Global Protect

Unfortunately this forum is more of a "customers helping customers" with some PaloAlto dudes (and dudettes 😉 showing up every now and then.

For a real or urgent problem you are adviced to contact your sales rep / sales engineer to setup a proper support case.

Dunno why it is this way, would save some time if forum threads could be automagically taken care of by the support dudes/dudettes aswell...

I'm using all the last release, i've opened a ticket at suport team.

I've asked for a feature to deny the unblock vpn and you say to uninstal?

Rod, what is it about GlobalProtect that makes it so aweful? Sure, every product has issues, but we get pretty good feedback from other customers. I'd like to understand how we could help to make sure you have a better product experience too.

I don't quite understand why it is awful?  We have been using it for over a year and after everything was configured properly it works flawlessly!  I love how when products don't work exactly how someone envisions them to that they are immediately awful.  PA tech support was great when we needed help setting up GP.

If the option to disconnect with a ticket is unavailable or doesn't work with on demand mode... it's not explained on the document available to configure Globalprotect nor a banner or a warning message says... attention that features doesn't work with on demand features... It isn't a little bit stupid? For other things te PA says if there is something wrong.

So my cases to support is opened and they hasn't said me nothing about that. I will see if there are news and i'll update you about that.

Bye

Khamis, I resent your post. By having an opinion about something does not equate to giving out idiotic advice. You will notice that Im the only one to offer a solution to this problem which is or hasn't been documented property. I spent 3 days trying to remove this client from a test mac - hardly the operation of an easy to use client. Or do you think removing an application is beyond the remit of one's intelligence. While we are on the point I didnt notice you giving any sort of constructive advice. I suggest you engage your brain before trying to be awkward to a fellow poster I'm the future.

Re GP and my awful statement I have these feelings because of my experience with GP,

1. There is no(documented) way to uninstall it from a mac, as this poster had highlighted

2. The documentation and configuration scenario examples are vague

3. The client doesn't have some of the functionality of other VPN Clients

4. I don't like the fact that it installs and runs automatically

5. The automatic remember me function caused me lots issues before the latest version was released

6. It intermittently doesnt work when authentication to external RADIUS servers

I'm still testing this and are not confident about GP capabilities as a basic VPN client. I love the PA and some of its functions, but  feel when PA moved from net connect to GP they made something that was really simple and worked into something that didn't need to be complicated and full of bugs.

Rod

Hi djrodb ,

why you have uninstalled this "trick" and not with the feature in the pkg file used to install the global protect?

I admit it's not exactly intuitive to select "Install" on an uninstall routine, but you can simply launch the .pkg file to uninstall GlobalProtect. I know we should maybe document this better, though it is the standard way of uninstalling software on the Mac.

GlobalProtect doesn't provide the list of features other VPN clients might have. But we felt that we should focus on what's really needed and make the user experience our highest priority. The goal of GlobalProtect is to keep you connected to a Palo Alto Networks Next Generation Firewall at all times to ensure that mobile user experience the same level of protection they get on the campus network. With that, it is important in my opinion to be as non-intrusive as possible, which is why it runs and connects automatically (which you can change btw).

The issues you are experiencing with RADIUS based authentication should be investigated a little bit further. RADIUS is a very common authentication scheme used by many of our customers, especially in conjunction with GlobalProtect.

Hi mwalter

just to follow on re the GP testing and my comments regarding it.

I've configured the portal to use kerberos authenticaiton and can authenticate with my AD account no problems. I have the GP portal configured for on demand and I have single sign off disabled. When I log into my PC GP authenticates with my kerberos account ok. I then proceed to click on connect and this is when I find problems with the GP client.

For example in the attached image you can see my RSA real time monitor log - the pink entry is when I click on connect - The GP client automatically tries to authenticate with the RSA server? I don't know what it's trying to authenticate with as the single sign off is disabled and I haven't yet been prompted to enter a password from the gateway side of the GP authentication feature.

Next the GP gateway element asks me to enter a password - i proceed to enter my password and the GP connects ok. This is represented in the attached image with the white entry showing a successful login.

Now consider this - I have a RSA policy that locks out accounts after 3 failed attempts within a 60 minute period. Our users aren't the most technically savvy bunch of people and I would expect that there would be quite a lot of login attempts at the GP client due to users not following documentation or having connection issues....

Like some other posters have indicated there is every chance some third party RADIUS authentication systems will lock out accounts unknowengly...

My question is this - why does GP try and authenticate with our external RSA system before I get the chance / are prompted to put in my password / passcode ? Surely the client should wait until the credentials are entered?

Thanks

Rod