Anyone deployed Palo Alto GlobalProtect?

stevehahn
Contributor

My searches have turned up nothing. Just looking for gotchas, do's and don'ts, etc.

108 REPLIES 108

ImAMacGuy
Valued Contributor II

I went a slightly different route, I crated a package with just the settings plist that put it in the plist in right place, then the Global Protect installer.

copied both to

private/tmp

Then packaged both files up into another package that run the post install script of...

#!/bin/sh
## postinstall

installer -pkg /private/tmp/GlobalProtect.pkg -target /
sleep 15
installer -pkg /private/tmp/GP_settings_plist.pkg -target /
sleep 5

rm -rf /private/tmp/GlobalProtect.pkg 
rm -rf /private/tmp/GP_settings_plist.pkg


exit 0      ## Success
exit 1      ## Failure

I'm sure there's a more eloquent way of doing it, but this works.

**Edit: updated path

lordnik0n
New Contributor

I know this is an old post, but I am trying to deploy PAN GP 5.0.2. When it deploys to a machine, everything seems to match up correctly (plist, etc) but when you launch it gets stuck in a connecting loop, it never ask for the username and password. Anyone have any ideas?

Tfinn
New Contributor

We are running into the same issue as @VictoriousLoser Can't seem to figure out a way around it.

simon_brown
New Contributor III

@VictoriousLoser @Tfinn am getting the same problem as well.. Haven't found a solution apart from reinstalling it.

8a26ce73c7994ebdbdd9956930c47410

lordnik0n
New Contributor

@simon.brown Currently the work around I have going is to push the installer as a package, then push the .plist file as a .dmg file after. That has gotten me back to seeing the user login screen, but I am not 100% happy with the way it works - it seems that there should be an easier and cleaner way to do it.

Tfinn
New Contributor

@VictoriousLoser That appears to be working for us right now. Thanks for the tidbit

nikjamf
New Contributor III

Hello @VictoriousLoser, did you push both package and dmg file on the same policy or separate? My one has blocked by Privacy&Security which is grey out for users? Thank you for your share.

lordnik0n
New Contributor

@nikjamf sorry I am just now getting to this, what OS are you running? I started to see this same issue on Mojave computers and had to create a separate policy to allow changes by Palo Alto Networks.

leeskade
New Contributor III

Ran in to the same issues, for me it appeared the apps launchd wasn't loading.

adding:

launchctl load /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist

to the end of the script seemed to fix the issue.

nikjamf
New Contributor III

We running OS Mojave and few High Sierra, and both cannot bypass the Security prompt, and the configuration file with kext extension and Team ID pushed to the system. I'm still working on modifying the .plst file.

leeskade
New Contributor III

To be honest, we're having issues just having the package install via Jamf, without any config attached. Seems it doesn't like being installed as root via Jamf.

nikjamf
New Contributor III

Hello, is anybody else can post it how the edit .plist file should look like and any working workflow f to deployed. I follow up on the @jwojda steps and end up with the packages installed on /private/tmp folder without the script to execute them. Also, the current Team ID and .kext can not bypass the installer Security prompt. I appreciate any help thanks for your efforts and time. Global Protect 5.0.4 version.

coaty_obrien
New Contributor II

After a little bit of digging I was able to figure out how to deploy the portal(s) via configuration profile. I noticed after a fresh install of Global Protect under ~/Library/Preferences, there was a plist called com.paloaltonetworks.GlobalProtect. When I opened it up, it contained a key for Pan Portal List that was set to type array. I added our two portals to the array list & saved the plist. To test, I created a new configuration profile with the custom settings payload configured. Used com.paloaltonetworks.GlobalProtect as the preference domain and then uploaded the plist that I edited. To test, I removed Global Protect, then pushed the configuration profile to my machine ahead of time. Re-installed Global Protect, and as soon as it launched, both of our portals were now pre-populated. Seems that Palo Alto need to update their documentation.

Heres what the general structure of the plist needs to look like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>PanPortalList</key> <array> <string>palo.portal1.com</string> <string>palo.portal2.com</string> </array>
</dict>
</plist>

Hopefully this helps!

nikjamf
New Contributor III

Thank you very much coaty.obrien for your responds and efforts, my question here is what option you used when creating the configuration profile with the custom settings, could you give us more details?
And thanks again for your help.

To bypass the security&privacy prompt for latest agent 5.0.5.28 I use; Team ID PXPZ95SK77

Bundle ID kext :
com.paloaltonetworks.kext.pangpd ; com.paloaltonetworks.GlobalProtect.gpsplit ;
com.paloaltonetworks.GlobalProtect.gplock

sintichn
New Contributor III

I am stuck in the connecting loop... I've got the portal to load correctly via but now when it opens it is just stuck in the connecting loop. I've tried pushing the launch d with launchctl which used to work but I can't get it to work anymore... Can anyone shed some light onto this?

techjason
Contributor

@sintichn we had a similar issue with the new version on Mojave and the then Catalina. I am thinking you are in a security check loop. If you go to System Preferences and then Security and Privacy on one of the machines with the issue, you should see a security confirmation dialogue. This is similar to the non-certified App installation dialogue.

The way we got around this was a Kernel Extension with the following info:
Display Name: Palo Alto Networks
Bundle ID: PXPZ95SK77

miler
New Contributor

Deploy globalprotect but software is using the administrator credentials to connect instead of using the user credentials to connect.

sintichn
New Contributor III

So I finally got this to work in my environment. I kept running into the issue of the connecting loop. This is what I did...
- I started to build a DMG for GlobalProtect in composer by way of a normal snapshot
- Next before building the DMG I edited the two launch agent plist files in /Library/LaunchAgents com.paloaltonetworks.gp.pangps.plist, com.paloaltonetworks.gp.pangpa.plist Taking out the LimitLoadToSessionType key and string Aqua in both plist files. (https://www.jamf.com/jamf-nation/discussions/29172/installing-globalprotect-4-1-3-vpn-client)
- Then in /Users/currentuser/Library/Preferences I put the portal address in the com.paloaltonetworks.GlobalProtect.plist.

<key>PanPortalList</key><array><string>yourportalhere</string></array>

- Then I built the DMG uploaded it to jamf admin and checked FUT and FEU
- When creating a policy I added two scripts, one to run before the DMG is installed and one after. The before script is just to stop the GlobalProtect process if it's running.

#!/bin/sh
killall GlobalProtect

The the one that runs after is...

#!/bin/sh
# Finds the logged on user
USER_NAME=$(printf '%s' "${SUDO_USER:-$USER}")
# Opens the updated GlobalProtect app
 open /Applications/GlobalProtect.app
# Waits 5 seconds
 sleep 5
# Uses the logged in user to load the LaunchDaemon via launchctl
sudo -u $USER_NAME launchctl load /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist
echo "done"

(This doesn't work unless the launchctl line is run as the current logged in user, thus the $USER_NAME parameter.)

And finally, it works!

cbrewer
Valued Contributor II

@sintichn

You could just deploy your plist settings at a system level with a script and then push out the native GlobalProtect package. This is what we're doing and seems a little cleaner than a custom package with FUT and FEU.

Here is an example setup script based on what I've been doing. GlobalProtect doesn't appear to respect these settings if deployed with a Configuration Profile so a script is required from what I've seen.

#!/bin/bash

plistBuddy='/usr/libexec/PlistBuddy'
GPplistFile='/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist'

if [[ -f ${GPplistFile} ]]; then
  echo "Removing existing GlobalProtect prefs file"
  rm -f ${GPplistFile}
fi

${plistBuddy} -c "print : 'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal'" ${GPplistFile}

${plistBuddy} -c "add :'Palo Alto Networks' dict" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect' dict" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup' dict" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Prelogon' integer 1" ${GPplistFile}

sudoErase
New Contributor III

Thank you @cbrewer!

Question: how do you go about adding more than one string portal IP?

${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}

Example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Palo Alto Networks</key>
<dict>
<key>GlobalProtect</key>
<dict>
<key>PanSetup</key>
<dict>
<key>Portal</key>
<string>vpn.example.com</string>
<string>vpn.example2.com</string>
<string>vpn.example3.com</string>
</dict>
</dict>
</dict>
</dict>
</plist>

========

How do you go about adding the extra string portal addresses?

franton
Valued Contributor III

Your XML is malformed. It should look more like this:

<key>Portal</key>
<array>
<string>vpn.example.com</string>
<string>vpn.example2.com</string>
<string>vpn.example3.com</string>
</array>

sudoErase
New Contributor III

How do you do the above using the script?

${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}


I tried this but it didnt create correctly: I must be mis-using "array"

${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' array" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example2.com'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example3.com'" ${GPplistFile}

 

 

sintichn
New Contributor III

@cbrewer Thanks so much, this works well!

jkryklywec
New Contributor III

Anyone have a EA to get the VPN IP address the client is on when connected via GP?

awueschinski
New Contributor II

@cbrewer We just switched to GlobalProtect and this worked like a charm. Thanks!

ncottle
New Contributor III

I am fully stuck on this one. I have deployed the pkg and plist as recommended by @cbrewer and that part works like a champ. I still get stuck at the connecting loop. I've deployed the kext multiple times multiple ways with no luck. The latest is shown below. I took it and deployed it via JAMF but with those settings. That is directly from their website. Any help would be much appreciated!
1651840dcc5a46f28ec92696065d7586

jtrant
Valued Contributor

@ncottle ,

We have this all the time and it has been a continuous issue. Most of the time, killing the client and allowing it to relaunch automatically gets around this. What happens when you run the below in Terminal:

sudo killall GlobalProtect

On a related note, has anyone gotten GlobalProtect v5 working in Catalina? This is the officially supported version and we are continuously seeing a (false) "Cannot connect to gateway" error, even though the client connects just fine.

I know v4 is not officially supported in Catalina but it seems to work fine, and to me is a better solution than deploying a broken client. Has anyone validated 4.1.13 in Catalina?

Thanks,
Justin.

cbrewer
Valued Contributor II

5.1.1 working fine in Catalina here.

Anytime you do things with command line or scripts related to GlobalProtect, you want to be aware of which user you are running that task as. GlobalProtect has both a system LaunchDaemon as well as user level LaunchAgents. Here is the script I use to make sure GlobalProtect is started correctly for the logged in user. I run this after installation.

#!/bin/bash

# Make sure GP is installed
if [[ ! -d /Applications/GlobalProtect.app ]]; then
  echo "GlobalProtect not installed"
  exit 0
fi

# Get logged in user
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Stop GlobalProtect Services
if [[ -n ${loggedInUser} ]]; then
  if [[ -f /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist ]]; then
    echo "Attempting to stop com.paloaltonetworks.gp.pangpa"
    su -l $loggedInUser -c "/bin/launchctl unload /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist"
  fi
  if [[ -f /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist ]]; then
    echo "Attempting to stop com.paloaltonetworks.gp.pangps"
    su -l $loggedInUser -c "/bin/launchctl unload /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist"
  fi
fi

if [[ -f /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist ]]; then
  echo "Attempting to stop com.paloaltonetworks.gp.pangpsd"
  /bin/launchctl unload /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist
fi

sleep 3

# Start GlobalProtect Services
if [[ -f /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist ]]; then
  echo "Attempting to start com.paloaltonetworks.gp.pangpsd"
  /bin/launchctl load /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist
fi

if [[ -n ${loggedInUser} ]]; then
  if [[ -f /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist ]]; then
    echo "Attempting to start com.paloaltonetworks.gp.pangps"
    su -l $loggedInUser -c "/bin/launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist"
  fi

  if [[ -f /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist ]]; then
    echo "Attempting to start com.paloaltonetworks.gp.pangpa"
    su -l $loggedInUser -c "/bin/launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist"
  fi
fi

jtrant
Valued Contributor

@cbrewer ,

Thanks for this. Our issue appears to be related to the encryption/decryption of cookies at appliance level.

Regarding the logged in user, we avoided this whole situation by not touching the installer package and adding our pre-configuration as a separate package in the same policy.

We found that modifying the package in any way resulted in a failed installation, so the above makes total sense.

Thanks,
Justin.

ncottle
New Contributor III

Thanks for the updates everyone. I've tried it all and still no luck. I think I've narrowed it down to either a firewall or a kext issue. Attempting to work without network team to address that side of it now.

jtrant
Valued Contributor

Try enabling debug logging under Settings > Troubleshooting. That will get you a complete dump of all applicable logs and make it easier to identify the issue.

jared_f
Valued Contributor

I anybody just doing a wipe and pave for updates?

karlmikaeloskar
New Contributor II

@cbrewer Thanks! This product is a nightmare to deploy!

JoshRouthier
Contributor

I am in the same boat as @jared_f and curious how people are handling GlobalProtect updates.

selleos
New Contributor II

We recently deployed Global Protect, how often are updates pushed?

As for our deployment I pushed the KEXT a few days prior and then began the software deployment. We haven't seen any issues deploying. We also did not push a .plist with the portal url baked in.

cbrewer
Valued Contributor II

GlobalProtect 5.1.2 appears to have resolved some of the issues around starting the services as the currently logged in user when deployed from Jamf.

Fixed an issue in GlobalProtect for macOS endpoints where installing or upgrading the package using a Mobile Device Management (MDM) solution such as JAMF Pro resulted in a GlobalProtect app initialization failure.

mchiquete
New Contributor

We were having the Connecting Loop issue while trying to deploy GlobalProtect 5.1.3. I ended up having to use composer to package placing the installer in a Jamf folder I created in the Root Library. I then used a script to run the installer followed up by @cbrewer script above to create a plist with our portal and it worked perfectly. Now for updates I just need to update the installer.

smpotter
New Contributor III

I had been fighting several issues with versions 5.1.2 and 5.1.3. Finally they released version 5.1.4 and it appears most of the issues have been resolved, production rollout it is...

danlaw777
Contributor III

@smpotter just a regular package created with 5.1.4?

smpotter
New Contributor III

Yes that is correct...