Logon script for Global Protect

We are just starting to test GP with a logon script to map drives and the post vpn connect doesn't work. We followed this site, https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/deploy-app-settings-to-windows-endpoints/deploy-scripts-using-the-windows-registry.html and it doesn't seem to call the script. I opened a ticket with Palo and they said maybe the script is too complex.

I created a simple batch file on the local desktop, echo hello pause, and that doesn't work, to prove to the Palo rep that it is not the complexity that is causing it.

In the registry, I have this key,

HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect

Then I added string value command and the data was c:\users\guest\desktop\test.bat

Does anyone know how to get GP to run a script AFTER VPN is connected?

Thanks

I’m going to guess that you need to use “cmd.exe /c c:\users\guest\desktop\test.bat”

Hi,

Did you finally make it work?

Regards

What did you do to make it work?

Not OP, but it shouldn’t be complicated to make it work. The tricky parts can be making sure that the command path is correct and if it contains spaces, to use quotation marks, and to run it under the correct context.

Here’s our registry entries for both pre-connect and post-connect. We use pre-connect to map drives, so this is run in the user context - the script itself starts with a ping command that waits until a connection to our file server is established. That’s because the post-connect does other things that absolutely need admin privileges and the connection to already be established. So both scripts need an active GP connection, but one of them is forced to use that ping workaround.

Registry entries:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect]
"command"="\"C:\\Program Files\\Palo Alto Networks\\post_vpn_connect.bat\""
"context"="admin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect]
"command"="\"C:\\Program Files\\Palo Alto Networks\\pre_vpn_connect.bat\""
"context"="user"

The entries look “normal” in the registry, no double backslashes or anything. Basically like this:
"C:\Program Files\Palo Alto Networks\post_vpn_connect.bat"
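
A check that follows from the points above about path, quoting and context, added here as an example and not part of the thread or of Palo Alto's documentation: it reads the two registry keys shown above, confirms each `command` value resolves to an existing file, and for `context` = `admin` lists any account outside a trusted set that can modify that file. The trusted identity names are an assumption (English-locale Windows); adjust them for your environment.

```powershell
# Added example: audit the GlobalProtect script entries discussed in this thread.
$base = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'

# Assumption: only these identities should be able to change an admin-context script.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

# Rights that allow changing the file's content, deleting it, or rewriting its ACL.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

foreach ($name in 'pre-vpn-connect', 'post-vpn-connect') {
    $key = Join-Path $base $name
    if (-not (Test-Path -LiteralPath $key)) { "[$name] key not present"; continue }

    $props   = Get-ItemProperty -LiteralPath $key
    $command = ([string]$props.command).Trim()
    $context = [string]$props.context
    if ([string]::IsNullOrWhiteSpace($command)) { "[$name] no 'command' value"; continue }
    "[$name] context='$context' command=$command"

    # A quoted value names the file unambiguously; otherwise use the whole string if it
    # is a file, or else the first token (e.g. cmd.exe followed by its arguments).
    if ($command -match '^"([^"]+)"') {
        $path = $Matches[1]
    } elseif (Test-Path -LiteralPath $command -PathType Leaf) {
        $path = $command
        if ($path -match '\s') { "  WARN  path contains spaces but is not quoted" }
    } else {
        $path = ($command -split '\s+')[0]
    }

    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        "  WARN  '$path' is not an existing file at a full path"
        continue
    }

    # A script that runs elevated must not be editable by unprivileged accounts.
    if ($context -eq 'admin') {
        $risky = (Get-Acl -LiteralPath $path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        }
        foreach ($ace in $risky) {
            "  WARN  $($ace.IdentityReference) can modify this file: $($ace.FileSystemRights)"
        }
        if (-not $risky) { "  OK    only trusted identities can modify the file" }
    }
}
```

A script under `C:\Program Files` normally inherits an ACL that only administrators can write to, while one on a user's desktop is writable by that user, which matters as soon as the entry runs with `context` set to `admin`.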