### View DNS and Route Settings in PanGPS.log Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-split-dns-for-globalprotect-app-on-ios-endpoints Example of the DNS and routing configuration structure found within the PanGPS.log file for troubleshooting or verification. ```text DNSSettings = { protocol = cleartext server = ( x.x.x.x, ) searchDomains = () matchDomains = ( paloaltonetworks.com, *.paloaltonetworks.com, ) matchDomainsNoSearch = YES } IPv4Settings = { configMethod = manual addresses = ( xxx.xx.xx.xx, ) subnetMasks = ( xxx.xxx.xxx.xxx, ) includedRoutes = ( { destinationAddress = 0.0.0.0 destinationSubnetMask = 0.0.0.0 }, { destinationAddress = x.x.x.x destinationSubnetMask = xxx.xxx.xxx.xxx }, ) excludedRoutes = ( { destinationAddress = xxx.xx.xx.xxx destinationSubnetMask = xxx.xxx.xxx.xxx }, ) overridePrimary = NO } IPv6Settings = { configMethod = manual addresses = ( fc00::4f, ) networkPrefixLengths = ( 128, ) includedRoutes = ( { destinationAddress = :: destinationNetworkPrefixLength = 0 }, { destinationAddress = :: destinationNetworkPrefixLength = 128 }, ) ``` -------------------------------- ### Enable FIPS-CC Mode for GlobalProtect via Msiexec Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-windows-registry Use the Microsoft Windows Installer (Msiexec) command-line utility to enable FIPS-CC mode during the GlobalProtect app installation or upgrade. ```batch msiexec /i GlobalProtect64.msi ENABLEFIPSCCMODE=YES ``` -------------------------------- ### Configure FIPS-CC mode in pangps.xml Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-on-linux-endpoints-redhat Add the enable-fips-cc-mode setting to the pre-deployment configuration file located at /opt/paloaltonetworks/globalprotect. ```xml yes 0 ``` -------------------------------- ### Debug Split Tunnel Options Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-split-dns-for-globalprotect-app-on-ios-endpoints Log output showing the current split-tunnel-option and mobile-specific split tunnel configuration. ```text Debug(13251): split-tunnel-option is network-traffic Debug(13262): Got split-tunnel-option-mobile is yes ``` -------------------------------- ### Restart GlobalProtect Services via Terminal Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-macos-property-list Use these commands to unload and reload the GlobalProtect launch agents to initialize FIPS-CC mode. ```bash username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist ``` -------------------------------- ### Enable FIPS-CC Mode in Property List Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-macos-property-list Add this key-value pair to the GlobalProtect Settings dictionary in the /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist file. ```xml enable-fips-cc-mode yes ``` -------------------------------- ### Sign and Verify Split Tunnel Configuration Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/host-a-split-tunnel-configuration-file-on-a-web-server Commands to generate a SHA256 signature for the configuration file and verify it using a public key. ```bash openssl dgst -sha256 -sign private_key.pem -out config_signature.sha256 config.txt ``` ```bash openssl dgst -sha256 -verify public_key.pem -signature config_signature.sha256 config.txt ``` -------------------------------- ### Verify FIPS-CC mode via CLI Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-on-linux-endpoints-redhat Use the GlobalProtect CLI command to check the current version and FIPS-CC mode status. ```bash globalprotect show --version ``` -------------------------------- ### Default Gateway Setting Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options Sets a valid default gateway on the GlobalProtect virtual adapter in Full-Tunnel mode. ```APIDOC ## SET fake-default-gateway ### Description Allows you to set a valid default gateway on GlobalProtect virtual adapter when you configure GlobalProtect app in Full-Tunnel mode. ### Method N/A (Configuration Setting) ### Endpoint N/A ### Parameters #### Query Parameters - **fake-default-gateway** (boolean) - Optional - 'yes' or 'no' ### Request Example ```json { "FIXDEFAULTGATEWAY": "yes | no" } ``` ### Response #### Success Response (n/a) N/A #### Response Example N/A ``` -------------------------------- ### Enable FIPS-CC Mode for GlobalProtect via Registry Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode Configure the GlobalProtect settings in the Windows Registry to enable FIPS-CC mode. This setting cannot be disabled after enabling; uninstallation and reinstallation are required for non-FIPS mode. Ensure GlobalProtect is restarted afterward. ```powershell regedit HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\ enable-fips-cc-mode (String Value) = yes ``` -------------------------------- ### Translate Enter Key for SAML Source: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options Configures the behavior of the Enter key during SAML authentication in the embedded browser on Windows endpoints. ```APIDOC ## SET translate-enter-key ### Description Allows you to press the Enter key to log in to GlobalProtect from the embedded browser on Windows endpoints during SAML authentication. In some cases, enabling this setting will prevent the Enter key press from being accepted during sign on. If this occurs, change the setting to no. ### Method N/A (Configuration Setting) ### Endpoint N/A ### Parameters #### Path Parameters - **Windows Registry Path**: HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings #### Query Parameters - **translate-enter-key** (boolean) - Optional - 'yes' or 'no' ### Request Example ```json { "TRANSLATEENTERKEY": "yes | no" } ``` ### Response #### Success Response (n/a) N/A #### Response Example N/A ```