GlobalProtect Always-On Being Blocked by WDAC (AppLocker)

L0 Member

We are using always-on VPN prelogon SAML and it works fine. However, after deploying a WDAC (Windows Defender Application Control) policy to lock down a device to select apps, Global Protect prelogon no longer works on that endpoint. It works if we remove the WDAC lockdown policy so it's definitely being blocked, but the following locations have been approved to run so I need to understand what other dependencies the always-on VPN relies on.

C:\Program Files\Palo Alto Networks\GlobalProtect\*
C:\Users\*\AppData\Local\Palo Alto Networks\GlobalProtect\*

What else, especially which .exe's, does GlobalProtect Always-On rely on?

Manually connecting the GlobalProtect VPN works, so it's not PanGPA.exe or PanGPS.exe. It's just not showing the prelogon icon on the lock screen under sign-in options. Any help would be much appreciated!

1 REPLY

Cyber Elite

@L.Dyson,

Assuming that your AppLocker policy is configured to log attempts, you can view the logs of blocked activity by simply looking in the Event Viewer on one of the affected machines. That's where I would start since it'll tell you exactly what needs to be allowed.

Secondly, are you sure you are using path exceptions for your AppLocker exceptions? I would not recommend doing that unless absolutely necessary. Any user on the machine can read your AppLocker rules, and if I can get access to your machine it's an extremely quick way of telling me exactly where I need to place files to run on the machine. If that's truly your exception, I could place a file called C:\Users\ImABadDude\Local\Palo Alto Networks\GlobalProtect\RIPYourComputer.exe and your AppLocker policy will happily run it.

There's nothing in the AppData location that you need to exclude; I would have that location immediately removed from your policy. If you're limiting Program Files, you'll need to set up a publisher exception for PAN but also one for OPSWAT for the wa_3rd_party_host_32 and wa_3rd_party_host_64 executables. I'd also check whether you've got the default exceptions for the \Windows\ directory, as that would certainly break things if not fully excluded.
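The Event Viewer check suggested in the reply, as an added example (not from the original poster or the replying member): a PowerShell query that collects the AppLocker and WDAC code-integrity block events on an affected endpoint and counts them per file, so the missing dependencies show up by path. It assumes an elevated session on the endpoint and that the policy is logging in audit or enforce mode.

```powershell
# Added example: summarise what AppLocker / WDAC blocked on an affected endpoint.
# Event IDs used (documented by Microsoft):
#   AppLocker "EXE and DLL" log:     8003 = audit-only (would have blocked), 8004 = blocked
#   AppLocker "MSI and Script" log:  8006 = audit-only, 8007 = blocked
#   CodeIntegrity Operational log:   3076 = WDAC audit-mode block, 3077 = WDAC enforced block
$queries = @(
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';     Id = 8003, 8004 },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8006, 8007 },
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 }
)

# Only look at recent events, i.e. the last few reboot / prelogon attempts.
$since = (Get-Date).AddDays(-1)
$events = foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since } `
                 -ErrorAction SilentlyContinue
}

# Pull the blocked file path out of each event's XML payload.
# AppLocker events carry it in <FilePath>; CodeIntegrity events in <Data Name="File Name">.
$blocked = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $path = $xml.SelectSingleNode("//*[local-name()='FilePath']").InnerText
    if (-not $path) {
        $path = $xml.SelectSingleNode("//*[local-name()='Data'][@Name='File Name']").InnerText
    }
    if (-not $path) { $path = "<unparsed event $($e.Id)>" }
    [pscustomobject]@{ Time = $e.TimeCreated; Log = $e.LogName; Id = $e.Id; Path = $path }
}

# Count blocks per file; the top entries are what the prelogon tunnel still needs.
$blocked | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Prelogon runs as SYSTEM before any user signs in, so anything listed here outside the
# allowed paths (for example the OPSWAT wa_3rd_party_host_* helpers or components under
# \Windows\) is a candidate for a publisher rule rather than another path exception.
```

Audit-only IDs (8003, 8006, 3076) appear when the policy is still in audit mode, which is the safer way to discover dependencies before switching to enforce.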