Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:configuration:globalprotect [2020/11/11 10:27] – [GlobalProtect SSO Use Login Credentials] bstafford
+++ paloaltonetworks:configuration:globalprotect [2025/09/11 08:00] (current) – [Cookies] bstafford
@@ Line 1: / Line 1: @@
 ====== GlobalProtect ======
+===== SAML for GlobalProtect =====
+[[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE|This page]] is a good guide.
 ===== Licence Requirements =====
 Palo Alto Networks list the licence requirements [[https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html|here]].
@@ Line 120: / Line 122: @@
 [HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect]
 "SetGPCPDefault"=dword:00000001</code>
+If you are installing with MSI, you can use the following install command to ensure that SSO is enabled.
+<code>msiexec.exe /i c:\users\username\Desktop\GlobalProtect.msi /quiet PORTAL="vpn.example.com" CONNECTMETHOD="always-on" USESSO="yes"</code>
 ===== Dual ISP Resiliency =====
 If you have two active ISP links to a firewall, you can have resilient GlobalProtect.
@@ Line 134: / Line 139: @@
 <code>Computer\HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\LastUrl</code>
 ===== Cookies =====
+User related cookies are stored in the following folders.
-For Windows, user related cookies are stored in:
+First line is for user cookies.
+Second line is for pre-logon cookies (not tied to a particular user, but to a machine)
-<code>C:\Users\%Username%\AppData\Local\Palo Alto Networks\GlobalProtect\</code>
+**For Windows**
-filenames have this format:
+<code>C:\Users\%Username%\AppData\Local\Palo Alto Networks\GlobalProtect\
-<code>PanPUAC_17c2deb6776739fbe2e40a988c921b8.dat</code>
+C:\Program Files\Palo Alto Networks\GlobalProtect\</code>
+**For MacOS**
-For pre-logon cookies (not tied to a particular user, but to a machine), cookies can be found in:
+<code>/Users/$USER/Library/Application Support/PaloAltoNetworks/GlobalProtect/
-<code>C:\Program Files\Palo Alto Networks\GlobalProtect\</code>
+/Library/Application Support/PaloAltoNetworks/GlobalProtect/</code>
-filenames have this format:
+**For Linux**
+<code>~/.GlobalProtect/
+/opt/paloaltonetworks/globalprotect/</code>
+**Naming**
+User cookie filenames have this format:
+<code>PanPUAC_17c2deb6776739fbe2e40a988c921b8.dat</code>
+Pre-Login cookie filenames have this format:
 <code>PanPPAC_811c13bcd3d719c3cdf84fac1ceab29.dat</code>
+To delete the cookies in Windows
+<code>del /F /Q "%LOCALAPPDATA%\Palo Alto Networks\GlobalProtect\*.dat"</code>
+or Powershell:
+<code>$Verzeichnis = "$env:LOCALAPPDATA\Palo Alto Networks\GlobalProtect" Get-ChildItem -Path $Verzeichnis -Filter *.dat -File | Remove-Item -Force</code>
+===== Portal Client Certificates =====
+When you go to a GlobalProtect portal that requires a client certificate be selected, you used to be able to add the site (in Internet Explorer) to the list of 'trusted sites' and the browser would then remember to select the certificate. In the latest version of Edge, it seems that they have changed that. You have to import the "Edge ADMX" and put the following settings in:<code>{"pattern":"https://gpportal","filter":{"ISSUER":{"CN":"ISSUER NAME"}}}</code>
+ADMX is group policy for Edge.
+===== Linux Mint Certificates =====
+On Linux Mint, you may need to install the certificate being used by the GlobalProtect portal.
+Copy the PEM/CRT files to ''/usr/local/share/ca-certificates'' and then run ''sudo update-ca-certificates''.
+===== Bypass Uninstall Password =====
+Edit registry ''Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\portal''
+Set the ''Uninstall'' REG_DWORD value to 0 to remove this manually.
+Restart the agent services or restart the machine to read the new value.
+===== Unauthenticated Downloads=====
+<code>https://vpn.example.com/global-protect/getmsi.esp</code>
+<code>https://vpn.example.com/global-protect/getsoftwarepage.esp</code>
+If you want to create an inbound URL blocker
+<code> *.example.com/global-protect/getsoftwarepage.esp
+ *.example.com/global-protect/getmsi.esp</code>
+<code>https://vpn.example.com/global-protect/getmsi.esp?version=32&platform=windows
+https://vpn.example.com/global-protect/getmsi.esp?version=64&platform=windows
+https://vpn.example.com/global-protect/getmsi.esp?version=none&platform=mac
+https://vpn.example.com/global-protect/msi/GlobalProtect32.msi
+https://vpn.example.com/global-protect/msi/GlobalProtect64.msi
+https://vpn.example.com/global-protect/msi/GlobalProtect.pkg
+</code>
+To force authentication, you can redirect users to another server (of your creation and choosing)
+<code>set global-protect redirect location <path of the external server repository of the file>
+set global-protect redirect on</code>
+If this other server doesn't force them to authenticate, you can create an authentication policy (outside>outside) to enforce this.
+===== Dynamic DNS =====
+PAN-OS doesn't use external DHCP for GlobalProtect clients. If you want Dynamic DNS and don't want to use the clients, you can use syslog or HTTP using GlobalProtect events.
+( stage eq connected ) or ( stage eq logout ) and put $private_ip and $srcuser and $device_name as payload. Update Dynamic DNS using $deivce_name (possibly $hostname?) and $private_ip. Maybe add $srcuser as tag? Add timestamp as tag?