WiscVPN - Troubleshooting the PaloAlto GlobalProtect Client (MacOS)

How to identify Global Protect Driver issues on MAC Clients

Issue

After upgrading the Mac GlobalProtect client, the client never connects and just "spins".

Solution

If that doesn't work, try the following: Remove the GlobalProtect Enforcer Kernel Extension

Additional Troubleshooting

Apple added extra layer of complexity in 10.13 and the linked article has all the explanations. OS X blocks signed extensions from loading. It doesn’t load unsigned extensions at all. This is the error message from the logs:

08/22/2018 10:13:17.062325[Error 183]: Failed to load KEXT pangpd_10.9.kext, error sys_libkern:sub_libkern_kext (0x37:0x2:0xd)
    

This approval UI is only present in the Security & Privacy preferences pane for 30 minutes after the alert. Until the user approves the KEXT, future load attempts will cause the approval UI to reappear but will not trigger another user alert. See this Apple page.

Once disabled try to enable the kernel extension for GP under System Preferences > Security & Privacy > General and then by clicking the Allow button. The user then needs to restart after clicking Allow to start the service.

  1. Boot into Recovery Mode. Instructions can be found here.

    • Click on Utilities in the menu bar.
    • Click on Terminal.
  2. run spctl kext-consent add PXPZ95SK77 in the terminal note: PXPZ95SK77 is the unique identifier for Palo Alto Networks

  3. Reboot the MAC system.

  4. Reinstall GlobalProtect.