GlobalProtect
Troubleshoot Clientless VPN
Because Clientless VPN dynamically rewrites the HTML of the applications it publishes, the content of some applications may not rewrite correctly and the application can break. If that happens, use the following commands to identify the likely cause:
**CLI Commands**

**List the version of Clientless VPN dynamic content being used.** You can also view the dynamic update version from Device > Dynamic Updates > GlobalProtect Clientless VPN.

```
show system setting ssl-decrypt memory
proxy uses shared allocator
SSL certificate cache:
Current Entries: 1
Allocated 1, Freed 0
Current CRE (61-62) : 3456 KB (Actual 3343 KB)
Last CRE (60-47) : 3328 KB (Actual 3283 KB)
```

In this example, the current dynamic update is version 61-62, and the previously installed dynamic update is version 60-47.

**List active (current) users of Clientless VPN.**

```
show global-protect-portal current-user portal GPClientlessPortal filter-user all-users
GlobalProtect Portal : GPClientlessPortal
Vsys-Id : 1
User : paloaltonetworks.com\johndoe
Session-id : 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
Client-IP : 5.5.5.5
Inactivity Timeout : 1800
Seconds before inactivity timeout : 1750
Login Lifetime : 10800
Seconds before login lifetime : 10748
Total number of user sessions: 1
```

**Show DNS resolution results.** Use this to determine whether there is a DNS issue: an FQDN that the firewall could not resolve shows `querying` in the Expire column instead of an expiry time.

```
show system setting ssl-decrypt dns-cache
Total DNS cache entries: 89
Site IP Expire(secs) Interface
bugzilla.panw.local 10.0.2.15 querying 0
www.google.com 216.58.216.4 Expired 0
stats.g.doubleclick.net 74.125.199.154 Expired 0
```

**Show all Clientless VPN user sessions and the cookies stored for them.**

```
show system setting ssl-decrypt gp-cookie-cache
User: johndoe, Session-id: 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0, Client-ip: 199.167.55.50
```

**Show rewrite statistics.** Use this to check the health of the Clientless VPN rewrite engine. The Rewrite Statistics table below explains what each counter means and which ones indicate a problem.

```
show system setting ssl-decrypt rewrite-stats
Rewrite Statistics
initiate_connection : 11938
setup_connection : 11909
session_notify_mismatch : 1
reuse_connection : 37
file_end : 4719
packet : 174257
packet_mismatch_session : 1
peer_queue_update_rcvd : 167305
peer_queue_update_sent : 167305
peer_queue_update_rcvd_failure: 66
setup_connection_r : 11910
packet_mismatch_session_r : 22
pkt_no_dest : 23
cookie_suspend : 2826
cookie_resume : 2826
decompress : 26
decompress_freed : 26
dns_resolve_timeout : 27
stop_openend_response : 43
received_fin_for_pending_req : 26
Destination Statistics
To mp : 4015
To site : 12018
To dp : 17276
Return Codes Statistics
ABORT : 18
RESET : 30
PROTOCOL_UNSUPPORTED : 7
DEST_UNKNOWN : 10
CODE_DONE : 52656
DATA_GONE : 120359
SWITCH_PARSER : 48
INSERT_PARSER : 591
SUSPEND : 2826
Total Rewrite Bytes : 611111955
Total Rewrite Useconds : 6902825
Total Rewrite Calls : 176545
```

**Debug Commands**

**Enable debug logs on the firewall running the Clientless VPN portal.**

```
debug dataplane packet-diag set log feature ssl all
debug dataplane packet-diag set log feature misc all
debug dataplane packet-diag set log feature proxy all
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
```

**Enable packet capture on the firewall running the Clientless VPN portal.**

```
debug dataplane packet-diag set capture username <portal-username>
debug dataplane packet-diag set capture stage clientless-vpn-client file <clientless-vpn-client-file>
debug dataplane packet-diag set capture stage clientless-vpn-server file <clientless-vpn-server-file>
debug dataplane packet-diag set capture stage firewall file <firewall-file>
debug dataplane packet-diag set capture stage receive file <receive-file>
debug dataplane packet-diag set capture stage transmit file <transmit-file>
debug dataplane packet-diag set capture on
```

When you execute the packet capture commands, a consent page appears after end users log in to the Clientless VPN portal, informing them that the packets captured during their session will contain unencrypted (clear-text) data. If users consent to the packet capture session, they proceed to the applications landing page, where packet capture begins. If users do not consent, they are logged out of the Clientless VPN portal and must contact an administrator to proceed with a regular user session (without packet capture). If you execute the packet capture commands while user sessions are already in progress, those users are automatically logged out of the Clientless VPN portal and must log back in to accept or decline the packet capture session. Because the capture files hold clear-text application traffic (including credentials and session cookies), handle them as sensitive data and run `debug dataplane packet-diag set capture off` as soon as you have what you need.

**Show packet capture status.**

```
debug dataplane packet-diag show setting
----------------------------------------------------------
Packet diagnosis setting:
----------------------------------------------------------
Packet filter
Enabled: no
Match pre-parsed packet: no
----------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
----------------------------------------------------------
Packet capture
Enabled: yes
Snaplen: 0
Username: test1
Stage clientless-vpn-client: file client.pcap
Captured: packets - 3558 bytes - 11366322
Maximum: packets - 0 bytes - 0
Stage clientless-vpn-server: file server.pcap
Captured: packets - 1779 bytes - 5651923
Maximum: packets - 0 bytes - 0
----------------------------------------------------------
```

**Export packet capture files to a Secure Copy (SCP) server.** The CLI help for the command lists the available options:

```
scp export filter-pcap
+ remote-port   SSH port number on remote host
+ source-ip     Set source address to specified interface address
* from          from
* to            Destination (username@host:path)
```

For example:

```
scp export filter-pcap from <source-file> to <username@host:path>
```
**Rewrite Statistics**

The following table describes the counters reported by `show system setting ssl-decrypt rewrite-stats`. Counters ending in `_r` refer to the peer (application-server side) session.

Statistic | Description
---|---
initiate_connection_failure | Connection initiation to the back-end host failed
setup_connection_failure | Connection setup failed
setup_connection_duplicate | Duplicate peer session exists
session_notify_mismatch | Mostly an invalid session
packet_mismatch_session | Failed to find the right session for an incoming packet
peer_queue_update_rcvd_failure | Session was invalid when the packet update was received by the peer
peer_queue_update_sent_failure | Failed to send packet updates, or packet queue length updates, to the peer
exceed_pkt_queue_limit | Too many packets queued
proxy_connection_failure | Proxy connection failed
setup_connection_r | Installing the peer session to the application server. This value should match initiate_connection and setup_connection.
setup_connection_duplicate_r | Duplicate session already in the proxy
setup_connection_failure_r | Failed to set up the peer session
session_notify_mismatch_r | Peer session not found
packet_mismatch_session_r | Peer session not found when trying to get the packet
exceed_pkt_queue_limit_r | Too many packets held
unknown_dest | Failed to find the destination host
pkt_no_dest | No destination for this packet
cookie_suspend | Session suspended to fetch cookies
cookie_resume | Received the response from the management plane (MP) with updated cookies. This value generally matches cookie_suspend.
decompress_failure | Failed to decompress
memory_alloc_failure | Failed to allocate memory
wait_for_dns_resolve | Session suspended to resolve DNS requests
dns_resolve_reschedule | DNS query rescheduled because there was no response (retry before timeout)
dns_resolve_timeout | DNS query timed out
setup_site_conn_failure | Failed to set up the connection to the site (proxy, DNS)
site_dns_invalid | DNS resolution failed
multiple_multipart | Multi-part content-type processed
site_from_referer | Back-end host taken from the Referer header. This can indicate links that failed to rewrite, from Flash or other content that Clientless VPN does not rewrite.
received_fin_for_pending_req | Received a FIN from the server for a pending client request
unmatched_http_state | Unexpected HTTP content. This can indicate a problem parsing the HTTP headers or body.
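As an added example (not part of this page and not PAN-OS code), the following Python script applies the checks described above to captured CLI output. It parses the text of `show system setting ssl-decrypt rewrite-stats` and `show system setting ssl-decrypt dns-cache`, flags every non-zero failure counter with the meaning given in the Rewrite Statistics table, verifies the two relations the table states (setup_connection_r against initiate_connection and setup_connection, cookie_resume against cookie_suspend), and lists FQDNs the firewall is still querying. The embedded samples are constructed excerpts of the outputs shown on this page; the 1% tolerance for sessions still in flight is an assumption of this example, not something the documentation specifies.

```python
"""Triage helper for GlobalProtect Clientless VPN CLI output (added example, not PAN-OS code)."""
import re

# Failure counters from the Rewrite Statistics table and what each one means.
FAILURE_COUNTERS = {
    "initiate_connection_failure": "connection initiation to back-end host failed",
    "setup_connection_failure": "connection setup failed",
    "setup_connection_duplicate": "duplicate peer session exists",
    "session_notify_mismatch": "mostly an invalid session",
    "packet_mismatch_session": "no matching session for an incoming packet",
    "peer_queue_update_rcvd_failure": "session invalid when peer received packet update",
    "peer_queue_update_sent_failure": "failed to send packet/queue-length updates to peer",
    "exceed_pkt_queue_limit": "too many packets queued",
    "proxy_connection_failure": "proxy connection failed",
    "setup_connection_duplicate_r": "duplicate session already in proxy",
    "setup_connection_failure_r": "failed to set up the peer session",
    "session_notify_mismatch_r": "peer session not found",
    "packet_mismatch_session_r": "peer session not found when fetching the packet",
    "exceed_pkt_queue_limit_r": "too many packets held",
    "unknown_dest": "failed to find destination host",
    "pkt_no_dest": "no destination for this packet",
    "decompress_failure": "decompression failed",
    "memory_alloc_failure": "memory allocation failed",
    "dns_resolve_timeout": "DNS query timed out",
    "setup_site_conn_failure": "connection to site failed (proxy, DNS)",
    "site_dns_invalid": "DNS resolution failed",
    "site_from_referer": "back-end host taken from Referer: links not rewritten",
    "unmatched_http_state": "unexpected HTTP content: header/body parse problem",
}

# Matches 'name : value' counter lines only; headings and multi-word totals
# such as 'To mp : 4015' or 'Total Rewrite Bytes : ...' deliberately do not match.
COUNTER_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(\d+)\s*$")


def parse_rewrite_stats(text):
    """Return {counter_name: value} from rewrite-stats output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def analyze_rewrite_stats(text, tolerance=0.01):
    """Return (counter, value, explanation) findings for a rewrite-stats dump.
    tolerance is this example's assumption: a small gap between setup_connection_r
    and initiate/setup_connection is expected for sessions still being set up."""
    c = parse_rewrite_stats(text)
    findings = [(n, c[n], why) for n, why in FAILURE_COUNTERS.items() if c.get(n, 0)]
    r = c.get("setup_connection_r")
    for peer in ("initiate_connection", "setup_connection"):
        v = c.get(peer)
        if r is not None and v is not None and abs(v - r) > tolerance * max(v, r, 1):
            findings.append((peer, v, f"differs from setup_connection_r={r}: peer sessions not installed"))
    if c.get("cookie_suspend", 0) != c.get("cookie_resume", 0):
        findings.append(("cookie_resume", c.get("cookie_resume", 0),
                         f"does not match cookie_suspend={c.get('cookie_suspend', 0)}: "
                         "cookie fetches from the management plane are not completing"))
    return findings


def unresolved_sites(text):
    """Return sites whose Expire column still reads 'querying' in dns-cache output,
    i.e. FQDNs the firewall has not been able to resolve."""
    return [f[0] for f in (line.split() for line in text.splitlines())
            if len(f) == 4 and f[2] == "querying"]


# Constructed samples: excerpts of the CLI outputs shown on this page.
REWRITE_STATS_SAMPLE = """Rewrite Statistics
initiate_connection : 11938
setup_connection : 11909
session_notify_mismatch : 1
packet : 174257
packet_mismatch_session : 1
peer_queue_update_rcvd_failure: 66
setup_connection_r : 11910
packet_mismatch_session_r : 22
pkt_no_dest : 23
cookie_suspend : 2826
cookie_resume : 2826
dns_resolve_timeout : 27
Destination Statistics
To mp : 4015
Total Rewrite Bytes : 611111955
"""
DNS_CACHE_SAMPLE = """Total DNS cache entries: 89
Site IP Expire(secs) Interface
bugzilla.panw.local 10.0.2.15 querying 0
www.google.com 216.58.216.4 Expired 0
stats.g.doubleclick.net 74.125.199.154 Expired 0
"""

if __name__ == "__main__":
    for name, value, why in analyze_rewrite_stats(REWRITE_STATS_SAMPLE):
        print(f"{name} = {value}: {why}")
    print("unresolved:", unresolved_sites(DNS_CACHE_SAMPLE))
```

Run against the sample, the script reports the six non-zero failure counters from the page's output (session_notify_mismatch, packet_mismatch_session, peer_queue_update_rcvd_failure, packet_mismatch_session_r, pkt_no_dest, dns_resolve_timeout) and `bugzilla.panw.local` as the unresolved site, which ties the dns_resolve_timeout counter to a concrete FQDN to chase in the firewall's DNS configuration. Capture the two CLI outputs before and after reproducing the broken application and diff the findings: a counter that only moves during the reproduction is the one to investigate.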