GlobalProtect Client Startup Windows 10

This is an incredible annoyance for our users, the App is set to On-demand yet the portal pops up continuosly for logon credentials even though the app is clearly displaying "OnDemand mode" as it does so! I thought the whole point of "OnDemand" was that the user could initiate it when required, not a continuous spamming of the user for credentials to initiate a VPN connection they are not interested in.

The article detailing how to fix this appears to have been pulled by PA. Both the link above and this (from Google's cache) are inacessible:

https://live.paloaltonetworks.com/t5/SME-GlobalProtect-Articles/How-to-Stop-GlobalProtect-from-Loadi...

Any suggestions?

@mshattock,

You can always simply turn the GlobalProtect client so that it doesn't launch on startup. 

Thanks, but I'm trying to configure the behaviour globally for hundreds of users, not just swat away the symptoms on one machine manually. Additionally, if it's not running, there's no systray icon to click on, and that's how users have been trained.

Perhaps my Google-fu is weak, but I'm aware that there's a bug with Globalprotect that, even if it's configured in On-demand mode, behaves as if its in SSO mode.

Ideally, it autostarts in on-demand mode, and actually respects that on-demand setting, sitting there in the system tray until user-interaction.

If the 'on-demand still running in SSO mode' bug doesn't have an easy fix, disabling autostart globally is a worse, but acceptable option.

Hope that makes sense.....

@mshattock,

This isn't a bug, it's a design decision with how SSO functions within GlobalProtect. Once you restart the GP client gets set to default mode, which means that on-demand isn't setup and it defaults to SSO. The client them does a discovery on the portal to determine if it's setup with on-demand or SSO. Since you are in on-demand mode, the notification that pops up should simply be the "connect" option. 

I won't argue that PAN should include some savable registry key or something of the sort to stop this functionality and default to true on-demand, but it isn't setup like that as is. In the current implimentation this functionality would break SSO; there was hope that during the redesign of the agent they were going to make some backend code changes to allow for this feature request to finally be fullfilled, but that simply wasn't the case.

As it sits now if you wish to supress to message right off the bat you would need to NOT start GP on startup and train the user to actually launch it like they would a normal application. 

Understood, that's a very disappointing design choice by PA. It's certainly working as intended, it's just infuriating and causing a lot of hatred within our company (and also hurting the reputation of GlobalProtect across the wider web community).

With 'true' On-demand being an unusable and broken mess, our only option is to prevent Globalprotect from autostarting and retraining users to launch it manually before they want to connect.

Since the article detailing this has been pulled (at least, neither Google's cache nor my login are permitted to view it) would you be kind enough to detail how I could configure Globalprotect not to autostart globally? This is something that needs to be configured at the portal end, since our group policy doesn't have any influence on machines outside our domain (and used by BYOD staff and those working from home).

Thanks.

@mshattock,

You're going to hate my answer to this .... you can't stop the 'start on logon' for the GlobalProtect app from the firewall, it needs to be done on the end users machine. Since you don't control the end-device you also can't do this any other way since you wouldn't have the rights to modify registry keys or anything like that. The article in question essentially simply walked users through removing the start on logon functionality on their machines, nothing more. 

The application install by default adds itself to startup items. 

It's possibly something you could/can manually modify through something like InstEd and simply remove the functionality and rebuild the msi file. However that's questionably legal when it comes to redistributing the file or telling someone they could/can modify the MSI to get the behavior to function as they wish. You probably could/can do something like that, maybe, and get it functional. If someone were to do this they might want to look at the Registry and Component table, they might be able to modify those locations to stop GP from automatically being included in the statup directory. But who knows, I'm certenatly not telling you it's possible ;-) 

Ah okay, sounds like the best course of action is for me to submit a feature request, or a bug report.

Having GP reset itself to default mode means that the "on-demand" setting is being ignored. That's a bug, in my opinion but if PA have a reason for this weird behaviour they should at least add an option to workaround this behaviour for those that actually want an on-demand VPN client, or simply remove the on-demand option altogether because it's not usuable as one.

Thanks for the assistance.

I get an "Access Denied" message when i click the link. Anyone know why? Im new to the Live Community