WeakHostSend config on Windows being Enabled for Wifi adapter post connecting to GP

WeakHostSend config on Windows being Enabled for Wifi adapter post connecting to GP

19977
Created On 06/10/20 13:18 PM - Last Modified 03/16/21 02:07 AM


Symptom
  • When GP is connected, WeakHostSend/WeakHostReceive status through the Windows PowerShell is changed from Disabled to Enabled.
  • PowerShell output while GP is disabled:
PS C:\WINDOWS\system32> Get-NetIPInterface | ft interfacealias,weakhostreceive,weakhostsend

interfacealias WeakHostReceive WeakHostSend
-------------- --------------- ------------
Bluetooth Network Connection Disabled Disabled
Local Area Connection* 2 Disabled Disabled
Local Area Connection* 1 Disabled Disabled
Loopback Pseudo-Interface 1 Disabled Disabled
WiFi Disabled Disabled
Bluetooth Network Connection Disabled Disabled
Local Area Connection* 2 Disabled Disabled
Local Area Connection* 1 Disabled Disabled
Loopback Pseudo-Interface 1
Disabled Disabled
WiFi Disabled Disabled
  • PowerShell Output when GP is connected:
PS C:\WINDOWS\system32> Get-NetIPInterface | ft interfacealias,weakhostreceive,weakhostsend

interfacealias WeakHostReceive WeakHostSend
-------------- --------------- ------------
Ethernet 4 Disabled Disabled
Bluetooth Network Connection Disabled Disabled
Local Area Connection* 2 Disabled Disabled
Local Area Connection* 1 Disabled Disabled
Loopback Pseudo-Interface 1 Disabled Disabled
WiFi Disabled Enabled
Ethernet 4 Disabled Disabled
Bluetooth Network Connection Disabled Disabled
Local Area Connection* 2 Disabled Disabled
Local Area Connection* 1 Disabled Disabled
Loopback Pseudo-Interface 1 Disabled Disabled
WiFi Disabled Enabled <======


 


Environment
Global Protect Client 5.0 & 5.1

Cause
When Optimized Split Tunnelling Feature is enabled (i.e. when Domain-Based Split-Tunnelling or Application-based Split-Tunnelling is not enabled), then GP 5.x will enable both "WeakHostSend" and "WeakHostReceive" on all adapters (Physical and Virtual).

Resolution
RECOMMENDED RESOLUTION:
 
  1. With GP 5.0.x and 5.1.x, the administrator may configure a fake Domain-based Split-Tunnelling (to example.org for instance), which will make sure that WeakHost feature is disabled on all adapters
  2. In addition to this, one of the issues caused by enabling WeakHostSend is Delay in DNS Resolution. (Please see Note below)

NOTE:
With DNS Split-Tunnelling feature introduced in GP 5.2, there should be no delay in DNS resolution irrespective of the status WeakHostSend feature.


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UNoCAM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language