GlobalProtect Agent download fails with error "This site can't be reached"
19506
Created On 10/15/19 04:01 AM - Last Modified 03/19/20 23:17 PM
Symptom
- Endpoint clients connect to Global Protect Portal and they are presented with GP agent download options.
- Once the desired agent is selected to be downloaded, it fails with error: This site can't be reached.
Environment
- PAN OS: 7.1.x and above.
- Windows and Mac clients as GlobalProtect (GP) Endpoints.
- Firewall configured with redirect GlobalProtect Host Agent Download to another website.
Cause
Misconfiguration of redirect location in the Firewall to a wrong URL causes this issue.
Resolution
Solution1:
- Verify the configured redirect URL location on the firewall using set global-protect redirect show command.
> set global-protect redirect show
cfg.global-protect.redirect.flag: True
cfg.global-protect.redirect.location: https://gp.paloalto.com => wrongly configured URL.
- Correct the URL location to the site which hosts the GP agent software using command set global-protect redirect location <corrected URL>. Replace the URL below with the correct URL location configured for your site.
> set global-protect redirect location https://redir.gp.paloalto.com
cfg.global-protect.redirect.location: https://redir.gp.paloalto.com => corrected URL location.
Solution2:
- Disable the global-protect redirect by the CLI command set global-protect redirect off. This will set the Host Agent Download back to default settings where the Agent is downloaded from the Global Protect Portal.
> set global-protect redirect off
> set global-protect redirect show
cfg.global-protect.redirect.flag: False
cfg.global-protect.redirect.location: https://redir.gp.paloalto.com
These commands take into effect immediately and will survive a reboot of the firewall. Commit operation is not required.
Additional Information
- Screenshot of Global Protect Agent download Page
- Screenshot of the error message once the software download is selected.