>
    Strata Copilot
    CLI Launcher for GlobalProtect
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Apps
    4. Deploy the GlobalProtect App to End Users
    5. CLI Launcher for GlobalProtect
    Download PDF
    GlobalProtect

    CLI Launcher for GlobalProtect

    Table of Contents

    CLI Launcher for GlobalProtect

    Launch GlobalProtect with CLI commands
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    • GlobalProtect endpoints running on Windows 10 or Windows 11
    The GlobalProtect CLI launcher provides a way to initiate connections, disconnect, and perform other functions without using the graphical user interface (GUI). This is particularly useful for:
    • Automating connections using scripts.
    • Integrating GlobalProtect into third-party applications.
    The GlobalProtect CLI executable pangpcli.exe is located in C:\Program Files\Palo Alto Networks\GlobalProtect. The executable is installed as part of the GlobalProtect MSI installation.
    Logs for pangpcli.exe, specifically communications between the PanGPA.exe and PanGpCli.exe processes, are stored in PanGpCli.log within the same installation folder. For logs related to overall GlobalProtect functionalities, refer to GlobalProtect App Log Collection for Troubleshooting.
    You can use the CLI launcher for the following features:
    • IPSec VPN and SSL VPN
    • On-demand and always-on mode
    • NGFW Gateways, Prisma Access: MU, EP gateways
    • Client certificate authentication, SAML, Local authentication
    • IPv4 and IPv6 addressing
    • Split Tunnel and Full tunnel
    • HIP Reports and HIP notifications

    Prerequisites

    GlobalProtect must be installed in your environment using the MSI file.

    Syntax

    pangpcli.exe [-help] [-status] [-start {-portal <portal>|-gateway <gateway>}] [-start -clientcert <cert_name>] [-disconnect] [-logs -level <dump|debug>]
    NameRequirementDescription
    pangpcli.exeMandatoryLaunches the GlobalProtect CLI. Displays help when used on its own.
    [-help]OptionalDisplays command usage options.
    [-status]OptionalDisplays the status of the GlobalProtect agent connection. The status can be connected, disconnected or not running.
    [-start {-portal <portal>|-gateway <gateway>}]OptionalConnects to the specified GlobalProtect portal and/gateway.
    [-start -clientcert <cert_name>]OptionalSelects the specified certificate during the http connection. If an incorrect certificate name is provided, GlobalProtect prompts the user for certificate selection. This command must be used in combination with the portal and gateway commands. If the certificate name includes a space, provide the cert_name in “ “.
    [-disconnect]OptionalDisconnects the GlobalProtect agent.
    [-logs -level <dump|debug>]OptionalSets the GlobalProtect log level.

    © 2025 Palo Alto Networks, Inc. All rights reserved.