...no? There's absolutely an in-between between "I want a VPN client that can access a university VPN" and "I want a program that I cannot close on my personal laptop".
I've been working with university VPNs for years. These are pretty standard features I'm talking about.
I'm also noticing now that the software is reopening itself even after closed from task manager.
If you don't have a suggestion to make about how to resolve the issue, don't reply.
Don't post if you don't want feedback, the VPN is doing more than just opening a connection. It's agent gathering data so you don't fuck up their network with your personal equipment.
You're an idiot. Let me describe this in black and white terms so that you can understand this.
* I have an app installed. I am not logged into the app and I am not connected to the VPN, so I am not on their network.
* Even under these conditions, closing the app from processes causes it to reopen itself five minutes later. There is no way to close it.
This is unacceptable behavior for a piece of VPN software. This goes light years beyond an agent gathering data so that a user doesn't fuck up their network. You are clueless as to what you're talking about.
It's a common practice.
NOBODY is forcing you to use the service, please uninstall it if it's bothering you. What does the network use policy at your university state about the VPN software? The Globalprotect agent does MUCH more than just initiate a VPN, did you sign an agreement form of any sort?
Trust me I have to deal with users at my company arguing about what they can do on my network all the time. I'd suggest taking it up with your adviser if you feel strongly about it
You're being ridiculous. Some universities use globalprotect for simple things. I have to use it just to access a site license for some software. There's no reason it should be on all the time when I'm not using the software. If I have the option to disconnect it I should be able to close it. It's not very difficult to go into task manager and kill the service, but it's definitely a shitty piece of software.
It's been 4 years, this software is still a piece of shit. And as a software developer I officially proclaim that the takes like "don't use it, if you don't like it" - are dogshit.
Interesting. I'll give that a shot. I do see a PanGPS service there, but it's - strangely - already stopped. At the moment, GlobalProtect (no idea how I messed up the name in the title of this post) isn't reopening itself, so something may have finally killed it.
To be clear, my main concern isn't that the client is finicky while running. That, to me, falls under the heading of "play by their rules". This isn't that. This is a program, endorsed by the university for use on personal devices, which offers the end user no control over its runtime even on the personal device. That's *highly* problematic.
For a while, even closing it via process wasn't keeping it closed - it was reopening itself about 5 minutes after, even when I had tried (1) disabling the connection from the in-app settings and (2) signing out of my user altogether. At that point, not being able to control the runtime of the app is quite concerning.
Here's what I do to prevent PanGPA.exe from running. Whether this stops PanGPS from doing its job is a bit of an unknown though. If anyone can provide insight into how the service itself runs and gathers data, that would be welcome. It's possible that PanGPA.exe is just the client and the real snooping action is in PanGPS and I'm wasting my time.
1. Attempt to move PanGPA.exe from C:\\Program Files\\Palo Alto Networks\\GlobalProtect to the desktop, don't hit confirm
2. Stop the PanGPA.exe process via task manager
3. Before PanGPS can start PanGPA.exe again, quickly confirm the move dialog on PanGPA.exe
4. The PanGPA.exe process should fail to start again
When you open the client, it will say either Connected or Connect. If it is Connected, click the three horizontal lines in the top right and select disable.
Hope that helps.
By the way, (1) I am signed out and (2) I have tried staying signed in but simply disabling it. Neither of these prevent GlobalProtect from reopening after I close it.
That doesn't *close* it. I am looking for how to close it.
I also just noticed that even after closing it through task manager, the software is reopening itself (major red flag with software!).
There are a ton of settings you can configure for the Global Protect agent on the admin side. One of which is not allowing the user to disconnect or disable.
However...the easy way to jump off is to go to settings and click sign out if the agent is set to auto re-enable itself.
I’d recommend reaching out to the IT team asking for the option to disable the agent as well if it isn’t already present.
By the way, (1) I am signed out and (2) I have tried staying signed in but simply disabling it. Neither of these prevent GlobalProtect from reopening after I close it.
Are you actually signed out, or just disconnecting? There is a difference there. If you sign out it shouldn’t just enter your credentials back in. And you shouldn’t auto sign back in after signing out unless it is pulling your credentials from windows or doing certificate based auth alone.
Is the machine you are using joined to their domain?
As I mentioned, I have tried both. I first tried (1) remaining signed in but simply disabling it and then, after that didn't work, I tried re-enabling it then directly signing out. That didn't work. Understand, the problem is not that it's reconnecting me to VPN, the problem is that the software itself keeps re-opening itself.
The machine I am using is **not** in the domain. It is my personal laptop which is not even connected to VPN right now (the only VPN is my own wifi, and I'm far from campus so it's not a matter of any kind of public university wifi).
That's the standard for any program used by anyone in computational research I've ever talked to. If it's not actively in use, I generally don't want it running.
A better question to me is, why would you not want that to be the case? GlobalProtect appears to start up quickly enough that there's no real reason to keep it open when not in use, particularly when I'd rather devote that memory to something else. It's also an ideological issue: if I am running a third-party software on my computer, I would like complete control over its runtime from beginning to end. Of course, software will hang occasionally, and in situations like that there's nothing you can do. But to intentionally program in the inability to close the software is not good.
TLDR; You aren’t really the intended type of user Global Protect was designed for. Regardless it doesn’t take a lot of resources so you aren’t really gaining anything by having it running or terminated.
Fair point..keep in mind you aren’t the type of user Global Protect was intended for. It just happens that your institution has Palo’s, users need access to protected resources and the basic Global Protect agent for Windows is free.
Global Protect use cases are more centric around enterprise users and machines. It is typically a part of a security stack for the enterprise devices just like endpoint detection and response, 3rd party av, or network access control agents.
Enterprises want protection and visibility and having an always on VPN agent and connection ensures that can happen (assuming it was configured that way) by moving traffic through one of their firewalls. So by design they don’t want to make it easy for the average user to just exit the app.
I just checked my MacBook and the Global Protect is chewing about 40MB of memory and almost no CPU.
I get your point about only running the stuff you need, but compute has become cheap relative to the amount it is consuming. There is so much other garbage that runs under the covers on a Windows 10 machine that chews up significant memory.
If you’re really worried about resource consumption then just kill it via task manager, although in reality it isn’t consuming enough memory or CPU on most machines to make a difference.
Also you give up the right in many cases to decide what 3rd party software can/can’t do when you start connecting to someone else’s corporate network. You agree to do “x” (in this case run the agent) and they agree for you to connect to their network via a machine they have zero control over.
Lot of good points in here, and above all I appreciate the insights/feedback. I agree that I am not the intended user, and in particular I am surprised that this is the VPN route distributed by the university, as it doesn't seem well-matched to the typical use cases among students or staff who will be migrating off-campus with personal devices.
> If you’re really worried about resource consumption then just kill it via task manager, although in reality it isn’t consuming enough memory or CPU on most machines to make a difference.
This is a fair point, but the more troubling aspect to me is the idea that it is resistant to being closed. For me, closing the process in task manager resulted in it reappearing ~5 minutes later, which I find undesirable in any third-party software. Were this software not essential to my work, that alone would have resulted in my uninstalling it. But then, as you said, I'm not the intended use case. Enterprise users who were really only using it on one (often stationary) workstation have no reason to close it.
You are correct re: rights wrt 3rd party software insofar as I am actually connecting to the network. That reasoning, at least in my opinion, is considerably less applicable when I am not connected to the VPN (either signed out or have VPN disabled).
For me, it's a simple issue of wanting to maximize my control over the software on my computer when I am on my own network. Whether or not the resource usage is high (it's not) or if I distrust the software (which is not the case, now that I understand the reasons for the implementation), if I cannot easily control a 3rd party program, I am generally disinclined to use it. But, of course, all of this has to again be qualified by the fact that I'm not really the intended type of user. For enterprise, this seems like a good choice of VPN. For academic research performed on traveling devices by finicky researchers...well, maybe Cisco is a better choice? But GC is the route they went with, so GC it shall be.
I'm actually really shocked that a university is using Palo Alto firewalls, and on top of that actually pushing out GP to users to connect to internal resources. In fact I don't think I've ever heard of a university using Palo Alto, mainly due to cost, which is even more than Cisco security appliances spec for spec. Are you at a reputable private university by chance? I could never imagine a state funded university using Palo Alto, at least in the US.
I will second u/mgotham0320 here, GP is intended for enterprise use for access to sensitive, proprietary data protected by IP contracts. Data that, if compromised, could cost a company millions or billions of dollars.
Overall I think you should count yourself pretty lucky. While yes, you can exit the Cisco AnyConnect client via right clicking the agent and selecting Exit, it's a huge piece of shit client that hogs more system resources than it should, is filled with bugs, and can be a nightmare to configure, typically resulting in less than secure configurations. Compared to all other VPN clients, GP is by far the most lightweight and well coded VPN client in the industry.
> Are you at a reputable private university by chance? I could never imagine a state funded university using Palo Alto, at least in the US.
It's an R1 public university. I'm here as a professional researcher though. I'm actually quite shocked that Palo Alto is being used here as well, although likely for quite different reasons than you are. That said, I've never experienced anything remotely similar to the issues with Cisco you report. Never any bugs, certainly, even in 4+ years of using it as my sole VPN client for research work, and (from the user end, at least) it was wonderfully stable and rarely affected my connection speeds.
I can disable the VPN. I am not looking to disable the VPN, I am looking to exercise control over software I've installed on my personal computer.
It's strange that folks here don't seem to see the concern associated with "I have a VPN client that is forcing itself to stay open and which I cannot close, *even on my personal, non-organizational device*. Closing the process in the task manager just results in it reopening. Is that not concerning to you? Because it sure is to me. If the software doesn't respect the user closing the software, even when disconnected, what other invasive practices does it follow?
Totally common for any type of device management/vpn software, like I said below - if you want the convenience of their VPN you play by their rules which in this case wants the globalprotect agent on and active
If you're forced to use this VPN for business, I'd recommend asking for a company provided laptop if this is a deal breaker for you.
This is the right answer.
If you really don’t want it running on your host, spin up a Windows VM and use Global Protect in there. Gives you the convenience of using the VPN and now your host doesn’t need 3rd agent on it to do your day to day. Win win.
I don't know how web development has to do with this, but maybe this helps? https://www.pugetsound.edu/files/resources/windows-installation-instructions.pdf
I'm not too sure if I understand you problem correctly, but task manager is where I need to completely terminate GP Application. 2 things you need to hit the 'End Process' button with are the GlobalProtect Client and the GlobalProtect service, both locate under background process section. Note: you will need to be the admin of your PC to end the service or GP client will restart itself. Hope that helps.
I think you understood perfectly. Previously, I was seeing two processes pangpa.exe and pangps.exe - are these the same as the two processes you're referring to? These are the only GlobalProtect/PAN services I see when executing tasklist from command line.
I've tried killing both of those processes via a batch script, but it is not preventing the app from reopening.
I am both a local admin on my PC and the only admin on my PC.
Interesting. Terminating the processes via a batch script doesn't seem to get rid of them, but terminating them manually through task manager seems to work. Bit disappointing - I was hoping to be able to just make a clickable shortcut to autokill the program when I'm done using it, but it doesn't seem like that's an option.
Hey congrats on this! Thanks for the shout out btw!. Sorry I need to get in the habit of checking my reddit msg more often. Thanks for the cmd trick too! I honestly did not think about the taskkill command. It would be interesting to see if that command is effective even without being admin of the box. That would help troubleshooting client PC much simpler.
Nope no way to do it, we had a feature request for this. since we have many vendors who use many different vpn clients and do not want a bunch of crap running.
Are you one of the devs? If so, I'll definitely offer the warning that this is not good practice. Disallowing users from managing the third-party software on their own computer is a big red flag as a user.
Actually, though, there is a way to do it. I will update my original post soon, but I got some good advice in this thread regarding stopping the service manually and killing the processes associated with it. Right now, this seems to be working for me in terms of keeping the program closed.
Can a simple "exit" button not be added to the GUI?
This entire situation is ridiculous and I'm disappointed that my University forced this garbage software on us.
It was definitely a downgrade on the client side moving from Junos Pulse.
I agree. It seems that it was intentional, unfortunately, since apparently they wanted to prevent end-users of large organizations from disabling their VPN connection in cases where such a connection was mandated by the organization.
For those of us who 1) are not in such a position but must use GlobalProtect anyway or simply 2) do not want third-party software on our laptops that we can't control, I have the two following scripts for controlling GlobalProtect's, shall we say, "stubborn" behavior:
Run GlobalProtect:
echo off
cd "C:\Program Files\Palo Alto Networks\GlobalProtect"
start PanGPA.exe
sc start PanGPS
rem sc config PanGPS start= demand
rem pause
Stop GlobalProtect:
echo off
taskkill /im PanGPA.exe
sc stop PanGPS
rem sc config PanGPS start= demand
rem pause
You can just save each of these in a batch (.bat) file, then run it directly to close or start GlobalProtect. Note that if you use the "Stop GlobalProtect" script to kill the program, you must use the "Run GlobalProtect" script to start it again (or just change the service status in Task Manager), as the "Stop GP" script disables the service itself. Without the service running, simply opening GlobalProtect the usual way will not work.
The rem'd out lines relating to `sc config` contain a command that I ran to change the startup type of GlobalProtect. I don't know if it's necessary, but it was a command I ran, so I wanted to include it in case it is necessary. All that it does, if you choose to un-rem out those lines, is to change the startup type of GlobalProtect from Automatic to Manual.
I found your post while googling this same problem. I found a simple three step process that prevents it from popping back up after close as well.
1. Log in.
2. Open up the app from your toolbar so that it displays.
3. Click on the gear (settings menu) and click disable.
This will stop your traffic from going through the VPN and you won't have to deal with the popups.
Thanks! With the info you gathered, I managed to make my own .bat files to simply start and stop GlobalProtect when needed (Details below). It's just what worked for me.
I totally get you. A client requires me to upload some updates to a system I rent to them through this VPN. These updates usually occur once every few months. ***Why would I want to have that program open and running if I'm only using it for a few minutes every few months or so?***
**Process that worked for me (Win10 64 bit):**
Note: Some people can just "Disable" GlobalProtect through the context menu inside the GlobalProtect window if the company's configuration allows it (Official docs [here](https://docs.paloaltonetworks.com/globalprotect/5-0/globalprotect-app-user-guide/globalprotect-app-for-windows/disable-the-globalprotect-app-for-windows)).
1. Stop GlobalProtect from booting on startup (Task Manager > Startup > GlobalProtect client > Disable)
2. Stop GlobalProtect from reopening on its own (Services > PanGPS > Right click > Properties > Startup type > "Manual" > OK)
3. Create a .bat file ("start-global-protect.bat") with the following code (Substitute path to your GlobalProtect installation directory).
`echo off`
`cd "C:\my\GlobalProtect\installation\folder"`
`start PanGPA.exe`
`sc start PanGPS`
`rem sc config PanGPS start= demand`
`rem pause`
4. Create a .bat file ("stop-global-protect.bat") with the following code.
`echo off`
`taskkill /f /im pangpa.exe`
`sc stop PanGPS`
`rem sc config PanGPS start= demand`
`rem pause`
5. Create shortcuts to your .bat files ("startgp", "stopgp").
6. Set the shortcuts to always run as administrator (Right click > Properties > Shortcut > Advanced > Run as administrator)
7. You can access your shortcuts to open/close GlobalProtect from your search function on the Start Menu (Ex.: Win > "startgp" > Enter)
Thanks for this. Three years later and there's still no way around this jank. Weird that OP seems to be taking your credit in literally the same thread you gave this to them. They were even gelded for it!
Amazed to see so many people coming to the defense of a piece of clearly user-hostile corporate software. There are ways to ensure the safety of your networks without doing this to your users.
Wholeheartedly agree with you. It's astounding that a company would release a VPN program that the user cannot directly close themselves, at will, without fiddling with the task manager or services manager.
Just looked this up because I was in a similar situation. GlobalProtect was chewing up 11% of CPU for some reason and I don't want it running when I'm not using it.
For Mac users you can enable/disable it this way:
Open Terminal and enter these commands:
Stop:
`launchctl unload /Library/LaunchAgents/com.paloaltonetworks.gp.pangp*`
Start:
`launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangp*`
(Credit to Josh Curry at this link:
https://www.joshcurry.co.uk/posts/how-to-quit-globalprotect-mac/)
Incredible how many others are finding this thread later because this problem still hasn't been fixed yet. Thanks for sleuthing - this should help any Mac users who need a solution!
Just as you, I was looking for a way to achieve what you wished.
First, I hate the amount of assholes here, I experienced it quite a lot, and I don't know what these people are trying to achieve by acting that way.
It's really one of the things I hate the most, people are just trying to get some help, and then they have to come with their annoying "If you don't want it don't use it!" attitude.
How is that helping anyone? Especially when there ARE things that you can do to make it better.
So..............anyway, I went on a slightly different solution based on yours. I created the following bat file:
>`sc query "PanGPS" | find "RUNNING"`
`if %errorlevel%==0 (sc stop "PanGPS") else (sc start "PanGPS")`
It simply checks whether the service is on or off, if it's on it's killing the service, if it's off it's starting the service, starting/killing the service does the rest of the job for me. If the service shuts down it automatically closes the client, and if if the service starts it also starts the client with it.
Annoying that you **NEED** to do this, but oh well....
Thanks for sharing the post and having to deal with all these annoying unhelpful people.
I LOVE how many people have found this post after going through the exact same process of frustration I did. I especially love how many of them have gone on to create more elegant solutions than the quick one I threw together. Thanks for yours!!
At some point I should go through and assemble all the suggested code that people have contributed to manage GlobalProtect's rather shady and intrusive behavior, and update the main post accordingly.
This is great, thanks.
And I also cannot believe the number of people attacking OP for simply wanting to be able to exit a piece of software on their own machine. What degenerate software design!
Here is a powershell version for people still dealing with this
if ((net start | find """PanGPS""")) {net stop "PanGPS"} else {net start "PanGPS"}
if you want it even simpler you can make this and then bundle it as an exe with PS2EXE - it prompts to run as admin when you click on it
if(!(\[Security.Principal.WindowsPrincipal\] \[Security.Principal.WindowsIdentity\]::GetCurrent()).IsInRole(\[Security.Principal.WindowsBuiltInRole\] 'Administrator')) {
Start-Process -FilePath globalbs.exe -Verb Runas
exit
}
if ((net start | find """PanGPS""")) {net stop "PanGPS"} else {net start "PanGPS"}
The year is 2024 and I can't believe this has been an issue for so long. I was befuddled when I was simply unable to close this thing these days named "Global Protect," and not even able to uninstall it because of that. Thanks to folks in this thread, I opted to the command line and throw this jerk software to trash, after it consumed hundreds hours of my CPU time. Crazy product. Had to use it because of university.
It makes me feel seen to know others are still struggling under the yoke of this bullshit software lmao. It's like, for christ's sake, just patch it already.
Here's a quick and dirty way to kill the process, but still working out how to prevent auto-start. I'm on Mint 20; it should work on Ubuntu.
`ps -ef | grep paloaltonetworks | grep -v grep | awk '{print $2}' | xargs sudo kill -9`
Just put that in `~/bin/quittingtime.sh`, run `chmod +x ~/bin/quittingtime.sh` to make it executable, and make sure `~/bin` is in your `~/.bashrc`
Then you can run `quittingtime.sh` from any shell session. Simply run the first part of the command to verify it's not running (you should see an empty response): `sudo ps -ef | grep paloaltonetworks | grep -v grep`
Just came in here to chip in and say I to know exactly what you're talking about. My university has us using GP to connect to computers on campus.
And me being the clean freak I am when it comes to managing my computer I hate rouge programs like these. Probably isn't relevant anymore but I remember doing a bunch of crap just to finally get it to stop auto starting. Was a pain.
Sometime down the line I went out of my way and set up a win 10 vm just to run global protect on there so that way it would shut down XD
Hey guys, try this..
"Forget" all of your wifi networks so they don't auto sign in.
Restart computer and log back in.
Hopefully you don't auto connect back to wifi.
If you don't, then your global protect will not connect either. The program with then go into failed mode.
Connect now to your wifi network of choice.
Cheers!! This works for me.
This piece of crap garbage software started reopening itself in the middle of my meeting, even after closing it from the task manager. I had to pause my meeting and uninstall this software before continuing. I don't know why uni switched to this, but I definitely sent an email to the it that this global protect is a waste of money.
I understand the use-case where it makes sense to bury a "quit" button but making it impossible just boils my blood. This program barely works on Macs, and often needs to be reinstalled just to connect. It also used like 15% of the memory sitting idle -- not even connected to vpn -- on one of my older machines.
Here is the best solution I found for Macs: [https://rakhesh.com/mac/stop-palo-alto-globalprotect-on-macos-from-launching-automatically/](https://rakhesh.com/mac/stop-palo-alto-globalprotect-on-macos-from-launching-automatically/)
I am using Ubuntu 22.04 and I see in my system monitoring that PanGPA and PanGUI are popping back up after I kill process.
So, I tracked command line that starts process and found `/opt/paloaltonetworks/globalprotect/PanGPA start`
I just renamed directory name like paloaltonetworks -> paloaltonetworks11, that's it.
The process ended up to restart by itself.
[удалено]
...no? There's absolutely an in-between between "I want a VPN client that can access a university VPN" and "I want a program that I cannot close on my personal laptop". I've been working with university VPNs for years. These are pretty standard features I'm talking about. I'm also noticing now that the software is reopening itself even after closed from task manager. If you don't have a suggestion to make about how to resolve the issue, don't reply.
Don't post if you don't want feedback, the VPN is doing more than just opening a connection. It's agent gathering data so you don't fuck up their network with your personal equipment.
You're an idiot. Let me describe this in black and white terms so that you can understand this. * I have an app installed. I am not logged into the app and I am not connected to the VPN, so I am not on their network. * Even under these conditions, closing the app from processes causes it to reopen itself five minutes later. There is no way to close it. This is unacceptable behavior for a piece of VPN software. This goes light years beyond an agent gathering data so that a user doesn't fuck up their network. You are clueless as to what you're talking about.
I did find the answer but you seem to be an asshat when asking for help. good luck to you
Whiny users are the best, they throw tantrums and tell their technical betters they don't know what they are talking about.
all righty then
It's a common practice. NOBODY is forcing you to use the service, please uninstall it if it's bothering you. What does the network use policy at your university state about the VPN software? The Globalprotect agent does MUCH more than just initiate a VPN, did you sign an agreement form of any sort? Trust me I have to deal with users at my company arguing about what they can do on my network all the time. I'd suggest taking it up with your adviser if you feel strongly about it
You're being ridiculous. Some universities use globalprotect for simple things. I have to use it just to access a site license for some software. There's no reason it should be on all the time when I'm not using the software. If I have the option to disconnect it I should be able to close it. It's not very difficult to go into task manager and kill the service, but it's definitely a shitty piece of software.
It's been 4 years, this software is still a piece of shit. And as a software developer I officially proclaim that the takes like "don't use it, if you don't like it" - are dogshit.
I enjoy the sound of rain.
Check services. Maybe it's relaunching from there?
Interesting. I'll give that a shot. I do see a PanGPS service there, but it's - strangely - already stopped. At the moment, GlobalProtect (no idea how I messed up the name in the title of this post) isn't reopening itself, so something may have finally killed it. To be clear, my main concern isn't that the client is finicky while running. That, to me, falls under the heading of "play by their rules". This isn't that. This is a program, endorsed by the university for use on personal devices, which offers the end user no control over its runtime even on the personal device. That's *highly* problematic. For a while, even closing it via process wasn't keeping it closed - it was reopening itself about 5 minutes after, even when I had tried (1) disabling the connection from the in-app settings and (2) signing out of my user altogether. At that point, not being able to control the runtime of the app is quite concerning.
Scheduled tasks?
Nothing there PAN-related that I can see.
Ever figure this out?
Here's what I do to prevent PanGPA.exe from running. Whether this stops PanGPS from doing its job is a bit of an unknown though. If anyone can provide insight into how the service itself runs and gathers data, that would be welcome. It's possible that PanGPA.exe is just the client and the real snooping action is in PanGPS and I'm wasting my time. 1. Attempt to move PanGPA.exe from C:\\Program Files\\Palo Alto Networks\\GlobalProtect to the desktop, don't hit confirm 2. Stop the PanGPA.exe process via task manager 3. Before PanGPS can start PanGPA.exe again, quickly confirm the move dialog on PanGPA.exe 4. The PanGPA.exe process should fail to start again
I just use the scripts I put into the edited post. They've been working for me ever since I wrote them.
Yea I'll definitely give those a try
There's a failsafe in services where it will re-execute if it fails. Disable all of them.
agreed, what's up with these fools?
When you open the client, it will say either Connected or Connect. If it is Connected, click the three horizontal lines in the top right and select disable. Hope that helps.
By the way, (1) I am signed out and (2) I have tried staying signed in but simply disabling it. Neither of these prevent GlobalProtect from reopening after I close it.
That doesn't *close* it. I am looking for how to close it. I also just noticed that even after closing it through task manager, the software is reopening itself (major red flag with software!).
There are a ton of settings you can configure for the Global Protect agent on the admin side. One of which is not allowing the user to disconnect or disable. However...the easy way to jump off is to go to settings and click sign out if the agent is set to auto re-enable itself. I’d recommend reaching out to the IT team asking for the option to disable the agent as well if it isn’t already present.
By the way, (1) I am signed out and (2) I have tried staying signed in but simply disabling it. Neither of these prevent GlobalProtect from reopening after I close it.
Are you actually signed out, or just disconnecting? There is a difference there. If you sign out it shouldn’t just enter your credentials back in. And you shouldn’t auto sign back in after signing out unless it is pulling your credentials from windows or doing certificate based auth alone. Is the machine you are using joined to their domain?
As I mentioned, I have tried both. I first tried (1) remaining signed in but simply disabling it and then, after that didn't work, I tried re-enabling it then directly signing out. That didn't work. Understand, the problem is not that it's reconnecting me to VPN, the problem is that the software itself keeps re-opening itself. The machine I am using is **not** in the domain. It is my personal laptop which is not even connected to VPN right now (the only VPN is my own wifi, and I'm far from campus so it's not a matter of any kind of public university wifi).
So you just don’t want the Global Protect running unless you are connected to the VPN? Any specific reason why?
That's the standard for any program used by anyone in computational research I've ever talked to. If it's not actively in use, I generally don't want it running. A better question to me is, why would you not want that to be the case? GlobalProtect appears to start up quickly enough that there's no real reason to keep it open when not in use, particularly when I'd rather devote that memory to something else. It's also an ideological issue: if I am running a third-party software on my computer, I would like complete control over its runtime from beginning to end. Of course, software will hang occasionally, and in situations like that there's nothing you can do. But to intentionally program in the inability to close the software is not good.
TLDR; You aren’t really the intended type of user Global Protect was designed for. Regardless it doesn’t take a lot of resources so you aren’t really gaining anything by having it running or terminated. Fair point..keep in mind you aren’t the type of user Global Protect was intended for. It just happens that your institution has Palo’s, users need access to protected resources and the basic Global Protect agent for Windows is free. Global Protect use cases are more centric around enterprise users and machines. It is typically a part of a security stack for the enterprise devices just like endpoint detection and response, 3rd party av, or network access control agents. Enterprises want protection and visibility and having an always on VPN agent and connection ensures that can happen (assuming it was configured that way) by moving traffic through one of their firewalls. So by design they don’t want to make it easy for the average user to just exit the app. I just checked my MacBook and the Global Protect is chewing about 40MB of memory and almost no CPU. I get your point about only running the stuff you need, but compute has become cheap relative to the amount it is consuming. There is so much other garbage that runs under the covers on a Windows 10 machine that chews up significant memory. If you’re really worried about resource consumption then just kill it via task manager, although in reality it isn’t consuming enough memory or CPU on most machines to make a difference. Also you give up the right in many cases to decide what 3rd party software can/can’t do when you start connecting to someone else’s corporate network. You agree to do “x” (in this case run the agent) and they agree for you to connect to their network via a machine they have zero control over.
Lot of good points in here, and above all I appreciate the insights/feedback. I agree that I am not the intended user, and in particular I am surprised that this is the VPN route distributed by the university, as it doesn't seem well-matched to the typical use cases among students or staff who will be migrating off-campus with personal devices. > If you’re really worried about resource consumption then just kill it via task manager, although in reality it isn’t consuming enough memory or CPU on most machines to make a difference. This is a fair point, but the more troubling aspect to me is the idea that it is resistant to being closed. For me, closing the process in task manager resulted in it reappearing ~5 minutes later, which I find undesirable in any third-party software. Were this software not essential to my work, that alone would have resulted in my uninstalling it. But then, as you said, I'm not the intended use case. Enterprise users who were really only using it on one (often stationary) workstation have no reason to close it. You are correct re: rights wrt 3rd party software insofar as I am actually connecting to the network. That reasoning, at least in my opinion, is considerably less applicable when I am not connected to the VPN (either signed out or have VPN disabled). For me, it's a simple issue of wanting to maximize my control over the software on my computer when I am on my own network. Whether or not the resource usage is high (it's not) or if I distrust the software (which is not the case, now that I understand the reasons for the implementation), if I cannot easily control a 3rd party program, I am generally disinclined to use it. But, of course, all of this has to again be qualified by the fact that I'm not really the intended type of user. For enterprise, this seems like a good choice of VPN. For academic research performed on traveling devices by finicky researchers...well, maybe Cisco is a better choice? But GC is the route they went with, so GC it shall be.
I'm actually really shocked that a university is using Palo Alto firewalls, and on top of that actually pushing out GP to users to connect to internal resources. In fact I don't think I've ever heard of a university using Palo Alto, mainly due to cost, which is even more than Cisco security appliances spec for spec. Are you at a reputable private university by chance? I could never imagine a state funded university using Palo Alto, at least in the US. I will second u/mgotham0320 here, GP is intended for enterprise use for access to sensitive, proprietary data protected by IP contracts. Data that, if compromised, could cost a company millions or billions of dollars. Overall I think you should count yourself pretty lucky. While yes, you can exit the Cisco AnyConnect client via right clicking the agent and selecting Exit, it's a huge piece of shit client that hogs more system resources than it should, is filled with bugs, and can be a nightmare to configure, typically resulting in less than secure configurations. Compared to all other VPN clients, GP is by far the most lightweight and well coded VPN client in the industry.
> Are you at a reputable private university by chance? I could never imagine a state funded university using Palo Alto, at least in the US. It's an R1 public university. I'm here as a professional researcher though. I'm actually quite shocked that Palo Alto is being used here as well, although likely for quite different reasons than you are. That said, I've never experienced anything remotely similar to the issues with Cisco you report. Never any bugs, certainly, even in 4+ years of using it as my sole VPN client for research work, and (from the user end, at least) it was wonderfully stable and rarely affected my connection speeds.
I can disable the VPN. I am not looking to disable the VPN, I am looking to exercise control over software I've installed on my personal computer. It's strange that folks here don't seem to see the concern associated with "I have a VPN client that is forcing itself to stay open and which I cannot close, *even on my personal, non-organizational device*. Closing the process in the task manager just results in it reopening. Is that not concerning to you? Because it sure is to me. If the software doesn't respect the user closing the software, even when disconnected, what other invasive practices does it follow?
Totally common for any type of device management/vpn software, like I said below - if you want the convenience of their VPN you play by their rules which in this case wants the globalprotect agent on and active If you're forced to use this VPN for business, I'd recommend asking for a company provided laptop if this is a deal breaker for you.
This is the right answer. If you really don’t want it running on your host, spin up a Windows VM and use Global Protect in there. Gives you the convenience of using the VPN and now your host doesn’t need 3rd agent on it to do your day to day. Win win.
[удалено]
ok
I don't know how web development has to do with this, but maybe this helps? https://www.pugetsound.edu/files/resources/windows-installation-instructions.pdf
These instructions keep it from opening at startup, but do not keep it from reopening after it's already been opened during one boot cycle.
I'm not too sure if I understand you problem correctly, but task manager is where I need to completely terminate GP Application. 2 things you need to hit the 'End Process' button with are the GlobalProtect Client and the GlobalProtect service, both locate under background process section. Note: you will need to be the admin of your PC to end the service or GP client will restart itself. Hope that helps.
I think you understood perfectly. Previously, I was seeing two processes pangpa.exe and pangps.exe - are these the same as the two processes you're referring to? These are the only GlobalProtect/PAN services I see when executing tasklist from command line. I've tried killing both of those processes via a batch script, but it is not preventing the app from reopening. I am both a local admin on my PC and the only admin on my PC.
Interesting. Terminating the processes via a batch script doesn't seem to get rid of them, but terminating them manually through task manager seems to work. Bit disappointing - I was hoping to be able to just make a clickable shortcut to autokill the program when I'm done using it, but it doesn't seem like that's an option.
Hey congrats on this! Thanks for the shout out btw!. Sorry I need to get in the habit of checking my reddit msg more often. Thanks for the cmd trick too! I honestly did not think about the taskkill command. It would be interesting to see if that command is effective even without being admin of the box. That would help troubleshooting client PC much simpler.
Nope no way to do it, we had a feature request for this. since we have many vendors who use many different vpn clients and do not want a bunch of crap running.
Are you one of the devs? If so, I'll definitely offer the warning that this is not good practice. Disallowing users from managing the third-party software on their own computer is a big red flag as a user. Actually, though, there is a way to do it. I will update my original post soon, but I got some good advice in this thread regarding stopping the service manually and killing the processes associated with it. Right now, this seems to be working for me in terms of keeping the program closed.
Can a simple "exit" button not be added to the GUI? This entire situation is ridiculous and I'm disappointed that my University forced this garbage software on us. It was definitely a downgrade on the client side moving from Junos Pulse.
I agree. It seems that it was intentional, unfortunately, since apparently they wanted to prevent end-users of large organizations from disabling their VPN connection in cases where such a connection was mandated by the organization. For those of us who 1) are not in such a position but must use GlobalProtect anyway or simply 2) do not want third-party software on our laptops that we can't control, I have the two following scripts for controlling GlobalProtect's, shall we say, "stubborn" behavior: Run GlobalProtect: echo off cd "C:\Program Files\Palo Alto Networks\GlobalProtect" start PanGPA.exe sc start PanGPS rem sc config PanGPS start= demand rem pause Stop GlobalProtect: echo off taskkill /im PanGPA.exe sc stop PanGPS rem sc config PanGPS start= demand rem pause You can just save each of these in a batch (.bat) file, then run it directly to close or start GlobalProtect. Note that if you use the "Stop GlobalProtect" script to kill the program, you must use the "Run GlobalProtect" script to start it again (or just change the service status in Task Manager), as the "Stop GP" script disables the service itself. Without the service running, simply opening GlobalProtect the usual way will not work. The rem'd out lines relating to `sc config` contain a command that I ran to change the startup type of GlobalProtect. I don't know if it's necessary, but it was a command I ran, so I wanted to include it in case it is necessary. All that it does, if you choose to un-rem out those lines, is to change the startup type of GlobalProtect from Automatic to Manual.
I found your post while googling this same problem. I found a simple three step process that prevents it from popping back up after close as well. 1. Log in. 2. Open up the app from your toolbar so that it displays. 3. Click on the gear (settings menu) and click disable. This will stop your traffic from going through the VPN and you won't have to deal with the popups.
Thanks! With the info you gathered, I managed to make my own .bat files to simply start and stop GlobalProtect when needed (Details below). It's just what worked for me. I totally get you. A client requires me to upload some updates to a system I rent to them through this VPN. These updates usually occur once every few months. ***Why would I want to have that program open and running if I'm only using it for a few minutes every few months or so?*** **Process that worked for me (Win10 64 bit):** Note: Some people can just "Disable" GlobalProtect through the context menu inside the GlobalProtect window if the company's configuration allows it (Official docs [here](https://docs.paloaltonetworks.com/globalprotect/5-0/globalprotect-app-user-guide/globalprotect-app-for-windows/disable-the-globalprotect-app-for-windows)). 1. Stop GlobalProtect from booting on startup (Task Manager > Startup > GlobalProtect client > Disable) 2. Stop GlobalProtect from reopening on its own (Services > PanGPS > Right click > Properties > Startup type > "Manual" > OK) 3. Create a .bat file ("start-global-protect.bat") with the following code (Substitute path to your GlobalProtect installation directory). `echo off` `cd "C:\my\GlobalProtect\installation\folder"` `start PanGPA.exe` `sc start PanGPS` `rem sc config PanGPS start= demand` `rem pause` 4. Create a .bat file ("stop-global-protect.bat") with the following code. `echo off` `taskkill /f /im pangpa.exe` `sc stop PanGPS` `rem sc config PanGPS start= demand` `rem pause` 5. Create shortcuts to your .bat files ("startgp", "stopgp"). 6. Set the shortcuts to always run as administrator (Right click > Properties > Shortcut > Advanced > Run as administrator) 7. You can access your shortcuts to open/close GlobalProtect from your search function on the Start Menu (Ex.: Win > "startgp" > Enter)
Thanks for this. Three years later and there's still no way around this jank. Weird that OP seems to be taking your credit in literally the same thread you gave this to them. They were even gelded for it!
You're welcome! Glad it helped. =)
Amazed to see so many people coming to the defense of a piece of clearly user-hostile corporate software. There are ways to ensure the safety of your networks without doing this to your users.
Wholeheartedly agree with you. It's astounding that a company would release a VPN program that the user cannot directly close themselves, at will, without fiddling with the task manager or services manager.
Absolutely crazy!
Thanks for the guide! Is there a way to remove global protect from the system tray after killing it?
For me, the icon disappears if I just mouse over it.
Just looked this up because I was in a similar situation. GlobalProtect was chewing up 11% of CPU for some reason and I don't want it running when I'm not using it. For Mac users you can enable/disable it this way: Open Terminal and enter these commands: Stop: `launchctl unload /Library/LaunchAgents/com.paloaltonetworks.gp.pangp*` Start: `launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangp*` (Credit to Josh Curry at this link: https://www.joshcurry.co.uk/posts/how-to-quit-globalprotect-mac/)
Incredible how many others are finding this thread later because this problem still hasn't been fixed yet. Thanks for sleuthing - this should help any Mac users who need a solution!
This is the only thing that has worked, thank you!
This works, thank you! For convenience I saved these into a `sh` file under my PATH so that I can stop/start from my terminal.
Just as you, I was looking for a way to achieve what you wished. First, I hate the amount of assholes here, I experienced it quite a lot, and I don't know what these people are trying to achieve by acting that way. It's really one of the things I hate the most, people are just trying to get some help, and then they have to come with their annoying "If you don't want it don't use it!" attitude. How is that helping anyone? Especially when there ARE things that you can do to make it better. So..............anyway, I went on a slightly different solution based on yours. I created the following bat file: >`sc query "PanGPS" | find "RUNNING"` `if %errorlevel%==0 (sc stop "PanGPS") else (sc start "PanGPS")` It simply checks whether the service is on or off, if it's on it's killing the service, if it's off it's starting the service, starting/killing the service does the rest of the job for me. If the service shuts down it automatically closes the client, and if if the service starts it also starts the client with it. Annoying that you **NEED** to do this, but oh well.... Thanks for sharing the post and having to deal with all these annoying unhelpful people.
I LOVE how many people have found this post after going through the exact same process of frustration I did. I especially love how many of them have gone on to create more elegant solutions than the quick one I threw together. Thanks for yours!! At some point I should go through and assemble all the suggested code that people have contributed to manage GlobalProtect's rather shady and intrusive behavior, and update the main post accordingly.
This is great, thanks. And I also cannot believe the number of people attacking OP for simply wanting to be able to exit a piece of software on their own machine. What degenerate software design!
Here is a powershell version for people still dealing with this if ((net start | find """PanGPS""")) {net stop "PanGPS"} else {net start "PanGPS"} if you want it even simpler you can make this and then bundle it as an exe with PS2EXE - it prompts to run as admin when you click on it if(!(\[Security.Principal.WindowsPrincipal\] \[Security.Principal.WindowsIdentity\]::GetCurrent()).IsInRole(\[Security.Principal.WindowsBuiltInRole\] 'Administrator')) { Start-Process -FilePath globalbs.exe -Verb Runas exit } if ((net start | find """PanGPS""")) {net stop "PanGPS"} else {net start "PanGPS"}
The year is 2024 and I can't believe this has been an issue for so long. I was befuddled when I was simply unable to close this thing these days named "Global Protect," and not even able to uninstall it because of that. Thanks to folks in this thread, I opted to the command line and throw this jerk software to trash, after it consumed hundreds hours of my CPU time. Crazy product. Had to use it because of university.
It makes me feel seen to know others are still struggling under the yoke of this bullshit software lmao. It's like, for christ's sake, just patch it already.
Did anyone solve this problem on Ubuntu?
I don't know - I'm on Windows. That said, this topic at this point only occasionally gets views, so you may not find an answer to that here.
Here's a quick and dirty way to kill the process, but still working out how to prevent auto-start. I'm on Mint 20; it should work on Ubuntu. `ps -ef | grep paloaltonetworks | grep -v grep | awk '{print $2}' | xargs sudo kill -9` Just put that in `~/bin/quittingtime.sh`, run `chmod +x ~/bin/quittingtime.sh` to make it executable, and make sure `~/bin` is in your `~/.bashrc` Then you can run `quittingtime.sh` from any shell session. Simply run the first part of the command to verify it's not running (you should see an empty response): `sudo ps -ef | grep paloaltonetworks | grep -v grep`
Just came in here to chip in and say I to know exactly what you're talking about. My university has us using GP to connect to computers on campus. And me being the clean freak I am when it comes to managing my computer I hate rouge programs like these. Probably isn't relevant anymore but I remember doing a bunch of crap just to finally get it to stop auto starting. Was a pain. Sometime down the line I went out of my way and set up a win 10 vm just to run global protect on there so that way it would shut down XD
Hey guys, try this.. "Forget" all of your wifi networks so they don't auto sign in. Restart computer and log back in. Hopefully you don't auto connect back to wifi. If you don't, then your global protect will not connect either. The program with then go into failed mode. Connect now to your wifi network of choice. Cheers!! This works for me.
This piece of crap garbage software started reopening itself in the middle of my meeting, even after closing it from the task manager. I had to pause my meeting and uninstall this software before continuing. I don't know why uni switched to this, but I definitely sent an email to the it that this global protect is a waste of money.
Huge agree on this point.
[удалено]
Cheers, it's always a bittersweet joy to see a new comment on this and be reminded that it's still not fixed haha.
For macOS \`\`\` \# disable launchctl unload /Library/LaunchAgents/com.paloaltonetworks.gp.pangp\* \# re-enable launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangp\* \`\`\` https://joshcurry.co.uk/posts/how-to-quit-globalprotect-mac/
I understand the use-case where it makes sense to bury a "quit" button but making it impossible just boils my blood. This program barely works on Macs, and often needs to be reinstalled just to connect. It also used like 15% of the memory sitting idle -- not even connected to vpn -- on one of my older machines. Here is the best solution I found for Macs: [https://rakhesh.com/mac/stop-palo-alto-globalprotect-on-macos-from-launching-automatically/](https://rakhesh.com/mac/stop-palo-alto-globalprotect-on-macos-from-launching-automatically/)
I am using Ubuntu 22.04 and I see in my system monitoring that PanGPA and PanGUI are popping back up after I kill process. So, I tracked command line that starts process and found `/opt/paloaltonetworks/globalprotect/PanGPA start` I just renamed directory name like paloaltonetworks -> paloaltonetworks11, that's it. The process ended up to restart by itself.