GlobalProtect Version 5.1.6 has Browsing Issues on MacOS 10.15.6/7!

Snir_Gavriel · ‎10-12-2020

Last week I updated GP on our 5250 firewall from 5.0.4 to 5.1.6, which according to this website is the recommended version to use.

After MacOS users updated their GP adapter on their laptop, many of them started to have connectivity & surfing/browsing issues!

Until now, I know for sure that this problem affects MacOS versions 10.15.6 & 10.15.7 (which is the latest version)!

I asked one of them to try version 5.2.2, but it didn't solve the problem.

Then, I asked them to install version 5.0.10, & all the problems disappeared!

As you may know, starting version 5.1.4 on MacOS version 10.15.4 & up, GP is using NE (Network Extensions), instead of KEXT (Kernel Extensions), so my guess would be it's the root cause of the problem!
I just don't understand how a company in this scale releases a new version(s) without thoroughly testing it first on all platforms...

BPry · ‎10-12-2020

@Snir_Gavriel,

Well so here's the deal, I can guarantee that 5.1.6 and 5.2.2, and 5.2.3 all work without issue on macOS 10.15.6 and 10.15.7. So to say it's not tested and that nobody can use GlobalProtect agents above 5.0 is just not correct. Now if you look at one of the machines that have stopped working, you'll likely find under the user's security preferences that macOS has stopped the new system extension from being loaded, and the user simply need to allow it for the first time to get things to function properly again.

While this could be smother for the user, Apple doesn't make that as easy as you would think to actually prompt the user that additional permissions are required during the upgrade process. That's either something you manage from the MDM side, or communicate to users as you deploy the update if you don't manage those endpoints. It's an annoyance, but it's one that really falls under Apple.

I have plenty of macOS users deployed throughout the 5.1 and 5.2 releases without issue, and PAN themselves have a very large fleet of macOS devices all running GlobalProtect. The agent when properly configured and granted the proper permissions works perfectly fine.

Snir_Gavriel · ‎10-19-2020

Sorry, but I think I didn't explain myself correctly.

I'm already aware that starting from MacOS version 10.13, you have to allow the usage of the GP app in Security & Privacy (or during its installation), as described in the below link (in section # 8), but this is not the case here!
https://kstate.service-now.com/kb_view.do?sysparm_article=KB14182
The GP adapter can establish a connection to the firewall, but although we're using a Split Tunnel, some users have issues reaching the Internet, while others can't reach some internal resources we configured in Domain Split Tunnel.

I've asked our MacOS users to check in Security & Privacy whether there's another option to allow the new extensions, but there's nothing there!

bartlettj · ‎10-20-2020

I am also experiencing this issue on 5.1.6 after upgrading from 5.1.5. Browsing will randomly stop or take a long time to load. Speed tests are also affected. I plan to open a case with TAC. It’s only happening on Apple computers.

Snir_Gavriel · ‎10-22-2020

Update (22.10.2020):

So far, I noticed this issue in MacOS versions 10.15.3, 10.15.5, 10.15.6, & 10.15.7.

The users get the notifications to allow the NE (Network Extensions), they allow them, but it doesn't help!

The only time it helped was when I instructed a user with version 10.15.3 to update to 10.15.7.

During the update the notifications appeared, he allowed them, & then the problem was fixed.

bartlettj · ‎10-22-2020

Reinstalling GP 5.1.6 without the System Extensions option checked seems to have fixed my issue I was having.

Snir_Gavriel · ‎10-23-2020

Update (23.10.2020😞

Just tested the new 5.1.7 GP version, which was released last night, & unfortunately, the results are the same - the MacOS user gets the below error:
Connection was closed before we received a valid response from endpoint URL: "https://secretsmanager.eu-west-1.amazonaws.com/"

Snir_Gavriel · ‎10-23-2020

That's weird (& not solving the problem), as the whole intention of the new versions (starting GP version 5.1.4), is to use the new extensions instead of the old ones!

Once users will upgrade their Mac OS to version 11, the old extensions won't work anymore!

bartlettj · ‎10-23-2020

Just to clarify, what appears to have resolved the issue was installing it again with only GlobalProtect checked in the install. Leaving GlobalProtect System Extensions unchecked.

The GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4 or later does not use kernel extensions and will use system extensions.
The GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4 or later will not use the kernel extensions (
com.paloaltonetworks.kext.pangpd
) and instead will use any of the available utun interfaces provided by macOS as the virtual adapter.
If you are upgrading from an earlier release to the GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4 or later, kernel extensions are no longer needed. After the upgrade, the
System Extension Blocked
notification message displays on the GlobalProtect app, prompting users to enable and allow the system extensions in macOS that was blocked from loading. By default, the app will not install system extensions and the same default settings are applied.

https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide/globalprotect-app-f...

bartlettj · ‎10-30-2020

Do you have SSL decryption enabled? I came across this post on Reddit that sounds very similar to what we are facing. https://www.reddit.com/r/paloaltonetworks/comments/jjusvf/ssl_decryption_issue_with_macs/

Network Security

Cloud Security

Security Operations

GlobalProtect Version 5.1.6 has Browsing Issues on MacOS 10.15.6/7!

GlobalProtect Version 5.1.6 has Browsing Issues on MacOS 10.15.6/7!

Show your appreciation!