Time for my annual 'GlobalProtect UI is not good enough' post

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Time for my annual 'GlobalProtect UI is not good enough' post

L2 Linker

I've been complaining about GlobalProtect's lackluster UI for years now. 


Here's my post from 2016 complaining about the issue:




Here's my post from 2015 complaining about the exact same problem:




In summary the company I work for is still using Cisco's Anyconnect for our client SSL VPNs, while we use Palo Alto for everything else. We're too embarassed to install Globalprotect on our C-level exec's machines. You would think Palo Alto would add a bit of shine to the ONE thing that the end user ever sees. Especially when those end users are the ones paying the bills...


I was hoping that once GlobalProtect 4 was released we would get a facelift but nope, the same old dated UI from the early 2000's. 


See you all next year!


Cyber Elite
Cyber Elite


I always kind of look forward to this post to be honest. It's not like PA did a bad job with functionality of the GlobalProtect client at all, in fact I like it more than AnyConnect from a customization standpoint as you can really dive down and control things that the user has access to. The big issue really is the interface, even with 4.0 it's pretty awful and some of the most annoying things about the client still aren't fixed. 

I'll continue to run my 5525-Xs for solely VPN access until the time that GlobalProtect is actually usable and does everything that I want/need it to do in a way that I don't feel like I would hinder staff from understanding what is going on. The GlobalProtect client is just such a step backwards from AnyConnect that I can't really justify the effort in switching everybody over, and AnyConnect is cheap enough that I don't really care either, it's not a big hit on the budget and it's actually cheaper for licensing than the GlobalProtect licensing to allow mobile devices to connect. 


Over everything that this firewall can do I feel like the VPN client is where they really should be spending time. They gave the GUI a fresh coat of paint in 7.1 and 8.0 but they can't seem to update something that actually matters to end-users. I spend the vast majority of my time in the CLI anyways, I don't need a shiny GUI over a functional GlobalProtect Client. 

I'll add to this.


It isn't just that the UI is bad, there are at least some ways around that like just telling the users to use the "right-click connect" option that pops up the small box which more closely mimics AnyConnect.  No, it is also that if the user does have to open up the full panel to access something it is buggy.  Entering your username/password and then waiting for a connection sometimes causes entire parts of the GUI form to disappear.


If the goal was to make this stuff inaccessible because the credentials have been submitted then that is fine, just lock the controls (i.e. grey them out) instead but unlock them again if it is an unsuccessful login.


I like that the client is configurable, being able to lock out some tabs and changing the client behavoir remotely is nice.  However, the client forgets its config a lot.  For example, turning off the Windows notifcations works for a while, until it forgets and suddenly I have 5 or 6 Windows notifications, one after another, when I log in to Windows telling me I'm not connected to the VPN.  If a user account is configured to have access to multiple gateways it also forgets about them sometimes until the next time you connect which can result in a situation where you have to connect, disconnect, and then reconnect to the proper gateway (we thankfully don't use this for most users... it is mainly another layer of security for us to have a management gateway that gives our IT more access).


I don't feel like the UI needs to really be anything fancy, although some graphical customization like adding a company logo would be nice.  What I do feel like is that it needs to look and feel consistent and not buggy.


Also, I'm not crazy about the licensing for the mobile users.  I would love to have the HIP check functionality but, for starters, we just want allow Apple and Android devices to be able to connect.  They really need to break that license pack up so that mobile app connectivity can be allowed at a reduced cost.  We've been considering hooking up an old ASA just to provide AnyConnect connectivity again which is something I really don't want to have to do.


I've ran into the full panel issue where the form disappears as well, but if it was designed to be a 'feature' it's inconsistent as I can get it to show up perfectly fine as I would expect it's designed probably 80% of the time; the remaining 20% it'll randomly go buggy where the fields are dropped and I don't have anything to actually select from on the panel. 

  • 3 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!