Set a new GlobalProtect VPN portal to prisma for 1000+ devices

L1 Bithead

Hi, I've been asked to roll out a new VPN portal and automatically switch users over to it in a phased approach. I don't think this is possible via Palo Alto (as it will set it for all users immediately) and Group Policy has some limitations around phased approaches, so we are using SCCM. I have a script which I am testing but am getting mixed results. From what I've read, all I need to do is:

  1. Stop the PanGPS service
  2. Set HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\LastUrl to 'NewAddressHere'
  3. Set HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup\Portal to 'NewAddressHere'
  4. Restart the PanGPS service

Is this correct? Does this cover all the registry entries that need to be changed? Currently, when doing this, the system tray item for the GP VPN connection will take a few minutes and then fail to connect. If I then manually click Connect, it will connect successfully within about 10 seconds.
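The four steps above as one idempotent PowerShell function with read-back verification. This is an added example, not code from the original post; the service name PanGPS and the two registry paths come from the question, the function name, parameters and placeholder portal are assumed.

```powershell
# Added example: stop PanGPS, write the two values, restart, then verify by reading back.
# Caveat: HKCU: is the hive of the account running the script. Under SYSTEM (e.g. SCCM)
# the per-user value must be written into the target user's loaded ntuser.dat instead.
function Set-GlobalProtectPortal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NewPortal,
        [string]$ServiceName = 'PanGPS'
    )
    $userKey    = 'HKCU:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
    $machineKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

    # Record the current values so the change can be audited or reverted.
    $before = [ordered]@{
        LastUrl = (Get-ItemProperty -Path $userKey    -Name LastUrl -ErrorAction SilentlyContinue).LastUrl
        Portal  = (Get-ItemProperty -Path $machineKey -Name Portal  -ErrorAction SilentlyContinue).Portal
    }
    if ($before.LastUrl -eq $NewPortal -and $before.Portal -eq $NewPortal) {
        Write-Verbose "Portal already set to $NewPortal; nothing to do."
        return $true
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Switch GlobalProtect portal to $NewPortal")) {
        # Step 1: stop the client service so it cannot overwrite the values while we write them.
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        try {
            # Steps 2 and 3: create the keys if missing, then overwrite both values.
            foreach ($k in @($userKey, $machineKey)) {
                if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
            }
            New-ItemProperty -Path $userKey    -Name LastUrl -Value $NewPortal -PropertyType String -Force | Out-Null
            New-ItemProperty -Path $machineKey -Name Portal  -Value $NewPortal -PropertyType String -Force | Out-Null
        }
        finally {
            # Step 4: always bring the service back, even if a write failed.
            Start-Service -Name $ServiceName
        }
    }

    # Verify by reading back rather than trusting the write succeeded.
    $after = @{
        LastUrl = (Get-ItemProperty -Path $userKey    -Name LastUrl -ErrorAction SilentlyContinue).LastUrl
        Portal  = (Get-ItemProperty -Path $machineKey -Name Portal  -ErrorAction SilentlyContinue).Portal
    }
    Write-Verbose ("LastUrl: {0} -> {1}; Portal: {2} -> {3}" -f $before.LastUrl, $after.LastUrl, $before.Portal, $after.Portal)
    return ($after.LastUrl -eq $NewPortal) -and ($after.Portal -eq $NewPortal)
}

# Example invocation with a placeholder portal name (not a real portal):
# Set-GlobalProtectPortal -NewPortal 'vpn-portal.example.com' -Verbose
```

Run it elevated; a return value of $false after the call means at least one value did not persist and the device should be flagged rather than moved to the next phase.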

3 REPLIES

Cyber Elite

@AJP_UK,

####################
## Variables List ##
####################
$TargetPortal = 'YourPortal'
##################
## Start Script ##
##################
# Must run elevated: reg load/unload and HKLM writes need administrator rights.
# Regex pattern for SIDs
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'

# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} |
    Select-Object @{name="SID";expression={$_.PSChildName}},
            @{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}},
            @{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}

# Get all user SIDs found in HKEY_USERS (ntuser.dat files that are loaded)
$LoadedHives = Get-ChildItem Registry::HKEY_USERS | Where-Object {$_.PSChildName -match $PatternSID} | Select-Object @{name="SID";expression={$_.PSChildName}}

# Get all users that are not currently logged in (their hive must be loaded by us)
$UnloadedHives = Compare-Object $ProfileList.SID $LoadedHives.SID | Select-Object @{name="SID";expression={$_.InputObject}}

# Loop through each profile on the machine
Foreach ($item in $ProfileList) {
    # Load User ntuser.dat if it's not already loaded
    IF ($item.SID -in $UnloadedHives.SID) {
        reg load HKU\$($Item.SID) $($Item.UserHive) | Out-Null
    }
    #####################################################################
    # This is where you can read/modify a user's portion of the registry
    # Grab the LastUrl String
    "{0}" -f $($item.Username) | Write-Output
    $ItemPath = "registry::HKEY_USERS\" + $item.SID + "\Software\Palo Alto Networks\GlobalProtect\Settings"
    if (Test-Path $ItemPath){
        # SilentlyContinue: the key may exist without a LastUrl value yet
        $LastUrl = Get-ItemPropertyValue $ItemPath -Name LastUrl -ErrorAction SilentlyContinue
        if (-NOT ($LastUrl -eq $TargetPortal)){
            New-ItemProperty -Path $ItemPath -Name LastUrl -Value $TargetPortal -PropertyType String -Force
        }
        else {
            Write-Host "$($item.Username) : LastUrl value matches $TargetPortal"
        }
    }
    #####################################################################

    # Unload ntuser.dat
    IF ($item.SID -in $UnloadedHives.SID) {
        ### Garbage collection and closing of ntuser.dat ###
        [gc]::Collect()
        reg unload HKU\$($Item.SID) | Out-Null
    }
}

# Update Machine Strings #
$PanSetup = "registry::HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup"
$PanSettings = "registry::HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings"
if (Test-Path $PanSetup){
    $Portal = Get-ItemPropertyValue $PanSetup -Name Portal -ErrorAction SilentlyContinue
    if (-NOT ($Portal -eq $TargetPortal)){
        New-ItemProperty -Path $PanSetup -Name Portal -Value $TargetPortal -PropertyType String -Force
    }
}
if (Test-Path $PanSettings){
    $LastUrl = Get-ItemPropertyValue $PanSettings -Name LastUrl -ErrorAction SilentlyContinue
    if (-NOT ($LastUrl -eq $TargetPortal)){
        New-ItemProperty -Path $PanSettings -Name LastUrl -Value $TargetPortal -PropertyType String -Force
    }
}

L1 Bithead

Thanks for the script. I found something similar which also sets the Portal registry value and starts/stops the service, but the connection doesn't always restart, so I need to force a reboot with the script rollout.
