GlobalProtect - "Refresh Connection" API call via DLL/etc


L1 Bithead

Is there an API or any documentation on how to call the GlobalProtect "Refresh Connection" function from external code? I want to be able to call this function from custom external code.  The reason why is to fix a connection issue we are having through automation since we don't want to have to ask users to manually click that option.

 

If no external API call is possible, is there a command-line option to call "Refresh Connection"?

 

Why isn't GlobalProtect smart enough to call Refresh Connection on its own when an always-on VPN connection breaks?  There should be a way to monitor public IP addresses for reachability and automatically refresh the connection if it can't access the public IPs...  Our AOVPN breaks frequently when machines go to sleep and wake up, screen is unlocked, etc.
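The watchdog the question describes (probe reachability through the tunnel, refresh when it stays down) can be scripted on the endpoint even without a documented API. The following is an added example written for this thread, not code from the original post or from Palo Alto Networks. Everything in it is an assumption: the target addresses are constructed, the TCP port is a stand-in for any service only reachable over the tunnel, and `$RefreshAction` is a placeholder because the thread identifies no supported command-line or API equivalent of "Refresh Connection".

```powershell
# Added example: reachability watchdog for an always-on VPN tunnel.
# Not Palo Alto Networks code. All names and values below are assumptions.
param(
    [string[]]    $Targets = @('10.0.0.10', '10.0.0.11'),  # constructed sample addresses reachable only via the tunnel
    [int]         $Port = 445,                              # assumed: a TCP service on those hosts (e.g. SMB on a file server)
    [int]         $IntervalSeconds = 30,                    # probe cadence
    [int]         $FailuresBeforeRefresh = 3,               # hysteresis: avoid refreshing on a single lost probe
    [scriptblock] $RefreshAction = {
        # Placeholder: the thread names no documented GlobalProtect refresh command.
        Write-Warning 'Refresh action placeholder - replace with whatever your environment supports'
    }
)

function Test-TunnelReachability {
    param([string[]] $Hosts, [int] $TcpPort, [int] $TimeoutMs = 2000)
    # Returns $true if at least one target completes a TCP connect within the timeout.
    # A TCP probe is used instead of ICMP because ping is often filtered inside the tunnel.
    foreach ($h in $Hosts) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($h, $TcpPort, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                return $true
            }
        } catch {
            # Connection refused / unreachable: treat as a failed probe and try the next host
        } finally {
            $client.Close()
        }
    }
    return $false
}

$consecutiveFailures = 0
while ($true) {
    if (Test-TunnelReachability -Hosts $Targets -TcpPort $Port) {
        $consecutiveFailures = 0
    } else {
        $consecutiveFailures++
        Write-Output ("{0} tunnel probe failed ({1}/{2})" -f (Get-Date -Format o), $consecutiveFailures, $FailuresBeforeRefresh)
        if ($consecutiveFailures -ge $FailuresBeforeRefresh) {
            & $RefreshAction          # log the event here as well so support can correlate it with GP agent logs
            $consecutiveFailures = 0
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Probing hosts that are only reachable over the tunnel (rather than the gateway's public address) is what distinguishes "tunnel is up" from "Internet is up"; the failure counter keeps a single dropped probe after wake-from-sleep from triggering a refresh the agent would have recovered from anyway.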

17 replies

L7 Applicator

I don't expect such a poor user experience to be expected behavior ... but I don't know how this is seen by TAC (in the past I also had some very "special" situations where it absolutely did not make sense what the gp agent was doing - but it still was "expected behavior" by paloalto)

May I ask, if you have a global protect subscription on that firewall?

There's been some progress on the TAC case, however I'm not sure why those changes would affect reconnections in a good way when disconnecting and reconnecting on the same WAN IP. Anyway the changes made were:

1) Under the Gateway Connection Settings, ticked "Restrict Authentication Cookie Usage(for Automatic Restoration of VPN tunnel or Authentication Override)" and chose "The original Source IP for which the authentication cookie was issued".

2) Exempted "https://vpn.<domain>" from the corporate proxy .pac file.

 

@Remo yes, totally agree that poor user experience can be what a vendor deems expected behavior. Do you think user experience has improved from v5.0.2 to v5.2.7?

 

Can I find out why whether we have a GP subscription or not is useful information to you? 

L7 Applicator

The user experience definitely has improved between 5.0.2 and 5.2.7. Actually there were huge steps between these versions. The problem here is - as everywhere - with new features there are new issues/special situations/edge cases ...

 

The question for the GP subscription was because then you could try to add the hostnames for the SAML login to split tunneling FQDN exclusions. Currently I am experimenting with that as I had not only a few situations where the connection to login.microsoftonline.com was blocked because it was sent through the VPN tunnel and there I have a policy that allowed internet access only for real users. So when my User-ID agents were not able to provide the username early enough to the firewall, the GP login was not possible. In your reconnect situations I imagine it could be a similar situation.

  • 10884 Views
  • 17 replies
  • 0 Likes