GlobalProtect | post-vpn-connection script

Gr1moT · March 7, 2025, 2:32am

Hi together,

I am trying to run a simple cmd command after logging into GlobalProtect locally on the PC.

For this, I came across the Windows Registry parameters, which can be used for my project.

Unfortunately, I can’t really get it to work…

Config under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect

-> post-vpn-connect was newly created
-> value “command” - c:\post-vpn-connect\pre_vpn_connection.bat

Inside the .bat only one gpudate/force is executed.
This also works - but not after logging into the GlobalProtect…

Any ideas?

Gr1moT · March 7, 2025, 2:32am

Quick update on my original post. Since I couldn’t find the answer in any other Reddit article on this topic, I’m posting my solution now.
First problem was the GlobalProtect version. For a working script I changed to version 6.1.2.
After that the following values were stored in the registry:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect

command: C:\GlobalProtect\post_vpn_connect.bat

context: admin

error-msg: Failed executing post-vpn-connect action!

Inside the post_vpn_connect.bat the following script is stored:

call gpupdate /force

if %ERRORLEVEL% == 0 goto :next

echo %DATE% %TIME% Errors encountered during execution. Exited with status: %errorlevel% >> C:\GlobalProtect\scripterror.txt

goto :endofscript

:next

echo %DATE% %TIME% Successfull GPUpdate >> C:\GlobalProtect\scriptout.txt

:endofscript

echo %DATE% %TIME% Script End >> C:\GlobalProtect\ending.txt

I hope this helps one or the other who wants to achieve something similar!

galaxy1011 · March 7, 2025, 2:32am

What’s the business case for it?

chainsawday · March 7, 2025, 2:32am

Try using quotes in your registry command value. Also try putting in a pause of some sort in the .bat file.

We use the reg key/script for the same purpose and sometimes things don’t fully work when they are evoked while GlobalProtect is connecting or transitioning between connections. Seems like AD/DNS needs a second to catch up.

Hope that helps

Gr1moT · March 7, 2025, 2:32am

After GlobalProtect login, the network disks are not mapped. Here just a gpupdate /force should trigger this process.

Anythingelse999999 · March 7, 2025, 2:32am

do you have an example of that script or how you are doing this?

Your saying that gpupdate /force is enough to trigger reconnect/remap?