This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect Prompting Network Filter on macOS

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Prompting Network Filter on macOS

nic.scott
L0 Member

‎02-09-2023 06:46 AM

We're running macOS Ventura clients and deploying GlobalProtect 5.2.12-26

 

We’ve been deploying GlobalProtect for the last year without profiles, No issues. We made a recent change to do HIP checks on endpoints, like verify Jamf is running before you can connect to VPN. We then added an exclusion for a domain and list of IPs to not go through the full tunnel.

 

Users then started getting the prompt to install system extensions. No big deal, I followed the Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro to push a profile to allow ...

 

But as soon as the profile installs, you get a second prompt to install a network filter (guessing this because of the domain exclusion?). If you click "Allow", it requires admin rights, which is a problem for our standard users. I can’t figure out how how to suppress/allow this with a profile. And GlobalProtects documentation doens’t seem to have a solution, that I’ve seen. It’s also showing as a Transparent Proxy and not a content filter in system settings.

 

I've gone through all the documentation here:

Enable System and Network Extensions on macOS Endpoints Using Jamf Pro

Add a Configuration Profile for the GlobalProtect Enforcer Using Jamf Pro 10.26.0

 

 Has anyone else seen this before and know how to create a profile?

 

GlobalProtect 

 

 

GP connects and prompts for network filterGP connects and prompts for network filter

 

Then prompts for admin rightsThen prompts for admin rights

 

 

GP creates a transparent proxy in the network settingsGP creates a transparent proxy in the network settings

 

 

 

 

 

GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
0 Likes Likes
3 REPLIES 3

TomYoung
Cyber Elite
Cyber Elite

‎02-09-2023 08:06 AM

Hi @nic.scott ,

 

That's strange.  Your 2nd URL has sections for Network Filter Bundle Identifier and Network Filter Designated Requirement.  I guess those didn't work?  Here's another doc that provides more details -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAW8.  Maybe that has the info you need.  Both docs say they can suppress the popups.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

nic.scott
L0 Member
In response to TomYoung

‎02-09-2023 08:51 AM

When I try the 2ND url in my post and install that profile, it creates a separate "Content Filter" and not a "Transparent Proxy" but then it bricks my GlobalProtect client. I can't connect at all until I uninstall the profile and then restart my computer. I haven't seen anything in official docs about the "Transparent Proxy".

 

I also tried to install the 4 signed profiles at the bottom of this page, doesn't resolve the issue.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAW8

 

GlobalProtectEN Content Filter InstalledGlobalProtectEN Content Filter Installed

 

After installing the content filter profileAfter installing the content filter profile

 

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎02-09-2023 09:46 AM

Hi @nic.scott ,

 

I have MacOS Ventura, and I installed GP manually.  I enabled system extensions just in case I needed to use those features in the future.  I didn't get the specific Filter Network Content popup like you.  I got a generic System Extension Blocked.  I think this enables all system extensions.  I currently have the GP Transparent Proxy listed under my filters, but no Content Filter.

 

So, the Transparent Proxy looks normal.  It also looks like there is an error in the docs on how to suppress the Filter Network Content even though it specifically says that is what it does.  Both docs are written for Catalina.  Maybe it doesn't work on Ventura.

 

Sorry that I was not able to help.  You may need to open a TAC case.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 4551 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks