Palo Alto Networks – Global Protect Switcher (Take 2)

June 10, 2016
/ / /

Palo Alto Networks – Global Protect Switcher (Take 2)

June 10, 2016
/ / /

In a previous post, I outlined some shortcomings with the Palo Alto Networks Firewall “Global Protect” VPN Client. Have a read over the article for some information and a bit of background, but the long and short of it is that the Global Protect client has no native support for the use of multiple profiles/multiple saved connections, and if you are someone like me who is constantly changing between customer Global Protect gateways it’s a right-royal pain in the behind to have to retype your credentials and a hostname into the client all the time.

Oh, and let’s face it, the Global Protect Client isn’t exactly the nicest, prettiest thing to navigate your way around, so it’s even more infuriating when you have to deal with the oddities of the user interface.

In that post, I also released an app which let you save multiple profiles for Global Protect. This went down well (we use it internally at the office), and I had a bit of feedback from some various users that they would love a couple of enhancements (command line switches), as well as for me to chime in on the Palo Alto Networks community forums topics about this subject (here and here).

I’m pleased to say that I’ve just updated this app, and you can download it here:

https://www.boofis.com/product/global-protect-switcher-1-0/

It also now supports command line arguments. These command line arguments are as follows:

  • -loadprofile <profile name> : Load a captured profile
  • -stopservice : Stop the Global Protect Service
  • -startservice : Start the Global Protect Service
  • -restartservice : Restart the Global Protect Service

Unfortunately (because I know this question will be asked), I haven’t yet discovered a way to trigger the Global Protect Client to automatically connect once a profile has been loaded. Obviously, if the saved gateway profile that you load is configured as always-on, it will connect automatically. If anyone has a registry key that can ‘force’ always on on the client side, let me know (I just had a thought – it’s probably a registry key that an ‘always-on’ portal configuration enforces via the client when they first connect).

I’ve tested this app on versions of the Global Protect Client from versions 2.x through to 3.x, and it appears to work on these. The latest 2.x branch I tested was 2.3.3 (from memory), and the latest 3.x branch was 3.0.2-9.

As always, if you have any comments or questions about this app, or any bug reports/feature requests, don’t hesitate to reach out and contact me through the comments below or by sending an email boof@boofis.com. I get a lot of email, and sometimes I miss them (and I can also be a little slack) – so if I don’t reply first up, maybe send me another “gentle reminder” 😉

 

About Author

About Justin McGee

IT Manager in Brisbane, Australia who gets a kick out of all things IT, be it software, scripts, new technologies or anything else that interests me!

10 Comments

  1. Dave August 1, 2017 6:14 pm

    I just loaded the Trial and noted that the switch doesn’t appear to load the “switched to” portal name, although it does make it editable. Specfically, I switch from vpn.companyA.com to vpn.companyB.com, click on GP “Connect”, and the portal still shows “vpn.companyA.com”, although I can now change it to anything I want. Does the license version correct this?

    Reply
    • Justin McGee August 4, 2017 1:26 pm

      Hi Dave,

      That’s strange – did you capture the profile correctly? As in, did you open up Global Protect, connect to the portal, capture it, switch to the second portal, connect, and capture again?

      What OS and GP Client Version?

      Thanks,
      Justin

      Reply
      • Justin McGee August 4, 2017 1:39 pm

        Just a followup, I spoke to Dave and he sorted his issue out. All good!

        Reply
  2. Neil February 13, 2017 1:57 pm

    I support software used by around two hundred councils in the UK. Many use VPN connections to allow secure external connections to the servers our software is on. Last year one started using Palo Alto / Global Protect – it’s fine and one of the least bothersome VPN methods. However this year a second council started using it.

    The Global Protect client version installed for the first site is: 2.3.0-28. And the Portal is greyed out (I can’t edit it via the client) – I think they locked that option out.

    When I connect to the second site it wants me to uninstall that and install a new version (3.1.5-9). I don’t want to have to do a complete uninstall/re-install every time I conect to one of them.

    I could cope with just typing in a different portal, it’s not that I have to connect to these sites regularly. But as I said, it’s not editable in the earlier client. I can see the value in the registry.

    Will your switcher allow me to connect to these two sites?

    Do you know if the later PaloAlto client is compatable with the earlier one?

    If I connect to the first site with the later software will it lock out the option to change the portal again?

    For info I use Windows 10 64-bit but have the various VPN software types installed on virtual PCs (Hyper-V) because they tend to get in each other’s way. The two virtual PCs I use one is Win7 32-bit and the other is Win10 32-bit. There is Citrix listener, Cisco AnyConnect, Cisco VPN, Tight VNC, Real VNC, Check Point, Virtual USB Hub, Teamviewer and now Palo Alto.

    Reply
    • Justin McGee February 13, 2017 8:06 pm

      Hey mate,

      It should – the settings to disable changing are in the registry and the switcher will override that. As long as you capture the profile in GPSwitch that doesn’t lock you out first in you should be ok.

      The client is backwards and forwards compatible in most cases, I get downgrade or upgrade warnings all the time.

      Try the demo out and see if it works!

      Reply
  3. agharta September 6, 2016 7:18 am

    Really, a 32 bit/windows xp version would be amazing!
    Thanks,
    Agharta

    Reply
    • Justin McGee September 6, 2016 9:22 am

      I’m install an XP VM as we speak, and will hopefully just be able to re-target for an older version of .NET and then we’ll be OK.

      Stay tuned

      Reply
      • Justin McGee September 6, 2016 10:41 am

        Just as an update to that, I’ve investigated the ability to rebuild the application in 32-bit for XP, but unfortunately it just doesn’t work, and I don’t want to re-engineer the application for Windows XP.

        Sorry about that. Maybe have a crack at Windows 7 🙂

        Reply
  4. Bob bob July 7, 2016 10:33 pm

    Any chance you have a version of this that runs on XP?

    Reply
    • Justin McGee July 8, 2016 3:45 am

      Not handy, no. I’d have to target for an older .NET Framework and recompile and test. Is there a particular reason you need an XP Version? Can’t update the OS to 7 (not being a smart-ass, btw!) 🙂

      Reply

Post a Comment

Your email address will not be published. Required fields are marked *

*