GlobalProtect: PanGPS or/and GlobalProtect processes not starting on macOS (OR launchctl is not able to load pangps or pangpa)
Symptom
After the GP App installation/upgrade OR a macOS upgrade, a user sees any of the following symptoms:
- GP App User Interface (UI) not running OR
- PanGPS and/or GlobalProtect process not running OR
- netstat output does not show LISTEN socket for TCP 4767 port
- launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist and/or launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist command does not load pangps or pangpa OR
- launchctl load command shows error: Load failed
- PanGPInstall.log file shows /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist: Service is disabled or /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist: Service is disabled
Environment
GlobalProtect App on macOS
macOS
Cause
This could happen for multiple reasons:
- GP App is not properly/completely installed
- Some of the GP files are missing, for example, any or all of the following files are missing:
/Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
/Applications/GlobalProtect.app/Contents/Resources/PanGPS
/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect
- The macOS launchd or launchctl is not able to load pangps or pangpa
- The pangps service and/or pangpa agent are disabled by the system or user
- The pangps service and/or pangpa agent are not disabled and launchctl is able to load them without any errors but PanGPS and/or GlobalProtect processes are still not running
Resolution
A user can follow these steps to troubleshoot and fix the problem:
Step#1: The following command does not show PanGPS or/and GlobalProtect processes running
ps -ef | grep -i globalprotect
Step#2: Make sure the GP installation installed the following files:
ls -lth /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
ls -lth /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
ls -lth /Applications/GlobalProtect.app/Contents/Resources/PanGPS
ls -lth /Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect
If any file is missing, uninstall and re-install the GP App and verify Step#1
Step#3: Find the User ID (UID) that will be used in the following steps:
id -u
501
Step#4: With the following command, verify the pangp service and agent are not disabled
launchctl print-disabled user/501 | grep pangp
"com.paloaltonetworks.gp.pangps" => false
"com.paloaltonetworks.gp.pangpa" => false
The output should be blank OR the value in the output should be false for both com.paloaltonetworks.gp.pangps and com.paloaltonetworks.gp.pangpa. In that case, just run the following commands to load the pangp service and agent:
launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
Step#5: If the value in the output is true for one or both of them, they are disabled and need to be enabled. Run the following commands to enable and load them:
launchctl load -w /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
launchctl load -w /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
Step#6: Verify that the disabled list now shows a false value:
launchctl print-disabled user/501 | grep pangp
"com.paloaltonetworks.gp.pangps" => false
"com.paloaltonetworks.gp.pangpa" => false
Step#7: The PanGPS & GlobalProtect processes should be running now, verify with the command:
ps -ef | grep -i globalprotect
root <output-abridged> /Applications/GlobalProtect.app/Contents/Resources/PanGPS
user <output-abridged> /Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect
Step#8: GP App UI should be accessible
If there is any issue in connecting with the GP Portal or Gateway, that's a different issue and would need connection troubleshooting methodology
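The choice made in Step#4 and Step#5 (plain load versus load -w), as an added shell example that is not part of the original article or any Palo Alto Networks tooling: it parses launchctl print-disabled output and prints the load command that matches each label's state. The function names and the sample output are constructed, and treating enabled/disabled as synonyms for false/true is an assumption.

```sh
#!/bin/sh
# Added example (not vendor code): classify each GlobalProtect launchd label
# from `launchctl print-disabled` output and print the load command that
# Step#4 / Step#5 prescribe for that state.

GP_LABELS="com.paloaltonetworks.gp.pangps com.paloaltonetworks.gp.pangpa"

# gp_state LABEL   (print-disabled output on stdin)
# Prints one word: disabled | enabled | absent
gp_state() {
    awk -v want="\"$1\"" '
        $1 == want && $2 == "=>" {
            # The page shows true/false. Accepting disabled/enabled as
            # synonyms is an assumption for releases that print words.
            state = ($3 == "true" || $3 == "disabled") ? "disabled" : "enabled"
        }
        END { print (state == "" ? "absent" : state) }
    '
}

# gp_plan   (print-disabled output on stdin)
# Prints one launchctl command per label: plain load when the label is
# absent or false (Step#4), load -w when it is disabled (Step#5).
gp_plan() {
    snapshot=$(cat)
    for label in $GP_LABELS; do
        plist="/Library/LaunchAgents/$label.plist"
        case $(printf '%s\n' "$snapshot" | gp_state "$label") in
            disabled) echo "launchctl load -w $plist" ;;
            *)        echo "launchctl load $plist" ;;
        esac
    done
}

# Constructed sample: pangps is disabled, pangpa is not listed at all.
SAMPLE='disabled services = {
    "com.example.other" => true
    "com.paloaltonetworks.gp.pangps" => true
}'

printf '%s\n' "$SAMPLE" | gp_plan
# On a Mac, feed it live data instead:
#   launchctl print-disabled "user/$(id -u)" | gp_plan
```

The script only prints the commands; review them and run them yourself, then repeat Step#6 and Step#7 to confirm the result.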