GlobalProtect - MSI Deployment




As promised, I created the MSI deployment post.

You will learn how to deploy GlobalProtect via a batch file inside a Microsoft environment.

Things you will need beforehand:
1. A login script created via GPO.
2. The MSI, downloaded via the portal.
   a. View my post on how to disable the portal for security reasons.



OK, let’s begin.

What the script is doing:

  1. @ECHO OFF
    1. This tells cmd not to echo each command while the script is running.
    2. You can turn echoing back on by using @ECHO ON or by removing the line.
  2. if exist "%TEMP%\pa.gp" goto exit
    1. If the file pa.gp exists in this path, jump to the exit label.
  3. set GP="\\path-to-msi\GlobalProtect.msi"
    1. Defines the location of the MSI. Make sure that the users can reach the destination.
  4. msiexec /i %GP% CONNECTMETHOD="pre-logon" PRELOGON="1" PORTAL="IP"
    1. Runs msiexec.exe against the MSI we defined as %GP%. CONNECTMETHOD="pre-logon" tells the MSI that the agent will run in pre-logon mode.
    2. We also want a registry entry added to the machine, so we pass PRELOGON="1" as the value of that entry: 1 for on and 0 for off.
      1. Registry value location: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
  5. ::Hidden File section
    1. We create a hidden file. This prevents the script from running over and over again. The file name must match your "if exist" statement.
  6. :exit
    1. This is the exit label that lets the script jump out if the file pa.gp exists.


Note: you can enable the msg command by removing the "::" comment prefix.

You will need to know which method you will be deploying (pre-logon, on-demand, etc.), as this will affect the script.

Once that has been confirmed, use the following bat file to deploy the MSI to the company.
:: ---------------------------------------------------------------------------------------
:: By: AzNetAdmin
:: Date: 10/11/2018
::
:: .Synopsis
::     Installing Palo Alto Global Protect MSI
:: .Description
::     Deploying GP via Msiexec and Customizing the agent settings.
:: .Notes
::     Troubleshooting
::         start "" "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe"
:: ---------------------------------------------------------------------------------------
@ECHO OFF
cls

if exist "%TEMP%\pa.gp" goto exit

::Install MSI
set GP="\\path-to-msi\GlobalProtect.msi"

::msiexec /i %GP% CONNECTMETHOD="on-demand" PORTAL="IP" CANCHANGEPORTAL="no" /qn
msiexec /i %GP% CONNECTMETHOD="pre-logon" PRELOGON="1" PORTAL="IP" CANCHANGEPORTAL="no" /qn


::Hidden File
echo @_@ >> "%TEMP%\pa.gp"
attrib +h "%TEMP%\pa.gp"
echo %date% %Username% >>"\\path-to-msi-log\log.txt"

::msg %username% /TIME:2 Global Protect have been installed. Thank you %username%!

:exit


Don’t forget to make your log.txt writable via NTFS permissions.
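The script above creates pa.gp and writes the log line whether or not msiexec succeeded, so a failed silent install is never retried. The variant below is an added example, not the author's script: it records the msiexec exit code and creates the marker only after a successful install. The value name Prelogon, the labels and the log format are assumptions; the share paths and PORTAL="IP" are the post's placeholders.

```batch
@ECHO OFF
setlocal

:: Placeholders carried over from the post: marker file, MSI share, log share.
set "MARKER=%TEMP%\pa.gp"
set "GP=\\path-to-msi\GlobalProtect.msi"
set "LOG=\\path-to-msi-log\log.txt"
:: Registry location named in the walkthrough above.
set "PANSETUP=HKLM\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup"

if exist "%MARKER%" goto done

:: Leave no marker if this user cannot reach the share, so the next logon retries.
if not exist "%GP%" (
    call :log "MSI not reachable"
    goto done
)

:: start /wait blocks until msiexec exits, so ERRORLEVEL holds its real exit code.
start "" /wait msiexec /i "%GP%" CONNECTMETHOD="pre-logon" PRELOGON="1" PORTAL="IP" CANCHANGEPORTAL="no" /qn
set "RC=%ERRORLEVEL%"

:: 0 = success, 3010 = success with reboot required, 1641 = success with reboot started.
if "%RC%"=="0" goto verify
if "%RC%"=="3010" goto verify
if "%RC%"=="1641" goto verify
call :log "msiexec failed with exit code %RC%"
goto done

:verify
:: Assumption: PRELOGON is stored as a value named Prelogon under PanSetup.
reg query "%PANSETUP%" /v Prelogon >nul 2>&1
if errorlevel 1 (
    call :log "msiexec exit code %RC% but Prelogon value not found"
    goto done
)

:: Only now create the hidden marker that suppresses future runs.
>"%MARKER%" echo installed %date%
attrib +h "%MARKER%"
call :log "installed with exit code %RC%"
goto done

:log
:: Redirection comes first so a message ending in a digit is not read as a handle number.
>>"%LOG%" echo %date% %time% %COMPUTERNAME% %USERNAME% %~1
goto :eof

:done
endlocal
```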

If you would like to modify the MSI script with new settings, visit the following page:
https://docs.paloaltonetworks.com/globalprotect/7-1/globalprotect-admin/set-up-the-globalprotect-infrastructure/deploy-agent-settings-transparently/customizable-agent-settings.html


Thank you,
AzNetAdmin
