Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect

Not applicable

Hi all,

im tryng various option to disable the global protect client on my macbook.

The vpn client works fine, but if i select the disable option with ticket, or with pass code, and try to disconnect from the client it's disconnect without challange or request password. I've also specified to doesn't display the advenced tab and i see the option in grey... disabled, but if i click on show pannel it's also in advanced mode.

The authentication type is local database, on demand.

16 REPLIES 16

Not applicable

No one have an idea for this? There isn't anyone from Palo Alto tech support?

Unfortunately this forum is more of a "customers helping customers" with some PaloAlto dudes (and dudettes 😉 showing up every now and then.

For a real or urgent problem you are adviced to contact your sales rep / sales engineer to setup a proper support case.

Dunno why it is this way, would save some time if forum threads could be automagically taken care of by the support dudes/dudettes aswell...

L3 Networker

What version of GP are you using?  And have you configured the Portal to allow for an override shut down?

I'm using all the last release, i've opened a ticket at suport team.

L3 Networker

This is easy to do. firstly you need app cleaner installed on your mac. open app cleaner and then on a separate window you open up the application folder and select the GP entry - don't do anything yet.

next you you go to utilities > activity monitor and look for the GP service. You need to force the service to stop and before the GP client has the chance to start again, then very quickly you need to copy the GP application from the application folder into app cleaner and then click to remove the application.

It's tricky but after a couple of failed attempts you will master it.

GP is awful, stick to Cisco VPN client until PA can sort out all the bugs.....

Rod

I've asked for a feature to deny the unblock vpn and you say to uninstal?

Palo Alto Networks Guru

The disable option is only used if 'on-demand' is disabled, meaning if GlobalProtect is in a mode where it would automatically connect to the gateway. From your post I believe your in on-demand mode, which is why you see a connect and disconnect option.

Palo Alto Networks Guru

Rod, what is it about GlobalProtect that makes it so aweful? Sure, every product has issues, but we get pretty good feedback from other customers. I'd like to understand how we could help to make sure you have a better product experience too.

I don't quite understand why it is awful?  We have been using it for over a year and after everything was configured properly it works flawlessly!  I love how when products don't work exactly how someone envisions them to that they are immediately awful.  PA tech support was great when we needed help setting up GP.

If the option to disconnect with a ticket is unavailable or doesn't work with on demand mode... it's not explained on the document available to configure Globalprotect nor a banner or a warning message says... attention that features doesn't work with on demand features... It isn't a little bit stupid? For other things te PA says if there is something wrong.

So my cases to support is opened and they hasn't said me nothing about that. I will see if there are news and i'll update you about that.

Bye

Khamis, I resent your post. By having an opinion about something does not equate to giving out idiotic advice. You will notice that Im the only one to offer a solution to this problem which is or hasn't been documented property. I spent 3 days trying to remove this client from a test mac - hardly the operation of an easy to use client. Or do you think removing an application is beyond the remit of one's intelligence. While we are on the point I didnt notice you giving any sort of constructive advice. I suggest you engage your brain before trying to be awkward to a fellow poster I'm the future.

Re GP and my awful statement I have these feelings because of my experience with GP,

1. There is no(documented) way to uninstall it from a mac, as this poster had highlighted

2. The documentation and configuration scenario examples are vague

3. The client doesn't have some of the functionality of other VPN Clients

4. I don't like the fact that it installs and runs automatically

5. The automatic remember me function caused me lots issues before the latest version was released

6. It intermittently doesnt work when authentication to external RADIUS servers

I'm still testing this and are not confident about GP capabilities as a basic VPN client. I love the PA and some of its functions, but  feel when PA moved from net connect to GP they made something that was really simple and worked into something that didn't need to be complicated and full of bugs.

Rod

Hi djrodb ,

why you have uninstalled this "trick" and not with the feature in the pkg file used to install the global protect?

Palo Alto Networks Guru

I admit it's not exactly intuitive to select "Install" on an uninstall routine, but you can simply launch the .pkg file to uninstall GlobalProtect. I know we should maybe document this better, though it is the standard way of uninstalling software on the Mac.

GlobalProtect doesn't provide the list of features other VPN clients might have. But we felt that we should focus on what's really needed and make the user experience our highest priority. The goal of GlobalProtect is to keep you connected to a Palo Alto Networks Next Generation Firewall at all times to ensure that mobile user experience the same level of protection they get on the campus network. With that, it is important in my opinion to be as non-intrusive as possible, which is why it runs and connects automatically (which you can change btw).

The issues you are experiencing with RADIUS based authentication should be investigated a little bit further. RADIUS is a very common authentication scheme used by many of our customers, especially in conjunction with GlobalProtect.

Hi mwalter

just to follow on re the GP testing and my comments regarding it.

I've configured the portal to use kerberos authenticaiton and can authenticate with my AD account no problems. I have the GP portal configured for on demand and I have single sign off disabled. When I log into my PC GP authenticates with my kerberos account ok. I then proceed to click on connect and this is when I find problems with the GP client.

For example in the attached image you can see my RSA real time monitor log - the pink entry is when I click on connect - The GP client automatically tries to authenticate with the RSA server? I don't know what it's trying to authenticate with as the single sign off is disabled and I haven't yet been prompted to enter a password from the gateway side of the GP authentication feature.

Next the GP gateway element asks me to enter a password - i proceed to enter my password and the GP connects ok. This is represented in the attached image with the white entry showing a successful login.

Now consider this - I have a RSA policy that locks out accounts after 3 failed attempts within a 60 minute period. Our users aren't the most technically savvy bunch of people and I would expect that there would be quite a lot of login attempts at the GP client due to users not following documentation or having connection issues....

Like some other posters have indicated there is every chance some third party RADIUS authentication systems will lock out accounts unknowengly...

My question is this - why does GP try and authenticate with our external RSA system before I get the chance / are prompted to put in my password / passcode ? Surely the client should wait until the credentials are entered?

Thanks

Rod

  • 11122 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!