GlobalProtect users sometimes succeed in disabling the GlobalProtect app with a passcode and sometimes fail after restarting PC

Created On 08/10/22 03:54 AM - Last Modified 08/05/25 02:48 AM


Symptom


  • Intermittent failure to disable GlobalProtect App with Passcode after system restart.
  • GlobalProtect users sometimes succeed in disabling the GlobalProtect app with a passcode and sometimes fail after restarting the PC.
  • The GlobalProtect app logs (PanGPS.log and PanGPA.log) show that disabling the GlobalProtect app with a passcode fails only when the disable attempt is sent before the GlobalProtect app connects to the portal.
Failure case:
07/31/22 11:49:46 ####################### Start PanGPS service (ver: 5.2.8-23) #######################
07/31/22 11:53:03 CDisableDialog::CheckPasscode - passcode mismatch, deny disabling
07/31/22 11:53:03 CDisableDialog::OnBnClickedOk - CheckPasscode failed
07/31/22 11:54:51 portal status is Connected. <<<< !!!

Successful case:
07/31/22 11:58:32 ####################### Start PanGPS service (ver: 5.2.8-23) #######################
07/31/22 11:59:08 portal status is Connected. <<<< !!!
07/31/22 11:00:39 CDisableDialog::CheckPasscode - passcode matched, ok to disable
 


Environment


  • GlobalProtect
  • Prisma Access for Users
  • GlobalProtect App


Cause


  • This is the expected behavior.
  • The GlobalProtect app receives the passcode from the portal configuration and compares it with the one the user enters. This process can only happen after portal login.
  • With the current design, the GlobalProtect app does not save a passcode. If the user reboots the machine, the passcode function depends on the GlobalProtect app's state after the user logs in again following the reboot.
  • If the GlobalProtect app is not connected to the portal and a "disable" attempt is made, it fails because the portal connection is not yet successful.
  • The GlobalProtect app does load the cached portal config when the portal is unreachable (provided the cached config is for the same user who is trying to log in now), and at that time the passcode will work (assuming the cached config had the passcode).
  • If the GlobalProtect app has connectivity to the portal but authentication fails (for whatever reason), the GlobalProtect app will not use the cached portal config, so the disable passcode will not work.


Resolution


  • Wait for the portal connection to be successful before disabling the GlobalProtect App.
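
To check whether a reported failure matches this cause, the following added example (not Palo Alto Networks code) walks log lines in order and labels each passcode check by whether the portal had connected since the last service start. It assumes the PanGPS.log and PanGPA.log lines have been merged in order and look like the excerpts above; the function name and verdict labels are hypothetical.

```python
import re
from datetime import datetime

# Line shape as excerpted in the article: "MM/DD/YY HH:MM:SS message".
# Assumption: real log lines may carry extra prefixes, so the timestamp
# is searched for anywhere in the line.
LINE_RE = re.compile(r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)")

# Copied from the article's "Failure case" and "Successful case" excerpts.
FAILURE_CASE = """\
07/31/22 11:49:46 ####################### Start PanGPS service (ver: 5.2.8-23) #######################
07/31/22 11:53:03 CDisableDialog::CheckPasscode - passcode mismatch, deny disabling
07/31/22 11:53:03 CDisableDialog::OnBnClickedOk - CheckPasscode failed
07/31/22 11:54:51 portal status is Connected. <<<< !!!
""".splitlines()
SUCCESS_CASE = """\
07/31/22 11:58:32 ####################### Start PanGPS service (ver: 5.2.8-23) #######################
07/31/22 11:59:08 portal status is Connected. <<<< !!!
07/31/22 11:00:39 CDisableDialog::CheckPasscode - passcode matched, ok to disable
""".splitlines()

def classify_disable_attempts(lines):
    """Return [(timestamp, verdict)] for each passcode check, in log order."""
    connected = False
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        msg = m.group(2)
        if "Start PanGPS service" in msg:
            connected = False  # service restart: portal config not fetched yet
        elif "portal status is Connected" in msg:
            connected = True
        elif "CheckPasscode - passcode matched" in msg:
            results.append((ts, "matched"))
        elif "CheckPasscode - passcode mismatch" in msg:
            # Before connect: the expected behavior described under Cause.
            # After connect: a wrong passcode or something else to investigate.
            when = "after" if connected else "before"
            results.append((ts, f"mismatch-{when}-portal-connect"))
    return results

if __name__ == "__main__":
    for name, sample in (("failure", FAILURE_CASE), ("success", SUCCESS_CASE)):
        for ts, verdict in classify_disable_attempts(sample):
            print(name, ts.isoformat(sep=" "), verdict)
```

The cached-config cases listed under Cause are not distinguished here, because the article shows no log lines for them.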

