How to restart the global protect VPN agent.

CypherCookie
Contributor

So we use the Global Protect client for our vpn. One of the issues we have with this is that the thing seems to loose the ability to reconnect after being constantly suspended or put to sleep by our laptop users.

Its not enough to kill the process to get it running again, you have to unload and reload the daemons to get it running again.

One of the Devops guys (Scott) I work with made this little script to do just that;

!/bin/bash

echo "Stopping GlobalProtect..." launchctl remove com.paloaltonetworks.gp.pangps launchctl remove com.paloaltonetworks.gp.pangpa echo "Done!"

echo "Starting GlobalProtect..." launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist echo "Done!"

exit 0

Hope it helps someone out there.

6 REPLIES 6

franton
Valued Contributor II

Hi,

Just to warn you, this launchctl commands you're using are marked as "legacy" now. They'll work on Sierra currently, but not forever. Have a look at the man page for more details.

CypherCookie
Contributor

Thanks!

Thats always good to know!

I'll be sure to look into the new way apple are gonna make me do this!

skinford
Contributor

@CypherCookie, Good Morning,

We have moved to Global Protect in our college environment. I apologize for asking this but what is the process to download the AD certificate on the mac automatically which in our environment gets switched out on a regular basis? Before this, we were using Cisco VPN and it was just an install that we used for a long time. At this point, they switched off Cisco and I currently have no VPN access but need it to manage our Macs. Currently, I have the MacBook in the AD, the Global Protect software installed on the MacBook and need to figure out how to get the certificate to download from AD regularly.

Thank you for your time in this matter. Have a very great day!

CypherCookie
Contributor

Hi @skinford the certificate is deployed by the SCEP server which we set up before the vpn goes live. To get that working, the certificate was pre-installed via a secure build lan connection which has a direct connection with the JSS & SCEP server.

skinford
Contributor

Thanks @CypherCookie I think we need to install a Casper plugin for that, but before that our servers need to be Windows 2016, we're still on 2012 and not sure they're moving up yet for us, so I'm sort of stuck in stall mode for the time being.

Appreciate the assistance, have a very great day today!

CypherCookie
Contributor

pretty sure there is no plugin to be configured. You just point to the server you want in the config profile and it should do the authentication for the user.

side note : user accounts need to be mdm enabled to get the profiles working as they are a per user profile not device.