Overview
GlobalProtect and Prisma Access are Palo Alto's remote access solutions โ GlobalProtect for on-premise NGFW-hosted VPN, and Prisma Access for cloud-delivered ZTNA/VPN. Both use the same agent but the infrastructure behind them is fundamentally different. GlobalProtect terminates tunnels on a firewall you manage; Prisma Access terminates on Palo Alto's cloud infrastructure and applies policy through Panorama-managed configuration. When either breaks, the symptoms look the same to the user โ the client connects but traffic doesn't flow, or the client fails to connect at all. This guide covers the architecture, configuration best practices, and a systematic troubleshooting workflow for both platforms.
// GlobalProtect Architecture โ Portal, Gateway, and HIP Flow
Part 1 โ Architecture: Portal vs Gateway
The most common misconception is treating the Portal and Gateway as the same thing. They are separate components with different roles:
- Portal โ the configuration server. The GP agent connects to the portal on TCP 443 first to authenticate and download its configuration (gateway list, tunnel settings, HIP profile definitions, split tunnel rules). The portal does NOT carry user traffic.
- Gateway โ the tunnel termination point. After downloading config from the portal, the agent establishes an IPSec or SSL tunnel to the gateway. All user traffic flows through the gateway. The gateway enforces security policy and HIP checks.
- HIP (Host Information Profile) โ device posture enforcement. The gateway collects HIP data from the agent (AV status, patch level, disk encryption, domain membership) and matches it against HIP profiles to allow or restrict access.
In many deployments the portal and gateway run on the same firewall interface โ but they are configured separately and can fail independently.
Part 2 โ Configuration Best Practices
Portal Configuration
# Key portal settings to verify:
# Network > GlobalProtect > Portals > [portal] > Agent tab
#
# 1. Gateway list โ must include all gateways the agent should try
# Priority: lower number = tried first
# Manual vs Automatic: use Automatic for multi-gateway with load balancing
#
# 2. Authentication profile โ must match what LDAP/RADIUS/SAML returns
# Always test auth profile before deploying GP
#
# 3. Config selection criteria โ controls WHICH config gets pushed to agent
# Use OS type + user group to push different configs per platform
# Windows: full tunnel + HIP
# Mobile: split tunnel + certificate auth only
Gateway Configuration
# Network > GlobalProtect > Gateways > [gateway] > Agent tab
#
# Tunnel settings:
# Tunnel Mode: tunnel (recommended โ full tunnel or split tunnel)
# Enable IPSec: YES โ IPSec is faster than SSL; SSL is fallback only
# Preferred IP family: IPv4
#
# IP pool (client address assignment):
# Assign a dedicated subnet โ never overlap with existing internal subnets
# Size pool for peak concurrent users ร 1.5 (accounts for reconnects)
# Example: /22 supports ~1000 concurrent users with headroom
#
# DNS:
# Assign internal DNS servers โ critical for split-tunnel to resolve internal FQDNs
# Suffix: add corp.com, internal.corp.com
#
# Split tunnel (if used):
# Include routes: internal subnets only (10.0.0.0/8, 172.16.0.0/12)
# Exclude: SaaS app IPs (O365, Zoom) to avoid backhauling cloud traffic
Split Tunnel Design
# Full tunnel: all traffic goes through GP (most secure, most bandwidth)
# Split tunnel: only corporate traffic goes through GP (recommended for performance)
#
# Split tunnel include routes (traffic sent through GP tunnel):
# 10.0.0.0/8 โ all internal RFC1918
# 172.16.0.0/12 โ all internal RFC1918
# 192.168.0.0/16 โ all internal RFC1918
# corp.com โ domain suffix (DNS-based split tunnel)
#
# Split tunnel exclude routes (traffic bypasses GP):
# Microsoft O365 IP ranges (published by Microsoft)
# Zoom / Webex / Teams media IPs
# Note: Palo Alto Prisma Access has built-in SaaS optimization for this
Part 3 โ HIP Profile Best Practices
HIP profiles are the device posture engine. A poorly configured HIP profile will silently block all users who don't meet the criteria.
# Objects > GlobalProtect > HIP Objects
# Build HIP objects first, then combine into HIP profiles
#
# Recommended HIP objects for corporate devices:
# HIP-AV-Current: Anti-malware enabled AND definitions < 3 days old
# HIP-DiskEnc: Disk encryption enabled (FileVault/BitLocker)
# HIP-DomainJoined: Member of corp.com domain (Windows only)
# HIP-PatchLevel: Patch age < 30 days
#
# HIP Profile: CORPORATE-COMPLIANT
# Match if ALL of: HIP-AV-Current AND HIP-DiskEnc AND HIP-DomainJoined
#
# HIP Profile: BYOD
# Match if: HIP-AV-Current (relaxed โ no domain join required)
#
# Security policy referencing HIP:
# Rule 1: from GP-Zone, HIP=CORPORATE-COMPLIANT โ allow full internal access
# Rule 2: from GP-Zone, HIP=BYOD โ allow restricted (DMZ apps only)
# Rule 3: from GP-Zone, HIP=any โ deny + log (non-compliant device)
Part 4 โ Prisma Access Specifics
Prisma Access uses the same GP agent but the gateway is in Palo Alto's cloud. Key differences from on-premise GlobalProtect:
Prisma Access Service Connection
The service connection is the tunnel between Prisma Access cloud and your on-premise data center. Without it, GP users on Prisma can reach the internet but cannot reach internal resources.
# Prisma Access service connection requirements:
# 1. IPSec tunnel from on-prem firewall to Prisma Access infrastructure IP
# 2. BGP session over the tunnel to advertise internal prefixes into Prisma
# 3. Return traffic: Prisma advertises GP client pool IPs to on-prem
#
# On-prem firewall (service connection termination):
# IKE gateway โ Prisma infrastructure IP (provided in SCM/Panorama)
# IPSec tunnel โ pre-shared key or certificate
# BGP: advertise 10.0.0.0/8 (or specific internal subnets) to Prisma
# BGP: receive GP client pool subnet from Prisma (e.g., 100.64.0.0/10)
#
# Common mistake: NAT on the service connection tunnel
# Do NOT NAT traffic going over the service connection
# Internal servers see GP client IPs โ ensure return route exists
Part 5 โ Troubleshooting: Step-by-Step
Step 1 โ Agent Cannot Connect to Portal
# Agent error: "Unable to connect to the portal"
# or: "Portal not responding" / "Certificate error"
#
# Check 1: DNS resolution from client
C:\> nslookup portal.corp.com
# Must resolve to the portal external IP
# Check 2: TCP 443 reachability from client
C:\> Test-NetConnection portal.corp.com -Port 443
# TcpTestSucceeded must be True
# Check 3: Certificate โ GP agent checks portal cert CN/SAN
# Portal cert must match the FQDN the agent is connecting to
# Self-signed certs cause "certificate error" unless pre-trusted by agent
# Check 4: On the firewall โ is the management profile allowing GP?
# Network > Interfaces > [interface] > Advanced > Management Profile
# GlobalProtect must be checked
# Check 5: Firewall logs
admin@FW> show log system direction equal forward | match globalprotect
admin@FW> show log traffic dst-addr equal [portal-IP] proto equal 6 dport equal 443
Step 2 โ Authentication Failures
GlobalProtect Gateway: gw.corp.com
Total current users: 3
Username Domain Computer VPN-IP Tunnel Login-Time
jsmith CORP CORP-LT-0042 10.200.0.14 IPSec 09:14:22
acruz CORP CORP-LT-0019 10.200.0.27 IPSec 08:51:07
blee CORP CORP-LT-0088 10.200.0.31 SSL 10:02:44
admin@FW> show user server-monitor state all
LDAP: ldap.corp.com:636 Status: connected Last-update: 0s ago
RADIUS: 10.10.1.50:1812 Status: connected Last-update: 12s ago
admin@FW> show log system subtype equal globalprotect direction equal backward rows equal 5
2024/11/14 10:01:12 GP auth failed: user=blee reason=HIP check pending gw=gw.corp.com
2024/11/14 10:02:44 GP user login: user=blee ip=10.200.0.31 tunnel=SSL gw=gw.corp.com
# Agent error: "Authentication failed" / "Invalid credentials" / "MFA timeout"
#
# Check 1: Test the auth profile directly on the firewall
admin@FW> test authentication authentication-profile [PROFILE-NAME] username [user] password
# Check 2: LDAP/RADIUS server connectivity
admin@FW> show user server-monitor state all
# All configured auth servers must show "connected"
# Check 3: SAML (if using Azure AD / Okta)
# Verify IdP metadata is current in Device > Server Profiles > SAML Identity Provider
# Check certificate expiry on the IdP metadata
# Verify ACS URL matches exactly: https://portal.corp.com/SAML20/SP/ACS
# Check 4: User-ID mapping (if using domain auth)
admin@FW> show user ip-user-mapping all
admin@FW> show user group-mapping state all
# Check 5: GP system logs
admin@FW> show log system subtype equal globalprotect direction equal backward
Step 3 โ Tunnel Connects but No Traffic Flows
This is the most common issue โ the agent shows "Connected" but users cannot reach internal resources.
# Check 1: Verify tunnel is actually up and IP was assigned
# On client โ check GP agent "Connection Details"
# Should show: virtual IP, gateway name, tunnel type (IPSec preferred)
C:\> ipconfig /all
# Look for "PANGP Virtual Ethernet Adapter" with a valid IP in the GP pool range
# Check 2: Routing โ is traffic actually going into the tunnel?
C:\> route print
# For full tunnel: 0.0.0.0 route should point to GP adapter
# For split tunnel: internal subnets should route via GP adapter
# Check 3: On the firewall โ is the GP session visible?
admin@FW> show globalprotect-gateway current-user
admin@FW> show globalprotect-gateway current-user user [username]
# Check 4: Security policy โ is traffic hitting the right rule?
admin@FW> show log traffic from-zone GP-Zone action equal deny | last 20
# If traffic is being denied โ identify the rule and fix
# Check 5: HIP โ is the device failing posture check?
admin@FW> show globalprotect-gateway current-user | match hip
# HIP-compliant: yes = device passed posture
# HIP-compliant: no = device is being blocked by HIP policy
# Check 6: DNS โ can the client resolve internal names?
C:\> nslookup internal-server.corp.com
# Must use internal DNS server (assigned by gateway)
# If resolving via public DNS โ DNS suffix or DNS proxy config issue
Step 4 โ IPSec vs SSL Fallback Issues
# GP tries IPSec (UDP 4501/4500) first, falls back to SSL (TCP 443) if blocked
# SSL-only connections work but are slower โ identify why IPSec is failing
#
# On client โ check GP connection details for tunnel type
# Tunnel Type: IPSec = good
# Tunnel Type: SSL = IPSec blocked, investigate
#
# Check UDP 4501 from client to gateway
C:\> Test-NetConnection gateway.corp.com -Port 4501
# If TcpTestSucceeded = False: hotel/ISP firewall blocking IPSec
# Solution: ensure SSL fallback is enabled in gateway config
# Or: use IPSec over TCP 443 (IPSec-over-SSL) for captive portal compatibility
Step 5 โ Prisma Access Specific Issues
# Prisma: user connects to cloud but cannot reach internal resources
# Root cause: service connection issue between Prisma cloud and on-prem DC
#
# Check 1: Service connection tunnel status (Panorama / Strata Cloud Manager)
# Prisma Access > Service Connections > [connection name]
# Tunnel should show: Active, BGP: Established
#
# Check 2: On-prem firewall service connection tunnel
admin@FW> show vpn ike-sa gateway [prisma-ike-gw]
admin@FW> show vpn ipsec-sa tunnel [prisma-tunnel]
# Both should show active/established
#
# Check 3: BGP over service connection
admin@FW> show routing protocol bgp peer
# Prisma BGP peer must be Established
# Received prefixes: should include GP client pool (100.64.x.x or configured range)
# Advertised prefixes: should include internal subnets
#
# Check 4: Security policy โ traffic from Prisma GP users
# Source zone: trust (arrives via service connection tunnel)
# Source IP: GP client pool IP (100.64.x.x)
# Ensure policy allows this source to reach internal destinations
Step 6 โ GP Logs and Packet Capture
# Firewall โ GlobalProtect system logs (most useful for auth/connection issues)
admin@FW> show log system subtype equal globalprotect
admin@FW> show log system subtype equal globalprotect severity equal critical
# Active GP users and their stats
admin@FW> show globalprotect-gateway current-user
admin@FW> show globalprotect-portal current-user
# Detailed user info including HIP, IP, tunnel type
admin@FW> show globalprotect-gateway current-user user [username] detail
# Client-side GP logs โ critical for diagnosing connection failures
# Windows: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log
# Mac: /Library/Logs/PaloAltoNetworks/GlobalProtect/PanGPS.log
# Enable debug level: GP agent > Settings > Enable Debug Logging
# Key strings to search: "portal", "gateway", "hip", "ipsec", "error"
# Packet capture on the firewall (if traffic path unclear)
admin@FW> debug dataplane packet-diag set filter match source [client-GP-IP] destination [internal-server]
admin@FW> debug dataplane packet-diag set log on
admin@FW> debug dataplane packet-diag show setting
admin@FW> debug dataplane packet-diag show log
Quick Reference โ Common GP Issues
GlobalProtect / Prisma Hardening Checklist
- Portal and gateway use a valid CA-signed certificate โ not self-signed โ matching the FQDN
- Certificate expiry monitoring in place โ alert at 30 days before expiry
- Authentication uses MFA โ password-only auth is not acceptable for remote access
- HIP profiles enforce minimum AV, patch level, and disk encryption before granting access
- Security policy has an explicit deny + log rule for HIP non-compliant devices (do not rely on implicit deny)
- Split tunnel is configured for SaaS exclusions โ O365, Zoom, Webex bypass the tunnel
- GP IP pool does not overlap with any internal subnet โ overlaps cause silent routing failures
- Internal DNS servers are pushed via gateway โ without this, split tunnel users cannot resolve internal FQDNs
pre-logonis enabled for domain-joined Windows machines โ ensures machine cert auth before user login- Prisma service connection has redundant tunnels โ primary and secondary to different on-prem firewalls
- All GP/Prisma events are forwarded to SIEM โ failed auth, HIP failures, and disconnects are alerting
Part 7 โ Deep Client-Side Troubleshooting
Client-side issues are the hardest to diagnose remotely because you can't run commands on the firewall that directly show what the client is experiencing. This section covers systematic client-side diagnosis across Windows and macOS, log collection, network-level debugging, and common client OS problems.
Client Diagnostic Flow โ Start Here
Before diving into logs, collect these facts from the user:
## Windows โ collect all at once
C:\> ipconfig /all # Check PANGP adapter IP, DNS servers
C:\> route print # Check routing table for GP routes
C:\> nslookup corp-server.corp.com # Does internal DNS resolve?
C:\> ping 10.0.1.1 # Can you reach internal gateway?
C:\> tracert 10.0.1.1 # How many hops? Which interface?
C:\> netstat -an | findstr 4501 # Is IPSec UDP socket open?
C:\> netstat -an | findstr 443 # Is SSL connection active?
## macOS โ equivalent commands
$ ifconfig | grep -A5 utun # GP tunnel interface (utun0, utun1, etc.)
$ netstat -rn # Routing table
$ scutil --dns # DNS resolver configuration
$ ping -c4 10.0.1.1 # Internal reachability
$ traceroute 10.0.1.1 # Path check
Reading the PanGPS Client Log
The GP agent log is the primary diagnostic tool for client-side issues. Know where to find it and what to search for:
## Log locations
# Windows: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log
# macOS: /Library/Logs/PaloAltoNetworks/GlobalProtect/PanGPS.log
# Linux: /var/log/PanGPS.log
## Enable debug logging (do this BEFORE reproducing the issue)
# Windows: GP agent > Settings icon > Enable Debug Logging (checkbox)
# macOS: Same location in GP agent settings
# Note: debug log is verbose โ disable after collection
## Key strings to search in PanGPS.log:
#
# "Portal auth" โ portal authentication attempts and results
# "SSL connection" โ SSL handshake to portal/gateway
# "IKE" โ IPSec IKE negotiation
# "HIP report" โ HIP data collection (what was sent to firewall)
# "HIP match" โ result of HIP profile evaluation
# "Tunnel mode" โ which tunnel type was established (IPSec vs SSL)
# "disconnect" โ why the session ended
# "error" โ any error conditions
# "certificate" โ cert validation results
## Quick grep commands to find the important lines fast:
$ grep -i "error\|fail\|disconnect\|denied" PanGPS.log | tail -50
$ grep -i "hip" PanGPS.log | tail -20
$ grep -i "tunnel\|ipsec\|ssl" PanGPS.log | tail -20
Client Issue: "Connecting..." Spinner That Never Resolves
## This means the agent sent the auth request and is waiting for a response
# Most common causes: MFA timeout, SSO/SAML redirect issue, captive portal
## Check 1: Is a captive portal blocking the initial HTTPS connection?
C:\> curl -v https://portal.corp.com/global-protect/prelogin.esp
# Expected: HTTP 200 with XML response
# If redirected to hotel/airport login page: captive portal is intercepting
# Fix: connect to hotspot login page first, then re-connect GP
# GP has a built-in captive portal detection (opens browser automatically on newer versions)
## Check 2: SAML authentication spinning
# GP opens an embedded browser for SAML โ if IdP is slow or MFA times out, spinner hangs
# PanGPS.log will show: "SAML auth started" but no "SAML auth complete"
# Fix: Check if user completed MFA within the timeout window
# Firewall fix: increase SAML authentication timeout in auth profile
# Network > GlobalProtect > Portals > [portal] > Authentication > Timeout
## Check 3: DNS not resolving the portal FQDN
C:\> nslookup portal.corp.com 8.8.8.8
# If NXDOMAIN or wrong IP: DNS issue (split-DNS, DNS filtering, ISP interference)
# Try: GP agent > Settings > enter portal IP address directly instead of FQDN
Client Issue: "Agent Disconnects After a Few Minutes"
## PanGPS.log will show disconnect reason โ find it first
$ grep -i "disconnect\|reconnect\|keepalive\|DPD\|timeout" PanGPS.log | tail -30
## Cause A: NAT keepalive timeout (most common in hotel/home networks)
# NAT device times out idle UDP 4501 entries after 30โ60 seconds
# Symptom: PanGPS.log shows "DPD timeout", session dies after ~30-60s of inactivity
# Fix on firewall: reduce IPSec keepalive interval
# Network > GlobalProtect > Gateways > [gw] > Agent > Tunnel Settings
# IPSec keepalive: set to 10 seconds (default is 30 โ too long for aggressive NATs)
## Cause B: MTU mismatch causing IPSec tunnel blackhole
# Large packets get dropped silently โ agent reconnects, works briefly, drops again
# Test: ping with large payload through tunnel
C:\> ping 10.0.1.1 -f -l 1400 # -f = don't fragment, -l = size
# If this fails but ping without -f works: MTU issue confirmed
# Fix on firewall: set tunnel MTU to 1350 in gateway config
# Or: enable TCP MSS clamping on the gateway interface
$ ping -c4 -M do -s 1400 10.0.1.1 # macOS/Linux equivalent
## Cause C: SSO token expiry forcing re-auth
# SAML/Kerberos token expires mid-session โ gateway terminates tunnel
# PanGPS.log shows: "authentication cookie expired" or "re-authentication required"
# Fix: increase authentication cookie lifetime in portal config
# Network > GlobalProtect > Portals > [portal] > Agent > Authentication
# Cookie lifetime: 24 hours for corporate devices (default is often 3 hours)
Client Issue: Connected but Can't Access Specific Internal Resources
## This is the most nuanced client-side issue โ isolate layer by layer
## Layer 1: Is the route to the resource in the client routing table?
C:\> route print | findstr 10.10.5 # look for specific subnet
# If missing: resource is in a subnet not covered by GP split tunnel config
# Fix: add missing subnet to gateway split tunnel include routes
## Layer 2: Does DNS resolve the resource hostname?
C:\> nslookup app-server.corp.com
# Should resolve to an internal IP via internal DNS
# If "can't find server" or resolves to public IP: DNS suffix or DNS server issue
# Check what DNS server is in use:
C:\> ipconfig /all | findstr "DNS Servers"
# GP adapter should show internal DNS (e.g., 10.0.0.53)
# If showing 8.8.8.8 or ISP DNS: gateway is not pushing DNS config
## Layer 3: Can you reach the IP directly (bypass DNS)?
C:\> ping 10.10.5.25 # use raw IP of resource
# If ping to IP works but FQDN fails: DNS-only issue (see Layer 2)
# If ping to IP also fails: routing or firewall policy issue
## Layer 4: Traceroute to see where packets stop
C:\> tracert 10.10.5.25
# Hop 1 should be the GP gateway (internal IP in your tunnel))
# If packets stop at gateway: firewall policy blocking traffic
# If packets reach wrong hop: routing issue on firewall or internal network
## Layer 5: On the firewall โ find the actual deny
admin@FW> show log traffic from-zone GP-Zone dst-addr 10.10.5.25 action equal deny
# Identify which rule is blocking and why (zone, HIP, user-group)
Client Issue: HIP Check Failures โ Deep Dive
## The HIP report is what the GP agent sends to the gateway about device health
# View the raw HIP report the agent is sending:
# Windows: C:\Users\{user}\AppData\Local\Temp\hip-report.xml
# macOS: /tmp/hip-report.xml
# This XML shows exactly what AV product, version, definition date, etc. was detected
## Common HIP failure: AV product name mismatch
# The HIP object on the firewall must match the exact product name GP detects
# Check hip-report.xml for the detected AV product name
# Example: Firewall HIP says "Windows Defender" but XML shows "Microsoft Defender Antivirus"
# Fix: match exact product name from XML in the HIP object definition
## Common HIP failure: AV definitions too old
# Check hip-report.xml for: <real-time-protection> and <last-full-update> timestamps
# Compare to HIP object threshold
# Fix: update AV definitions on client, or relax the age threshold in HIP object
## Check HIP match result on the firewall for a specific user
admin@FW> show globalprotect-gateway current-user user jsmith
# Shows: HIP-compliant: yes/no, and which HIP profile matched
## Check what HIP data was received from the client
admin@FW> show globalprotect-gateway hip-report user jsmith
# Full HIP report as received from this specific client
## Windows: Force HIP re-check without reconnecting
# GP agent > Settings > ... > Resubmit Host Profile
# Or: disconnect and reconnect โ HIP is checked at tunnel establishment
## macOS: Force GP restart (clears cached HIP state)
$ sudo launchctl stop com.paloaltonetworks.gp.pangps
$ sudo launchctl start com.paloaltonetworks.gp.pangps
Client Issue: Certificate Errors
## Error: "SSL certificate verification failed" or "Certificate error"
## Cause A: Portal/gateway cert signed by internal CA not trusted by client
# Fix: deploy internal CA root cert via GPO (Windows) or MDM (macOS/mobile)
# The root CA that signed the portal/gateway cert must be in the client's trusted store
## Cause B: Certificate CN/SAN mismatch
# The cert must have a SAN matching exactly what the agent connects to
# Example: agent configured with "vpn.corp.com" but cert only has CN=portal.corp.com
# Fix: reissue cert with correct SAN entry
## Cause C: Expired certificate
# Check cert expiry on Windows:
C:\> certutil -verify -urlfetch portal.corp.com
# Or: open browser to portal URL, click padlock โ Certificate โ Expiry date
# Check cert expiry on macOS:
$ echo | openssl s_client -connect portal.corp.com:443 2>/dev/null | openssl x509 -noout -dates
## Cause D: Machine certificate for pre-logon not found
# Pre-logon uses a machine certificate โ if cert is missing or expired, pre-logon fails
# Windows: check cert store
C:\> certutil -store LocalMachine My | findstr "corp.com"
# Must show a valid machine certificate issued by your internal CA
# If missing: run GPO to re-enroll, or manually re-enroll via certmgr.msc
Client Issue: GP Agent Reinstall / Reset Procedure
When all else fails, a clean reinstall often resolves persistent client-side issues caused by corrupted config, stale certificates, or broken driver state.
## Windows โ clean reinstall procedure
# 1. Disconnect GP and close the agent
# 2. Uninstall GlobalProtect from Add/Remove Programs
# 3. Delete residual files and registry:
C:\> rmdir /s /q "C:\Program Files\Palo Alto Networks\GlobalProtect"
C:\> rmdir /s /q "C:\ProgramData\Palo Alto Networks"
C:\> rmdir /s /q "%APPDATA%\Palo Alto Networks"
# 4. Delete PANGP virtual adapter if still present:
C:\> devmgmt.msc โ Network adapters โ PANGP Virtual Ethernet โ Uninstall
# 5. Reboot, then reinstall GP agent MSI
## macOS โ clean reinstall procedure
$ sudo /Applications/GlobalProtect.app/Contents/Resources/uninstall_gp.sh
$ sudo rm -rf /Library/Application\ Support/PaloAlto
$ sudo rm -rf /Library/Logs/PaloAltoNetworks
$ sudo rm -rf /var/log/PanGP*
# Reboot, then reinstall from portal download page:
# https://portal.corp.com/global-protect/getmsi.esp (Windows MSI)
# https://portal.corp.com/global-protect/getpkg.esp (macOS PKG)
## Reset GP config only (without reinstall) โ Windows
# Clears saved credentials and config cache
C:\> del /f /q "%APPDATA%\Palo Alto Networks\GlobalProtect\*"
# Then relaunch GP agent โ it will re-download config from portal