GlobalProtect: PanGPS or/and GlobalProtect processes not starting on macOS (OR launchctl is not able to load pangps or pangpa)

After the GP App installation/upgrade OR a macOS upgrade, a user sees any of the symptoms:

• GP App User Interface (UI) not running OR
• PanGPS and/or GlobalProtect process not running OR
• netstat output using "netstat -an | grep 4767" does not show LISTEN socket for TCP 4767 port
• launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist and/or launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist command does not load pangps or pangpa OR
• launchctl load command shows error: Load failed
• PanGPInstall.log file shows /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist: Service is disabled or /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist: Service is disabled

• Supported GlobalProtect App versions
• macOS clients

This could happen for multiple reasons:

• GP App is not properly/completely installed
• Some of the GP files are missing, for example, any or all of the following files is missing:

• The macOS launched or launchctl is not able to load the pangps or pangpa
• The pangps service and/or pangpa agent are disabled by the system or user
• The pangps service and/or pangpa agent are not disabled and launchctl is able to load them without any errors
• Even with the above, PanGPS and/or GlobalProtect processes are still not running

A user can follow the steps to troubleshoot and fix the problem:

Step#1: The following command does not show PanGPS or/and GlobalProtect processes running

ps -ef | grep -i globalprotect

Step#2: Make sure the GP installation installed the following files:

ls -lth /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
ls -lth /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
ls -lth /Applications/GlobalProtect.app/Contents/Resources/PanGPS
ls -lth /Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect

If any file is missing, uninstall and re-install the GP App and verify Step#1

Step#3: Find the User ID (UID) that would be used in following steps:

id -u
501

Step#4: With the following command, verify the pangp service and agent are not disabled

launchctl print-disabled user/501 | grep pangp
"com.paloaltonetworks.gp.pangps" => false
"com.paloaltonetworks.gp.pangpa" => false

The output should be blank OR the value in the output should be false for both the com.paloaltonetworks.gp.pangps and com.paloaltonetworks.gp.pangpa, 

Just run the following commands to load the pangp service and agent:

launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist

Step#5: If the value in the output is true for one or both of them, it means it's/they're disabled and need to be enabled, run the following commands to enable and load them:

launchctl load -w /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
launchctl load -w /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist

Step#6: Verify the disabled list should have a false value now:

launchctl print-disabled user/501 | grep pangp
"com.paloaltonetworks.gp.pangps" => false
"com.paloaltonetworks.gp.pangpa" => false

Step#7: The PanGPS & GlobalProtect processes should be running now, verify with the command:

ps -ef | grep -i globalprotect
root <output-abridged> /Applications/GlobalProtect.app/Contents/Resources/PanGPS
user <output-abridged> /Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect

Step#8: If the above steps does not resolve the issue, check macOS Security Settings to ensure no security setting is restricting the services.

Step#9: GP App UI should now be accessible.

Step#10: If there is any issue in connecting with the GP Portal or Gateway, that's a different issue and would need connection troubleshooting methodology.