About blwallace

I'm having trouble finding the correct administrative installation process.  I have several field reps that do not have administrative rights to their laptops.  I need to install GlobalProtect for them and have it pre-configured with proper certificates, portal addresses, etc.  My certificates are self-generated by the firewalls, so are not trusted by a third-party such as goDaddy.  My installation process is: login with a proper administrative account install the proper certificates into local computer and local user stores install the agent using msiexec /i globalprotect.msi POSTVPNCONNECTCOMMAND=\\server\path\logon.bat PORTAL=vpn.domain.us /quiet This sets up the first portal, but I have two portals.  I've tried importing registry files for the second portal and it works for user that ran the install, but not for any other user on the system.  All other users only have the portal created by the msiexec install.  So how do I install the agent with two portals?   When the user first logs in, they are asked to accept the certificate of the portal, even though the cert is previously installed.  This acceptance is only required the first time the user logs in.  How do I have the agent accept this certificate so not to ask the end user? ... View more

Running PanOS 8.1.1 & GlobalProtect Agent 5.1.0 & connect method Pre-logon (Always On)   When connected and authenticated to my VPN from an external network - all is good.  I can restart with a connection to my internal WiFi and my VPN connection shows Internal (because I have Internal Host Detection configured).  If I then open the GP app and select Sign Out, my  VPN client will then give me an error: No Network Connectivity and will not connect.  Looking at the logs within the client, I see a "ConnectSSL: Failed to connect..." error.  The only way to get connected to my VPN at this point is to connect and authentication using an external network.     As long as I don't Sign Out (and I know I can remove this button from end users) through the app, things work as expected going from public to internal to public networks.  But I want to understand all possible scenarios and this is one I can't figure out.   What is happening when Sign Out is selected and why does this cause the VPN client to think there is no network connectivity?   error log snippet . . . (T5116)Debug(6217): 02/28/20 11:18:22:221 Pre-login...,verifyportalcert=yes (T5116)Debug(10082): 02/28/20 11:18:22:221 Check cert of server ***.***.***.*** (T5116)Debug( 777): 02/28/20 11:18:22:221 SSL connecting to ***.***.***.*** (T5116)Debug( 550): 02/28/20 11:18:22:236 Network is reachable (T1660)Debug( 550): 02/28/20 11:18:24:190 Network is reachable . . . (T5116)Debug( 599): 02/28/20 11:18:27:143 Failed to connect to ***.***.***.*** on 443 with return value -1 and socket error 0(0) (T5116)Debug( 781): 02/28/20 11:18:27:143 do_tcp_connect() failed (T5116)Error(10128): 02/28/20 11:18:27:143 ConnectSSL: Failed to connect to '***.***.***.***:443'. Disconnect ssl. (T5116)Debug(10141): 02/28/20 11:18:27:143 Cannot get server cert of ***.***.***.***   ... View more