>
    Strata Copilot
    CLI Launcher for GlobalProtect
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy the GlobalProtect App on Desktops
    6. CLI Launcher for GlobalProtect
    Download PDF
    GlobalProtect

    CLI Launcher for GlobalProtect

    Table of Contents

    CLI Launcher for GlobalProtect

    Launch GlobalProtect with CLI commands
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    • GlobalProtect endpoints running on Windows 10 or Windows 11
    The GlobalProtect CLI launcher provides a way to initiate connections, disconnect, and perform other functions without using the graphical user interface (GUI). This is particularly useful for:
    • Automating connections using scripts.
    • Integrating GlobalProtect into third-party applications.
    The GlobalProtect CLI executable pangpcli.exe is located in C:\Program Files\Palo Alto Networks\GlobalProtect. The executable is installed as part of the GlobalProtect MSI installation.
    Logs for pangpcli.exe are stored in PanGpCli.log within the /User/AppData/Local/Palo Alto Networks/GlobalProtect/ folder. For logs related to overall GlobalProtect functionalities, refer to GlobalProtect Monitoring and Troubleshooting.
    You can use the CLI launcher for the following features:
    • IPSec VPN and SSL VPN
    • On-demand and always-on mode
    • NGFW Gateways, Prisma Access: MU, EP gateways
    • Client certificate authentication, SAML, Local authentication
    • IPv4 and IPv6 addressing
    • Split Tunnel and Full tunnel
    • HIP Reports and HIP notifications

    Prerequisites

    GlobalProtect must be installed in your environment using the MSI file.

    Syntax

    pangpcli.exe [-help] [-status] [-start {-portal <portal>|-gateway <gateway>}] [-start -clientcert <cert_name>] [-disconnect] | [-disconnect -passcode <disconnect_passcode>] [-logs -level <dump|debug>]
    NameRequirementDescription
    pangpcli.exeMandatoryLaunches the GlobalProtect CLI. Displays help when used on its own.
    [-help]OptionalDisplays command usage options.
    [-start {-portal <portal>|-gateway <gateway>}]OptionalConnects to the specified GlobalProtect portal and/gateway.
    [-start -clientcert <cert_name>]OptionalSelects the specified certificate during the http connection. If an incorrect certificate name is provided, GlobalProtect prompts the user for certificate selection. This command must be used in combination with the portal and gateway commands. If the certificate name includes a space, provide the cert_name in “ “.
    [-status]OptionalDisplays the status of the GlobalProtect agent connection. The status can be connected, disconnected or not running.
    [-logs -level <dump|debug>]OptionalSets the GlobalProtect log level.
    [-pangpcli -logs]Collects the GLobalProtect log bundle.
    [-disconnect]OptionalDisconnects the GlobalProtect session.
    -disconnect -passcode <disconnect_passcode>OptionalDisconnects the GlobalProtect session. This parameter is used when GlobalProtect is configured to need a separate passcode to allow end users to disconnect.
    [-signout]OptionalSigns out of GlobalProtect.

    © 2025 Palo Alto Networks, Inc. All rights reserved.