Ability to fallback to KEXT instead of SE on macOS Catalina 10.15.4+ with GlobalProtect 5.2.5-H1+
Symptom
Fallback to Kernel Extension option on Catalina systems 10.15.4 and above:
This article provides an option for customers to continue using kernel extensions on macOS Catalina 10.15.4 and above. Because of either Apple bugs that are fixed in Big Sur, or third-party app bugs (apps not yet adapted to the new Apple framework), customers may want to fall back to the KEXT if they are not able to move to Big Sur or to push the third-party vendor to adapt to the new framework.
Customers can stay on Catalina but configure GlobalProtect 5.2.5 HF and later builds to use the kernel extension, as opposed to the default, where GlobalProtect uses system extensions for customers using Enforce GlobalProtect for network access and split-tunneling capabilities.
Environment
- GlobalProtect App version 5.1.4 and later, up to 5.2.5
- macOS Catalina 10.15.4 and later
- This article is not valid for Big Sur and later versions
PLEASE do not run the commands below on any other macOS version. They are only valid for macOS Catalina 10.15.x.
Cause
With GP 5.1.4 and later, GlobalProtect started to use only system extensions on Catalina 10.15.4 and above (Catalina only). Many customers are running into split-tunneling and Enforcer problems, and other issues such as kernel panics, when using the system extension.
See the following article for the side issue seen with the system extension when exclude-domain split tunneling is configured: multiple applications freeze or error out on macOS Catalina 10.15.x.
https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA14u000000HBqE
GlobalProtect | SystemExtensions | KernelExtensions | Split-tunnel by domain | Split-tunnel by app | Split-tunnel by access routes | Comments
5.1.4 and above | ✓ | | Chrome Ⅹ, Safari ✓, Firefox ✓, Edge Ⅹ | ✓ | ✓ | Note: Chrome works partially; clients often see ERR_* messages when redirection happens (a refresh can resolve the issue). See https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA14u000000HBqE
5.2.X | ✓ | | Chrome Ⅹ, Safari ✓, Firefox ✓, Edge Ⅹ | ✓ | ✓ | Note: Chrome works partially; clients often see ERR_* messages when redirection happens (a refresh can resolve the issue). See https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA14u000000HBqE
5.2.5 HF and above (KEXT fallback enabled) | | ✓ | Chrome ✓, Safari Ⅹ, Firefox ✓, Edge ✓ | ✓ | ✓ |
Resolution
The Fallback to Kernel Extension option is the suggested resolution if the customer is already on the latest GP version and Catalina and can't upgrade to Big Sur.
To fall back to the kernel extension, edit the GlobalProtect settings plist first and then install or upgrade GlobalProtect to version 5.2.5 HF or later.
Note that root privileges are required to change the plist.
1. Editing the Plist :
- Add the key <key>UseKextAnyway</key> to the pre-deployed .plist file (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist):
  > cd /Library/Preferences/
  > sudo vi com.paloaltonetworks.GlobalProtect.settings.plist
  Add these two lines inside the Settings dictionary (Palo Alto Networks > GlobalProtect > Settings) and save the changes:
  <key>UseKextAnyway</key>
  <integer>1</integer>
  You can run this command to check the change:
  > defaults read com.paloaltonetworks.GlobalProtect.settings.plist
- You can also run this command to change the plist in place (plutil -insert only adds the key when it is not already present; use plutil -replace with the same arguments to overwrite an existing value):
  sudo plutil -insert "Palo Alto Networks".GlobalProtect.Settings.UseKextAnyway -integer 1 /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
- You can also navigate to the Applications folder > GlobalProtect, right-click the app and select 'Show Package Contents' from the context menu.
In the folder that opens you will see a Contents folder. Open it; inside there is a file called Info.plist, which you can right-click to edit and add the new key to:
<key>UseKextAnyway</key>
<integer>1</integer>
Caveat: Info.plist is covered by the app bundle's code signature, so editing it invalidates that signature. Prefer the /Library/Preferences settings file above where possible.
Here is an example of the complete plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict>
            <key>Settings</key>
            <dict>
                <key>UseKextAnyway</key>
                <integer>1</integer>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
Note: You can also use another option for changing the plist like JAMF and other MACOS management tools.
2. Upgrading to 5.2.5 HF or later:
After the installation finishes and the connection to the GlobalProtect gateway has been checked, run the following command to confirm that the kernel extension is in use (the pangpd kext must appear in the output):
> kextstat -l | grep 'palo'
158 0 0xffffff7f82c02000 0x4000 0x4000 com.paloaltonetworks.kext.pangpd (5.2.5f84) 6445D143-37E4-3DCD-95DE-62588A81A4D1 <6 5 3 1>
Are there any special considerations when deploying this change to use kernel extensions instead of system extensions?
- The new key must be deployed before installing or upgrading GP.
- If GP is already installed and the system extension is enabled, uninstall the GlobalProtect application and pre-deploy the new key before reinstalling; otherwise the KEXT fallback will not work and you will see a log line in PanGPS.log like:
"PanGPS set to explicitly use kext. However system extension is enabled already. Please contact your administrator."
- The new key is only recognized, and only takes effect, in the new GP version (5.2.5 HF and later).
- It won't take effect on macOS Big Sur. If you upgrade macOS to Big Sur later, GP will use the system extension on Big Sur.
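The steps above (version guard, pre-deploying the key, checking for an already-enabled system extension, the post-install kextstat check, and the revert described under Additional Information) as one script. This is an added example, not Palo Alto Networks' own tooling. Assumptions: the GP_SETTINGS_PLIST override variable is hypothetical and exists only so the file-writing functions can be exercised on a scratch path, and the system-extension check assumes the GP extension shows the vendor name in systemextensionsctl output.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' own tooling): pre-deploy the
# UseKextAnyway key on a Catalina host, refuse to run anywhere else, and
# verify the result before and after the GlobalProtect install.
set -eu

# The pre-deployed settings file from step 1. GP_SETTINGS_PLIST is a
# hypothetical override used here only for testing on a scratch path; the
# product reads the /Library/Preferences path.
PLIST="${GP_SETTINGS_PLIST:-/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist}"
KEYPATH="Palo Alto Networks.GlobalProtect.Settings.UseKextAnyway"

# Returns 0 only for macOS 10.15.x: the key is ignored on Big Sur and the
# article says not to run this on any other macOS version.
is_catalina() {
    case "$1" in
        10.15|10.15.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# The complete plist from the article, with UseKextAnyway nested under
# "Palo Alto Networks" > GlobalProtect > Settings.
render_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict>
            <key>Settings</key>
            <dict>
                <key>UseKextAnyway</key>
                <integer>1</integer>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
EOF
}

# Create the file if it is missing; otherwise edit in place with plutil so
# other pre-deployed settings survive. plutil -insert refuses to touch an
# existing key, so fall back to -replace.
deploy_key() {
    if [ -f "$PLIST" ]; then
        plutil -insert "$KEYPATH" -integer 1 "$PLIST" 2>/dev/null \
            || plutil -replace "$KEYPATH" -integer 1 "$PLIST"
    else
        render_plist > "$PLIST"
    fi
}

# Switching back to system extensions later: remove the key, then restart GP.
revert_key() {
    plutil -remove "$KEYPATH" "$PLIST"
}

# The key is ignored if the GP system extension is already enabled; that case
# needs an uninstall first. Assumption: the extension is listed by
# systemextensionsctl with the vendor name in its identifier.
sysext_active() {
    systemextensionsctl list 2>/dev/null | grep -qi 'paloaltonetworks'
}

# Post-install check from step 2: the pangpd kext must be loaded.
kext_loaded() {
    kextstat -l | grep -q 'com.paloaltonetworks.kext.pangpd'
}

main() {
    ver="$(sw_vers -productVersion)"
    is_catalina "$ver" || { echo "refusing: macOS $ver is not Catalina 10.15.x" >&2; return 1; }
    if sysext_active; then
        echo "GlobalProtect system extension already enabled; uninstall GP first" >&2
        return 1
    fi
    deploy_key
    plutil -p "$PLIST"   # show the key as the product will read it
    echo "Key deployed; now install or upgrade GlobalProtect 5.2.5 HF or later."
}

# macOS-specific steps run only when asked for explicitly (sudo sh kext-fallback.sh --apply).
case "${1:-}" in
    --apply)  main ;;
    --verify) if kext_loaded; then echo "pangpd kext loaded"; else echo "pangpd kext not loaded" >&2; exit 1; fi ;;
    --revert) revert_key ;;
esac
```

Run it as root with --apply before the GP install or upgrade, --verify after connecting to the gateway, and --revert (followed by a GP restart) to return to the system extension.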
Additional Information
To switch back to using system extensions later:
- Remove the new key from the .plist first
- Then restart GP
Are there any caveats to using kernel extensions on Catalina (something Apple doesn't recommend)?
- The kext version won't support FQDN-based Enforcer exceptions or the Split DNS feature.
- If the system extension has already been enabled, you must uninstall GP first for the new key to enable the kext. Otherwise you will see a log line in PanGPS.log like "PanGPS set to explicitly use kext. However system extension is enabled already. Please contact your administrator."
Are there any limitations for the domain/app split-tunneling feature when using the kext version?
- Include/exclude domains accessed through Safari may encounter issues, so it is advisable to use other browsers such as Chrome or Firefox.
- Apps that use WebKit (the native macOS framework), Safari for example, may have problems with the kernel extension.