show disconnected while the tunnel is in fact online.
01-14-2022 11:10 PM - edited 01-14-2022 11:43 PM
Hi BPry. You may be going a little over my head here. Can you give an example of what you mean by a provider? I don't think I've seen that problem. But maybe you're rephrasing something I've asked about - or correcting some term.
Now as for Connected message - when you say "login provider is reading the status of PanGPS" - are you referring to Microsoft? The login page is the same login page Windows 10 presents to anyone. Except that since we installed GP w pre-login, if you client Sign-in options you'll see [GP][FIDO Sec Key][PIN][Password]. ..so what I'm not getting is that sometimes if I go to that login page it says just "Sign-in options". But other times it's showing the status. If I go into Task Manager I see background process GlobalProtect client and Global Protect service both running. Are you saying perhaps one of these is not running at the time I hit the login screen and that could be making the difference as to whether connection status is displayed?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!