After upgrading to GlobalProtect 6.2.3 SAML sign-in page blank/your network access is blocked

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

After upgrading to GlobalProtect 6.2.3 SAML sign-in page blank/your network access is blocked

L1 Bithead

We're upgrading clients from 6.2.2 manually to test the stability of 6.2.3 (it is supposed to resolve the TLS and Hibernate wake issues) and we've had major issues after upgrading to 6.2.3.

 

Agent config: is AO VPN, EntraID SAML, Embedded Browser, Enforce GlobalProtect Connection for Network Access.

 

The software upgrades fine. When GP attempts to connect the SAML page opens and says your network access is being blocked. No matter how many times you close and let it reopen or use refresh connection it never loads the SAML page again. Only way to resolve this was to uninstall 6.2.3 then install it fresh and it all works. So using transparent upgrades from the FW is not going to be an option nor is uninstalling and installing on 750 clients.

 

I have also started to see problems after running 6.2.3 for a few weeks where after I wake my computer from hibernate or sleep mode, the embedded browser SAML window opens but the page is blank. I can close, let it reopen, refresh connection and after around 5 minutes the SMAL page loads.

 

I have a support case open with Palo, provide a screen recording on this problem, I can create this on any laptop of fresh out the box VM client. Just wondering if others are seeing these issues too?

6 REPLIES 6

L2 Linker

We had similar issues using Azure Ad/Entra Saml 2.0.  We just disable the enforce mode.  The amount of ipv4 and probably ipv6 whitelisting that I was going to have to do, wasn't worth it.  I don't know why the gp built in browser was requesting so many ip addresses, and not using the domain names.  But I could see it doing this in wireshark.  At the same time everything seems to work properly in edge.  I had all the urls and such whitelisted for enforced mode. To this day I don't know if this is a palo problem or azure problem.  But I doubt we will ever turn enforced mode back on again.

L1 Bithead

We found using the default browser and enforce mode was not an option, it just did not work, too many URL's to whitelist. Using it with the embedded browser, it does work fine.

 

We want the enforce mode to ensure protection for our endpoints at all times. The config does work, most of the time. Upgrading to 6.2.3 does not work and we are see these new issues with reconnecting and being presented with a blank web site. It fixes problems in 6.2.2 with TLS and wake from hibernate/sleep, but it now has problems that were more impactful than those in 6.2.2.

L2 Linker

Our was acting in a similar fashion as you describe.  It nearly killed global protect roll out for my company, as some important people couldn't sign on after getting upgraded to 6.2.3. That compounded with the previous 6.2.2 hibernation/sleep bug showing connected when it wasn't.

 

Enforced mode is the ideal way to go, but you can set it to retry logons intervals, and not allow disconnect. I guess the user could just ignore that too.

L1 Bithead

Palo engineering have found the problem upgrading to 6.2.3. I am testing a beta version of 6.2.4 and I have not been able to recreate the issue.

 

My rollout has stalled for one entire region because of the issues we had with 6.2.1. Really need a stable version!

 

FYI. The new 6.3 does not include the fixes in 6.2.4. 

L0 Member

When will 6.2.4 be released. We have the problem with 6.2.3 and 6.3.0 in a test environment. Our production release that works is 6.2.2.

I don't know when 6.2.4 will be released, it is still in beta as far as I know.

 

It has fixed upgrade issues that we saw when going from 6.2.2 to 6.2.3. It has fixed issues where the SAML page would not load after, switching between networks, hibernate wake etc.

 

New problem we have seen with 6/10 of our staff testing 6.2.4 relates to internal host detection. We use always-on with network enforcer. When clients are running 6.2.4 connected to the corporate LAN over cable or Wi-Fi GlobalProtect is flipping between "you are connected to the corporate LAN" and an external gateway. This is causing clients to briefly lose connection to the network so is unusable.

  • 2965 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!