This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Global Protect AutoVPN and Windows 10 Login Screen

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect AutoVPN and Windows 10 Login Screen

palomed
L3 Networker

‎01-14-2022 08:42 AM

When I login to my laptop computer - underneath my user name for sign in  SOMETIMES is the status

message: GlobalProtect Status: Connected (and under it the name of the GP portal/gateway.)

 

But at other times I see no such message or "sign in options". If sign on options are there one 

includes the GP logo w check on it. 

A third issue now I've seen is where the status message "GlobalProtect Status:Connected" is

misleading. If I open the gateway/users on the PAN I can see that in fact that my laptop was

not connected. 

 

So two questions: 
1) What governs when the GlobalProtect Status appears on the Windows 10 login page?
2) What might cause the GlobalProtect status to say Connected when in fact it is not?

Bonus question: How to approach troubleshooting issue 2 since the false Connected message

is occurring prior to login?

 

0 Likes Likes
7 REPLIES 7

nikoolayy1
Cyber Elite
Cyber Elite

‎01-14-2022 12:50 PM - edited ‎01-14-2022 12:52 PM

Have you configured pre-logon tunnel?

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

 

 

Also if you enabled the windows reg keys for before logon then the Globalprotect will log with Windows boot logon credentials to the VPN and also if you are just using Windows SSO then maybe when the computers boots it logs into the VPN really fast: 

 

 

Connect Before Logon (paloaltonetworks.com)

 

 

 

 

Single Sign-On (paloaltonetworks.com)

 

Always On VPN Configuration (paloaltonetworks.com)

 

 

 

 

 

 

From your description it could the Before Logon option that is dictated by the reg keys change on your PC.

0 Likes Likes

palomed
L3 Networker
In response to nikoolayy1

‎01-14-2022 04:04 PM

Thanks Nikolay. So the pre-logon piece is actually working most of the time. The problems are the inconsistencies 

of the login page display and the occasional inaccurate claim of "Connected" when in fact it's not connected. 

Any thought why sometimes GP Connected/Not Connected status would show but at other times neither

message would show?

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎01-14-2022 10:38 PM

@palomed,

The login provider for GlobalProtect can be inconsistent at times actually being listed. Most of my installations we actually hide the provider so it doesn't show up since the pre-logon tunnel will work properly in the background unless the installation actually requires/makes use of Connect Before Logon. Usually if the installation wants that they simply want pre-logon and a forced VPN tunnel, so the provider doesn't actually matter.

 

As for the Connected message appearing, keep in mind that the login provider is reading the status of PanGPS (the GlobalProtect Service) separately from the PanGPA (the agent). As the agent actually fires up upon login, you can see a delay in it showing connected as it reads information from PanGPS causing it to show disconnected while the tunnel is in fact online. 

0 Likes Likes

palomed
L3 Networker
In response to BPry

‎01-14-2022 11:10 PM - edited ‎01-14-2022 11:43 PM

Hi BPry. You may be going a little over my head here. Can you give an example of what you mean by a provider? I don't think I've seen that problem. But maybe you're rephrasing something I've asked about - or correcting some term. 

Now as for Connected message - when you say "login provider is reading the status of PanGPS" - are you referring to Microsoft? The login page is the same login page Windows 10 presents to anyone. Except that since we installed GP w pre-login, if you client Sign-in options you'll see [GP][FIDO Sec Key][PIN][Password].   ..so what I'm not getting is that sometimes if I go to that login page it says just "Sign-in options". But other times it's showing the status. If I go into Task Manager I see background process GlobalProtect client and Global Protect service both running. Are you saying perhaps one of these is not running at the time I hit the login screen and that could be making the difference as to whether connection status is displayed?

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks