End-of-Life (EoL)

Known Issues

The following list describes known issues in the GlobalProtect app 4.0 release:
Issue ID
Description
GPC-5879
On T-Mobile LTE networks, iOS endpoints running iOS 10.12 or a later release cannot connect to GlobalProtect gateways that are configured with only IPv4 addresses because T-Mobile now assigns only IPv6 addresses to those endpoints.
Workaround: Configure your GlobalProtect gateway with FQDNs instead of IPv4 addresses (Network > GlobalProtect > Gateways > <gateway>).
GPC-5416
On Windows 10 endpoints, the GlobalProtect app removes DNS suffixes due to an error in the read/rewrite function that directly modifies the DNS suffix search list in the Windows registry key.
PAN-48660
When you configure GlobalProtect to run a custom script before or after establishing a connection or before disconnecting, environment variables for command and file registry keys used in those scripts are resolved to incorrect paths. This occurs after you upgrade from one GlobalProtect 2.3 agent release to another or to a GlobalProtect agent 3.0 or 3.1 release.
GPC-4850
GlobalProtect app 4.0.2 and 4.0.3 are unable to start on Windows endpoints when the endpoint uses the Visual C++ Redistributable Package (x64 or x86) version 12.0.2xxxx or earlier for Visual Studio 2013.
Workaround: Uninstall the Visual C++ 2013 Redistributable Package version 12.0.2xxxx or earlier, and then install the Visual C++ 2013 Redistributable Package (x64 or x86) version 12.0.3xxxx from the C:\Program Files\Palo Alto Networks\GlobalProtect folder (vcredist_x64.exe or vcredist_x86.exe).
GPC-4413
Because the SecureAuth IdP Credential Provider does not support GlobalProtect SSO wrapping, users cannot authenticate to GlobalProtect by leveraging the same login used to authenticate through the SecureAuth IdP Credential Provider.
Workaround: To authenticate to GlobalProtect, users must manually enter their username and password in the GlobalProtect app.
GPC-4382
On Windows 10 phones (and other Windows UWP endpoints), the GlobalProtect app does not clear tunnel settings when the gateway is unreachable. When this occurs, the GlobalProtect app status displays as connected despite the app losing the connection with the gateway.
Workaround: If you lose connection with a gateway and cannot access resources, disconnect and connect again from the NETWORK & INTERNET > VPN settings page.
GPC-3999
This issue is now resolved. See GlobalProtect App 4.0.2 Addressed Issues.
When a user tries to establish an RDP connection to (or switches Windows users on) an endpoint that has an active GlobalProtect tunnel, the GlobalProtect tunnel on the remote machine is disconnected even if you have configured a positive User Switch Tunnel Rename Timeout value (Network > GlobalProtect > Portal > <portal_conf> > Agent > App).
Workaround: If you are using this feature, do not upgrade to GlobalProtect app 4.0. Continue to use GlobalProtect agent 3.1, which does not have this issue.
GPC-3962
Proxies are disabled after you establish the GlobalProtect connection on macOS endpoints because proxy settings are not copied from the physical network adapter of the endpoint to the virtual network adapter of the endpoint, and the virtual network adapter becomes the primary adapter from which the macOS endpoint receives proxy settings.
GPC-3959
GlobalProtect gateway hostname resolution for proxied endpoints does not work as expected, which prevents successful connections between proxied endpoints and GlobalProtect gateways.
GPC-3909
This issue is now resolved. See GlobalProtect App 4.0.2 Addressed Issues.
The GlobalProtect app is unable to use a client-side certificate stored on the Gemalto SafeNet eToken for client certificate authentication.
GPC-3903
GlobalProtect app 4.0 on Windows endpoints does not reconnect to the GlobalProtect gateway after a Windows update if you configure endpoints to Update DNS Settings at Connect (Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App > App Configurations). This issue occurs because the app does not restore the automatic DNS configuration.
If you do not require your Windows endpoints to Update DNS Settings at Connect, we recommend you disable this setting in your GlobalProtect configuration. If this update is required, then we recommend you do not use GlobalProtect app 4.0.
GPC-3889
Internal Host Detection does not work if you configure Pre-logon then On-demand as the connect method (Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App > App Configurations).
GPC-3884
This issue is now resolved. See GlobalProtect App 4.0.2 Addressed Issues.
Single sign-on (SSO) on Windows 8.1 experiences delays that cause endpoint users to click multiple times on the GlobalProtect app sign-in icon before they can select it and log in.
GPC-3860
A corrupt tray-icon cache in Microsoft Windows sometimes causes Windows Explorer to crash when the GlobalProtect icon changes, such as from connected to disconnected. This is a known issue for the Windows operating system.
Workaround: To clean up the tray icon cache, create a batch file with the following commands and then run the batch file at your Windows command line:
taskkill /im explorer.exe /f
reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" /v IconStreams /f
reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" /v PastIconsStream /f
start "Shell Restarter" /d "%systemroot%" /i /normal explorer.exe
GPC-3857
This issue is now resolved. See GlobalProtect App 4.0.2 Addressed Issues.
If you Enforce GlobalProtect for Network Access in the GlobalProtect portal configuration (Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App > App Configurations), the GlobalProtect agent blocks re-transmission of client DHCP requests (those with the same Transaction ID as the initial request, such as when re-transmitting the request after failing to receive a response from the server to the initial request). This issue is encountered only in unstable and other environments that require more than one DHCP request before receiving a response from the server.
GPC-3827
When authenticating to GlobalProtect on a Mac endpoint, the Authentication dialog does not respond to keyboard inputs if you open the GlobalProtect tab while the Authentication dialog is displayed on the screen.
Workaround: Move the Authentication dialog or double-click GlobalProtect Login at the top of the authentication prompt. Alternatively, select Cancel and relaunch the authentication attempt.
GPC-3794
When a user first logs in to a GlobalProtect VPN that uses SAML authentication with pre-logon enabled, the tunnel rename (from pre-logon to user logon) fails, the pre-logon tunnel is disconnected, and the user is prompted to re-authenticate.
GPC-3605
On Windows 10 UWP endpoints, the wrong button name appears when a VPN tunnel is established between the endpoint and a firewall gateway: NETWORK & INTERNET > VPNs shows Remove instead of Disconnect.
Workaround: Select Remove to disconnect the tunnel.
GPC-3604
Windows 10 UWP endpoints do not support UDP connections. You cannot use IPSec to secure VPN tunnels between UWP endpoints and firewall gateways.
Workaround: Use SSL to secure the VPN tunnels.
GPC-3591
Clicking Check Version when the GlobalProtect agent is restarting can cause portal authentication to fail.
Workaround: Click Connect and make sure you have a valid connection first before selecting Check Version.
GPC-3431
This issue is now resolved. See GlobalProtect App 4.0.2 Addressed Issues.
The GlobalProtect agent on Windows endpoints does not reconnect to the GlobalProtect gateway after the endpoint experiences a crash or hard reboot if you require Windows endpoints to Update DNS Settings on Connect (Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App > App Configurations). This issue occurs because the agent does not restore the automatic DNS configuration.
If you require Windows endpoints to Update DNS Settings on Connect, do not upgrade to GlobalProtect agent 4.0.
GPC-3410
For split tunnel configurations, traffic for both IPv4 and IPv6 on Windows 10 UWP endpoints is routed automatically through the tunnel by default, even though only IPv4 traffic should be passed.
Workaround: On the GlobalProtect Gateway configuration, use Agent > Client Settings > Split Tunnel to configure the tunnel traffic and to Include IPv4 traffic only.
GPC-3369
On Windows 10 UWP endpoints, after a user successfully connects to the GlobalProtect portal for the first time, subsequent attempts to connect fail with error code 602. This issue occurs when you configure the GlobalProtect app to Save Username Only as the Save User Credentials option in a GlobalProtect portal agent configuration (Network > GlobalProtect > Portals > <globalprotect-portal-config> > Agent > <agent-config> > Authentication).
GPC-3321
On Windows 10 UWP endpoints, when you configure the gateway with a WINS server IP address (Network > GlobalProtect > Gateways > <gateway-configuration> > General), the GlobalProtect app connects to the gateway but fails to install the server address on the endpoint. This issue occurs because the Windows UWP framework does not support WINS servers.
Workaround: Configure the gateway to use only a DNS server IP address.
GPC-3317
On Windows 10 UWP endpoints, app sharing can stop working when a VPN tunnel connection is active. This disables the GlobalProtect Email Logs feature and prevents users from automatically collecting log files to send in email.
Workaround: Disconnect the VPN tunnel (NETWORK & INTERNET > VPNs) and restart the GlobalProtect application.
GPC-3303
The GlobalProtect app for Windows 10 UWP fails to establish a connection to gateways that use RSA server certificates with 512 bits. This occurs because Microsoft no longer supports MD5 for server authentication and blocks RSA keys smaller than 1,024 bits.
Workaround: Use RSA server certificates with 1,024, 2,048, or 3,074 bits and SHA256.
GPC-3274
For GlobalProtect apps running on iOS endpoints, stopping the app does not disconnect the VPN tunnel.
Workaround: (On Demand only) Select Disconnect from the GlobalProtect app menu.
GPC-3238
In GlobalProtect portal and gateway configurations, the Save User Credentials setting for GlobalProtect agents does not work for SAML authentication.
Workaround: Users must enter their login credentials again to reconnect.
GPC-3067
If you Enforce GlobalProtect for Network Access and you specify the On-demand connect method in a GlobalProtect portal agent configuration, the agent will not display the traffic blocking notification message until after users connect to the portal. To ensure that the GlobalProtect agent displays the traffic blocking notification as soon as a user logs in to the endpoint, use the User-logon or a Pre-logon connect method instead of the On-demand method.
GPC-2994
If you Enforce GlobalProtect for Network Access in a GlobalProtect portal agent configuration and then you downgrade from a GlobalProtect agent 3.1 or later release to GlobalProtect agent 3.0 or an earlier release on Mac endpoints, the enforcement configuration is not removed and continues to block all traffic. To avoid this issue, Palo Alto Networks recommends that you uninstall the GlobalProtect agent completely and then install the appropriate older GlobalProtect agent release.
GPC-2874
When you Disconnect from GlobalProtect on a Windows 10 UWP endpoint, the Connect button becomes active immediately; however, GlobalProtect fails to establish a new connection if you attempt to connect within 10 seconds of the previous disconnection.
Workaround: To prevent connection issues, wait at least 10 seconds after you disconnect from GlobalProtect before you attempt to reconnect.
GPC-2481
Modified app data restriction configuration values are not pushed to GlobalProtect agents when running in the Android for Work environment if modifying and pushing the configuration from an AirWatch MDM server.
Workaround: On the MDM server, delete the app data restriction you need to modify and then add it back in with the new value.
GPC-2380
When you configure GlobalProtect to run a custom script after establishing a connection and display a notification message when an error occurs, the notification errors do not clear as expected when GlobalProtect switches from an external gateway to an internal gateway. As a result, users must manually dismiss the notification each time they switch between gateways.
GPC-2133
On Android 5.0, when you uninstall and reinstall the GlobalProtect app on a device, the app fails to establish a VPN tunnel during the initial attempt to connect to the external gateway. This issue occurs even after the user gives consent to trust the app to create VPN connections.
Workaround: Reboot the device, launch the GlobalProtect app, and accept the request for user’s consent when prompted to trust the app and allow it to establish a VPN tunnel to the gateway.
GPC-1737
By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic—including traffic to the GP-100 GlobalProtect Mobile Security Manager—to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (in PAN-OS 7.0: Network > GlobalProtect > Gateways > Client Configuration > Network Settings > Access Route; or, in PAN-OS 7.1: Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route):
  • Add 0.0.0.0/0 as an access route.
  • Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.
