Script Deployment Options

The following table displays options that enable GlobalProtect to initiate scripts before and after establishing a VPN tunnel and before disconnecting a VPN tunnel. Because these options are not available in the portal, you must define the values for the relevant key—either pre-vpn-connect, post-vpn-connect, or pre-vpn-disconnect—from the Windows registry or Mac plist. For detailed steps to deploy scripts, see Deploy Scripts Using the Windows Registry, Deploy Scripts Using Msiexec, or Deploy Scripts Using the Mac Plist.
Table: Customizable Script Deployment Options
Portal Agent Configuration
Windows Registry/ Mac Plist
Msiexec Parameter
Default
Execute the script specified in the command setting (including any parameters passed to the script).
Environmental variables are supported.
Specify the full path in commands.
command <parameter1> <parameter2> [...]
Windows example:
command %userprofile%\vpn_script.bat c: test_user
Mac example:
command $HOME/vpn_script.sh /Users/test_user test_user
PREVPNCONNECTCOMMAND= ”<parameter1> <parameter2> [...]”
POSTVPNCONNECTCOMMAND= ”<parameter1> <parameter2> [...]”
PREVPNDISCONNECTCOMMAND= ”<parameter1> <parameter2> [...]”
n/a
(Optional) Specify the privileges under which the command(s) can run (default is user: if you do not specify the context, the command runs as the current active user).
context admin | user
PREVPNCONNECTCONTEXT= ”admin | user”
POSTVPNCONNECTCONTEXT= ”admin | user”
PREVPNDISCONNECTCONTEXT= ”admin | user”
user
(Optional) Specify the number of seconds the GlobalProtect client waits for the command to execute (range is 0-120). If the command does not complete before the timeout, the client proceeds to establish or disconnect from the VPN tunnel. A value of 0 (the default) means the client will not wait to execute the command.
Not supported for post-vpn-connect.
timeout <value>
Example:
timeout 60
PREVPNCONNECTTIMEOUT= ”<value>
POSTVPNCONNECTTIMEOUT= ”<value>
PREVPNDISCONNECTTIMEOUT= ”<value>
0
(Optional) Specify the full path of a file used in a command. The GlobalProtect client will verify the integrity of the file by checking it against the value specified in the checksum key.
Environmental variables are supported.
file <path_file>
PREVPNCONNECTFILE= ”<path_file>
POSTVPNCONNECTFILE= ”<path_file>
PREVPNDISCONNECTFILE= ”<path_file>
n/a
(Optional) Specify the sha256 checksum of the file referred to in the file key. If the checksum is specified, the GlobalProtect client executes the command(s) only if the checksum generated by the GlobalProtect client matches the checksum value specified here.
checksum <value>
PREVPNCONNECTCHECKSUM= ”<value>
POSTVPNCONNECTCHECKSUM= ”<value>
PREVPNDISCONNECTCHECKSUM =”<value>
n/a
(Optional) Specify an error message to inform the user that the command(s) cannot execute or if the command(s) exited with a non-zero return code.
The message must be 1,024 or fewer ANSI characters.
error-msg <message>
Example:
error-msg Failed executing pre-vpn-connect action!
PREVPNCONNECTERRORMSG= ”<message>
POSTVPNCONNECTERRORMSG= ”<message>
PREVPNDISCONNECTERRORMSG =”<message>
n/a

Related Documentation