A solution for Global Protect Connection Issues on MacOS Clients

P1316-T36895 Nov 30 15:02:57:67700 Error( 119): Error sending 64 bytes to server (-1 bytes sent): Broken pipe
P1316-T36895 Nov 30 15:02:57:67702 Error( 838): Send failed with error: 32
P1316-T36895 Nov 30 15:02:57:567743 Info ( 211): InitConnection ...
P1316-T36895 Nov 30 15:02:57:567759 Debug( 55): fd still open before connect
P1316-T36895 Nov 30 15:02:57:567855 Error( 76): Failed to connect to server at port:4767
P1316-T36895 Nov 30 15:02:57:567862 Error( 215): Cannot connect to service, error: 61

• Mac OS High Sierra 10.13.
• Global Protect  Agent 5.0 and above.
• Any PAN-OS.

MacOS High Sierra 10.13 introduced a new feature that requires user approval before loading newly-installed third-party kernel extensions or KEXTs, for short. When a request is made to load a KEXT that has not been approved, the load request is denied.

NOTE: Approval is automatically granted to third-party KEXTs that were already installed before transitioning to macOS High Sierra.

The KEXT associated with Global Protect has not been approved and so cannot be run. This in turn prevents the Agent from connecting to the service. 

To resolve this, the KEXT needs to be approved. 

When a request is made to load a KEXT that has not been approved, the load request is denied and macOS presents the alert below:

This directs the user to approve the KEXT in System Preferences > Security & Privacy:

This approval will only be present for 30 minutes after the alert. Until approval, future load attempts will cause the approval UI to reappear but will not trigger another alert.

The approval request should show 'Palo Alto Networks' as the developer. Click "Allow" and that should give the necessary permissions for Global Protect.