| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| paloaltonetworks:configuration:globalprotect [2021/10/03 20:49] – [Portal Client Certificates] bstafford | paloaltonetworks:configuration:globalprotect [2025/09/11 08:00] (current) – [Cookies] bstafford |
|---|
| ====== GlobalProtect ====== | ====== GlobalProtect ====== |
| | ===== SAML for GlobalProtect ===== |
| | [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE|This page]] is a good guide. |
| ===== Licence Requirements ===== | ===== Licence Requirements ===== |
| Palo Alto Networks list the licence requirements [[https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html|here]]. | Palo Alto Networks list the licence requirements [[https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html|here]]. |
| <code>Computer\HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\LastUrl</code> | <code>Computer\HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\LastUrl</code> |
| ===== Cookies ===== | ===== Cookies ===== |
| | User related cookies are stored in the following folders. |
| |
| For Windows, user related cookies are stored in: | First line is for user cookies. |
| | Second line is for pre-logon cookies (not tied to a particular user, but to a machine) |
| |
| <code>C:\Users\%Username%\AppData\Local\Palo Alto Networks\GlobalProtect\</code> | **For Windows** |
| |
| filenames have this format: | <code>C:\Users\%Username%\AppData\Local\Palo Alto Networks\GlobalProtect\ |
| <code>PanPUAC_17c2deb6776739fbe2e40a988c921b8.dat</code> | C:\Program Files\Palo Alto Networks\GlobalProtect\</code> |
| |
| | **For MacOS** |
| |
| For pre-logon cookies (not tied to a particular user, but to a machine), cookies can be found in: | <code>/Users/$USER/Library/Application Support/PaloAltoNetworks/GlobalProtect/ |
| <code>C:\Program Files\Palo Alto Networks\GlobalProtect\</code> | /Library/Application Support/PaloAltoNetworks/GlobalProtect/</code> |
| |
| filenames have this format: | **For Linux** |
| | <code>~/.GlobalProtect/ |
| | /opt/paloaltonetworks/globalprotect/</code> |
| | |
| | **Naming** |
| | User cookie filenames have this format: |
| | <code>PanPUAC_17c2deb6776739fbe2e40a988c921b8.dat</code> |
| | |
| | Pre-Login cookie filenames have this format: |
| <code>PanPPAC_811c13bcd3d719c3cdf84fac1ceab29.dat</code> | <code>PanPPAC_811c13bcd3d719c3cdf84fac1ceab29.dat</code> |
| | |
| | To delete the cookies in Windows |
| | <code>del /F /Q "%LOCALAPPDATA%\Palo Alto Networks\GlobalProtect\*.dat"</code> |
| | |
| | or Powershell: |
| | <code>$Verzeichnis = "$env:LOCALAPPDATA\Palo Alto Networks\GlobalProtect" Get-ChildItem -Path $Verzeichnis -Filter *.dat -File | Remove-Item -Force</code> |
| ===== Portal Client Certificates ===== | ===== Portal Client Certificates ===== |
| When you go to a GlobalProtect portal that requires a client certificate be selected, you used to be able to add the site (in Internet Explorer) to the list of 'trusted sites' and the browser would then remember to select the certificate. In the latest version of Edge, it seems that they have changed that. You have to import the "Edge ADMX" and put the following settings in:<code>{"pattern":"https://gpportal","filter":{"ISSUER":{"CN":"ISSUER NAME"}}}</code> | When you go to a GlobalProtect portal that requires a client certificate be selected, you used to be able to add the site (in Internet Explorer) to the list of 'trusted sites' and the browser would then remember to select the certificate. In the latest version of Edge, it seems that they have changed that. You have to import the "Edge ADMX" and put the following settings in:<code>{"pattern":"https://gpportal","filter":{"ISSUER":{"CN":"ISSUER NAME"}}}</code> |
| Copy the PEM/CRT files to ''/usr/local/share/ca-certificates'' and then run ''sudo update-ca-certificates''. | Copy the PEM/CRT files to ''/usr/local/share/ca-certificates'' and then run ''sudo update-ca-certificates''. |
| |
| | ===== Bypass Uninstall Password ===== |
| | |
| | Edit registry ''Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\portal'' |
| | |
| | Set the ''Uninstall'' REG_DWORD value to 0 to remove this manually. |
| | |
| | Restart the agent services or restart the machine to read the new value. |
| | |
| | ===== Unauthenticated Downloads===== |
| | <code>https://vpn.example.com/global-protect/getmsi.esp</code> |
| | <code>https://vpn.example.com/global-protect/getsoftwarepage.esp</code> |
| | If you want to create an inbound URL blocker |
| | <code> *.example.com/global-protect/getsoftwarepage.esp |
| | *.example.com/global-protect/getmsi.esp</code> |
| | |
| | <code>https://vpn.example.com/global-protect/getmsi.esp?version=32&platform=windows |
| | https://vpn.example.com/global-protect/getmsi.esp?version=64&platform=windows |
| | https://vpn.example.com/global-protect/getmsi.esp?version=none&platform=mac |
| | |
| | https://vpn.example.com/global-protect/msi/GlobalProtect32.msi |
| | https://vpn.example.com/global-protect/msi/GlobalProtect64.msi |
| | https://vpn.example.com/global-protect/msi/GlobalProtect.pkg |
| | </code> |
| | |
| | To force authentication, you can redirect users to another server (of your creation and choosing) |
| | <code>set global-protect redirect location <path of the external server repository of the file> |
| | set global-protect redirect on</code> |
| | If this other server doesn't force them to authenticate, you can create an authentication policy (outside>outside) to enforce this. |
| | |
| | ===== Dynamic DNS ===== |
| | PAN-OS doesn't use external DHCP for GlobalProtect clients. If you want Dynamic DNS and don't want to use the clients, you can use syslog or HTTP using GlobalProtect events. |
| | |
| | ( stage eq connected ) or ( stage eq logout ) and put $private_ip and $srcuser and $device_name as payload. Update Dynamic DNS using $deivce_name (possibly $hostname?) and $private_ip. Maybe add $srcuser as tag? Add timestamp as tag? |
