Windows - Software - Configure Palo Alto GlobalProtect

What the GlobalProtect configuration Worklet does

This Automox Worklet™ deploys and configures Palo Alto GlobalProtect on Windows endpoints. During evaluation, the Worklet checks both the installation status and the portal configuration. If GlobalProtect is not installed, the Worklet installs it using your provided MSI files and automatically configures the portal setting.

If GlobalProtect is already installed, the Worklet verifies that the Portal registry value matches your desired configuration. If the portal setting differs from what is configured, the Worklet updates the registry and restarts the PanGPS service to apply the changes immediately.

The Worklet supports both 32-bit and 64-bit endpoints by checking the system architecture and selecting the appropriate installer. This dual-architecture support ensures you can manage GlobalProtect deployments across heterogeneous Windows environments with a single Worklet.

Why configure GlobalProtect across your network

GlobalProtect provides secure VPN connectivity to your corporate network resources, protecting data in transit and controlling access to sensitive systems. When endpoints have inconsistent or missing GlobalProtect configurations, users may connect through unauthorized portals or lack VPN protection, creating security gaps.

Automating GlobalProtect deployment and configuration through this Worklet ensures every endpoint uses the correct portal URL set by your security team. You reduce support tickets from users with connection issues and eliminate the manual effort required to install and configure GlobalProtect on hundreds or thousands of endpoints.

This Worklet integrates with your existing Automox deployment to maintain compliance with your organization's VPN policies and reduces the attack surface by verifying all endpoints use approved GlobalProtect instances.

How GlobalProtect installation and configuration works

1. Evaluation phase: The Worklet checks the Windows registry in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for GlobalProtect using both 32-bit and 64-bit registry views. If GlobalProtect is found, the Worklet reads the Portal value from HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup and compares it to your configured portal URL. If GlobalProtect is missing or the portal setting does not match, the endpoint is flagged for remediation.

2. Remediation phase: If GlobalProtect is not installed, the Worklet executes the appropriate 32-bit or 64-bit MSI installer with the Portal parameter set to your organization's gateway URL. The installer runs silently and accepts exit codes 0 (success) and 3010 (success with reboot required). If GlobalProtect is already installed but the Portal setting does not match, the Worklet updates the registry key and restarts the PanGPS service to apply the new configuration without requiring an endpoint reboot.

GlobalProtect configuration requirements

• Windows 8 or later (Windows 10, Windows 11, Server 2012 R2 or later)

• PowerShell version 4 or later

• Administrator privileges required for installation and registry modifications

• GlobalProtect MSI installers for both 32-bit and 64-bit architectures uploaded to the Worklet

• Portal URL configured as the $Portal variable value (e.g., mynewportal.test.com)

• Installer filenames specified as $32bitFilename and $64bitFilename variables

• Network connectivity to download installers from the Worklet repository

Expected GlobalProtect endpoint state

After this Worklet successfully remediates an endpoint, GlobalProtect will be installed on Windows workstations and servers, with the PanGPS service running and configured to connect to your organization's portal. Users can launch GlobalProtect from the system tray and will automatically connect to the correct portal without needing to manually enter the gateway address. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

The Portal registry key at HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup will show your configured portal URL, and the PanGPS service will be active. If you later need to change the portal URL, running this Worklet again with an updated portal parameter will update all endpoints that have not yet been configured with the new value, verifying your VPN infrastructure remains synchronized across your entire endpoint fleet.

How to validate configure palo alto globalprotect changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for configure palo alto globalprotect.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Get-ChildItem, Get-ItemProperty, Where-Object.

4. Validate remediation effects from script operations such as Split-Path, Get-ChildItem, Get-ItemProperty, then rerun evaluation for compliance.