07-19-2018 10:19 PM
GlobalProtect Version 4.1.0-98
PAN OS 8.0.10
Login mode: on-demand
Hi there,
we've rolled out the GP software on everyone's PCs.
Every time a Windows (10) client is rebooted, the "GlobalProtect" pop-up GUI shows up. Is there a way to stop loading the "GlobalProtect" pop-up GUI after rebooting Windows?
Thank you.
07-20-2018 06:27 AM
GlobalProtect by default installs itself to run at startup, as most VPN clients do. This ARTICLE goes in-depth with how you would disable this if it isn't a required action in your environment. There are ways to script this with Group Policy that I would suggest looking into unless this is a really small installation.
10-03-2018 07:16 AM
This is an incredible annoyance for our users, the App is set to On-demand yet the portal pops up continuously for logon credentials even though the app is clearly displaying "OnDemand mode" as it does so! I thought the whole point of "OnDemand" was that the user could initiate it when required, not a continuous spamming of the user for credentials to initiate a VPN connection they are not interested in.
The article detailing how to fix this appears to have been pulled by PA. Both the link above and this (from Google's cache) are inaccessible:
Any suggestions?
10-03-2018 07:19 AM
You can always simply turn the GlobalProtect client so that it doesn't launch on startup.
10-03-2018 07:29 AM
Thanks, but I'm trying to configure the behaviour globally for hundreds of users, not just swat away the symptoms on one machine manually. Additionally, if it's not running, there's no systray icon to click on, and that's how users have been trained.
Perhaps my Google-fu is weak, but I'm aware that there's a bug with GlobalProtect that, even if it's configured in On-demand mode, behaves as if it's in SSO mode.
Ideally, it autostarts in on-demand mode, and actually respects that on-demand setting, sitting there in the system tray until user-interaction.
If the 'on-demand still running in SSO mode' bug doesn't have an easy fix, disabling autostart globally is a worse, but acceptable option.
Hope that makes sense.....
10-03-2018 07:41 AM
This isn't a bug, it's a design decision with how SSO functions within GlobalProtect. Once you restart, the GP client gets set to default mode, which means that on-demand isn't set up and it defaults to SSO. The client then does a discovery on the portal to determine if it's set up with on-demand or SSO. Since you are in on-demand mode, the notification that pops up should simply be the "connect" option.
I won't argue that PAN should include some savable registry key or something of the sort to stop this functionality and default to true on-demand, but it isn't set up like that as is. In the current implementation this functionality would break SSO; there was hope that during the redesign of the agent they were going to make some backend code changes to allow for this feature request to finally be fulfilled, but that simply wasn't the case.
As it sits now, if you wish to suppress the message right off the bat you would need to NOT start GP on startup and train the user to actually launch it like they would a normal application.
10-03-2018 07:47 AM
Understood, that's a very disappointing design choice by PA. It's certainly working as intended, it's just infuriating and causing a lot of hatred within our company (and also hurting the reputation of GlobalProtect across the wider web community).
With 'true' On-demand being an unusable and broken mess, our only option is to prevent GlobalProtect from autostarting and retraining users to launch it manually before they want to connect.
Since the article detailing this has been pulled (at least, neither Google's cache nor my login are permitted to view it) would you be kind enough to detail how I could configure GlobalProtect not to autostart globally? This is something that needs to be configured at the portal end, since our group policy doesn't have any influence on machines outside our domain (and used by BYOD staff and those working from home).
Thanks.
10-03-2018 08:28 AM
You're going to hate my answer to this .... you can't stop the 'start on logon' for the GlobalProtect app from the firewall, it needs to be done on the end user's machine. Since you don't control the end-device you also can't do this any other way since you wouldn't have the rights to modify registry keys or anything like that. The article in question essentially simply walked users through removing the start on logon functionality on their machines, nothing more.
The application install by default adds itself to startup items.
It's possibly something you could/can manually modify through something like InstEd and simply remove the functionality and rebuild the msi file. However that's questionably legal when it comes to redistributing the file or telling someone they could/can modify the MSI to get the behavior to function as they wish. You probably could/can do something like that, maybe, and get it functional. If someone were to do this they might want to look at the Registry and Component table, they might be able to modify those locations to stop GP from automatically being included in the startup directory. But who knows, I'm certainly not telling you it's possible 😉
10-03-2018 10:49 AM
Ah okay, sounds like the best course of action is for me to submit a feature request, or a bug report.
Having GP reset itself to default mode means that the "on-demand" setting is being ignored. That's a bug, in my opinion, but if PA have a reason for this weird behaviour they should at least add an option to work around this behaviour for those that actually want an on-demand VPN client, or simply remove the on-demand option altogether because it's not usable as one.
Thanks for the assistance.
10-18-2019 08:52 AM
I get an "Access Denied" message when I click the link. Anyone know why? I'm new to the Live Community
09-08-2020 08:52 AM
I don't know why the link is not accessible. It is really annoying that the Palo Alto Live community is sharing a link but it is not working.
09-08-2020 09:00 AM
Hi Mshattock,
I completely agree with you that it's a bug. I have already spent 15 days with Palo Alto tech support to resolve Pre-Logon then On-demand but unfortunately tech support is still unable to resolve the issue. Even in my case I am losing confidence in Palo Alto tech support. Configuration in the "App configuration" tab is telling one thing but practically it is doing another thing.
If I choose on-demand but GP Login prompt is coming up then what is the purpose of keeping On-Demand option in "App configuration" tab. This is completely unacceptable.
09-18-2020 06:54 AM
Agree, I do not have priv to view the article but I am logged in.
Go figure. Hopefully they will solve soon.
04-01-2021 04:10 PM
Hey Palo Alto, please put the article back up! This would be useful for all sorts of reasons.
04-06-2021 02:07 PM
OK,
I will try to help out here a little..
The article was archived.. for many reasons.. which is why no one is able to access the link.
Not only that, it was shared many years ago..
I am very sorry for the inconvenience that this may cause.. but my hands are tied, and cannot re-publish it right now..
But, what I can do, is take some of the content, and share it here..
In order to stop the GlobalProtect client from loading along with other start up applications when the system boots up:
Windows 10:
On Windows 10, this functionality has moved from System Configuration to Task Manager. Because of that there are 2 ways to get to this.
From Start > Run > msconfig, then click on "Startup". Notice the link to start Task Manager.
That was essentially what was in the article..
I hope this helps a little..
-joe
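Added example, not part of any post in this thread and not Palo Alto Networks code: a PowerShell sketch of the scripted alternative to the manual Task Manager steps, for machines you administer. It lists per-machine and per-user Run-key autostart entries that mention GlobalProtect and removes them only when `-Remove` is passed. The match pattern is an assumption, since the thread does not name the registry value the installer creates.

```powershell
# Added example: audit (and optionally remove) Run-key autostart entries.
# Assumption: the entry can be recognised by 'GlobalProtect' in its value name
# or command line; the thread does not give the actual value name.
param(
    [string]$Pattern = 'GlobalProtect',
    [switch]$Remove          # without this switch the script only reports
)

# Standard Windows autostart locations (machine-wide, 32-bit view, per-user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutostartEntry {
    param([string[]]$Keys, [string]$Pattern)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            # Match on either the value name or the command it launches.
            if ($name -match $Pattern -or $command -match $Pattern) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $command }
            }
        }
    }
}

$found = @(Get-AutostartEntry -Keys $runKeys -Pattern $Pattern)
if (-not $found) {
    Write-Output "No autostart entry matching '$Pattern' found."
    return
}
$found | Format-Table -AutoSize -Wrap

if ($Remove) {
    foreach ($entry in $found) {
        # Removing values under HKLM requires an elevated session.
        Remove-ItemProperty -LiteralPath $entry.Key -Name $entry.Name -ErrorAction Stop
        Write-Output "Removed '$($entry.Name)' from $($entry.Key)"
    }
}
```

Run it without `-Remove` first to confirm exactly which entries match before deleting anything.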