Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Always connect on logon

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Always connect on logon

L1 Bithead

Hello,

 

we changed from Cisco AnyConnect to Globalprotect in the last few weeks. Basically everything works as expected, but one thing we miss. Globaprotect is configured to connect automatically when the user signs into Windows. But our users are allowed to disconnect their VPN. If they disconnect it and turn of, log off or reboot their PC, Globalprotect does not reconnect automatically after login. With AnyConnect this was working. We found a setting where we could set a auto reconnect after x hours, but that does not do the trick.

 

We also found the registry keys where Globalprotect stores the reconnect behaviour, but when we try to set them via logoff script or something like this, it does not work. Setting them manually by hand works, but this must be fool-proof for our users...

 

Is there a configuration setting we missed where we could achieve this? If not, is there a way to request such a behavior as feature request?

 

Thanks a lot for your help!

 

Brgds Deas

16 REPLIES 16

L1 Bithead

Sorry, but is this a dead community?!? Anybody must be able to say something about my question. At least somebody from PA...

 

Brgds Deas

Cyber Elite
Cyber Elite

Are you saying that if user disconnects GlobalProtect and reboots computer then GlobalProtect does not re-connect?

Is user disconnecting or disabling GlobalProtect?

Portal setting, App tab, "Disconnect Timeout (min)" setting don't work?

Also if you do any config changes then by default GlobalProtect app will check config updates every 24 hours.

You can choose "Refresh connection" in GlobalProtect App hamburger menu to force config update to test changes applied.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Yes, if a user disconnects GP VPN and reboots the PC, GP doest NOT re-connect automatically after login. The user is disconnecting and not disabling GP - our users are not able to disable GP. After the reboot the GP icon says not connected and nothing happens. Only if I connect once manual, connection is established again afer reboot.

 

And we also have Disconnect Timeout set to 120 minutes. But...

 

When I login to Windows and disconnect the first time, nothing is shown about the 120 minutes reconnect timer! Only when I connect and disconnect again, the 120 minutes timer is shown.

 

First disconnect:

Deas73_0-1677408046091.png

 

 

Second disconnect:

Deas73_0-1677407470979.png

 

Just try it yourself...

 

But what we really want is the following: disable the Disconnect Timeout and make GP reconnect on every reboot automatically. Is there a way to request this as a feature? Would be nice if anybody from PA could join here...

 

We use 6.0.5-30 at the moment.

 

Brgds Deas

L1 Bithead

Is this a dead community or what is this???? Is there nobody from PA who is willing to help? Unbelievable... 😞

 

To go on with the question: When GlobalProtect makes auto connect on reboot, those two registry keys are set to 0

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS]
"disable-globalprotect"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings]
"disable-globalprotect"=dword:00000000

 

When I disconnect manually, they change to 1 and after a reboot nothing happens. Only when I reconnect once manually (which sets them back to 0) or set those two keys by hand to 0 again, auto re-connect is working again.

 

Brgds Deas

L0 Member

We have ran into this same exact issue,  we are using always on,  but if user clicks disconnect and then reboots it stays in disconnected state.   Has anyone found a work around?  

L0 Member

Same issue. A manual connect is required after a reboot when an end user manually disconnects GlobalProtect - even if the app config is set to always-on. Seems silly to me that the default behavior is not to connect after a reboot when "always-on" is in use regardless of the disconnect setting in the app config.

L1 Bithead

Sorry - I was not able to find a solution for this so far and unfortunately nobody from PA is able or willing to say anything about this. As you said - always on means always connect for me, even if the end user does a manual disconnect.

 

@D.Nevens staff - hello? somebody here?

L1 Bithead

I am also troubleshooting this same issue. If I figure anything out I'll post it here but hopefully, someone has an answer in the meantime.

L1 Bithead

As written in my second post - I know the registry keys that control it, but there is no "official" way from PA to make always on really always on.

 

Is there really nobody from PA in this forum?!? I can´t believe it... 😞

L1 Bithead

Hi ,

 

The disconnect option is same as Disable in the previous version.

 

You could set a disable timeout for the Global protect under app settings. 

Disconnect the GP and shutdown the machine. If you boot the computer again after the timer ( Timeout mentioned in the previous setting), it will connect automatically.

 

Please note that this is a global settings for all the users connecting to this profile. So the setting will be applicable for all the users on the profile.

 

The option is Global protect < portal < agents < agent profile < app < "Disconnect Timeout (min)"

 

Here are some references.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VCOCA2

https://www.youtube.com/watch?v=2NngxjjwyQM

 

L1 Bithead

I've been working with Palo Alto support who has been working with the product team, and they said that this will be fixed in the upcoming Global Protect version (6.2.1).

Thanks for the info! Did they tell you anything when 6.2.1 should be GA?

I was told the release date would be in the second half of September. That's obviously not happening since it's 9/29 today, but I would assume it will be released soon.

Hi @dmertz , do you mind sharing the bug number, Case number or Jira ID where support informed you of this.

  • 12644 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!