>
    Script Deployment Options
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Apps
    4. Deploy App Settings Transparently
    5. Customizable App Settings
    6. Script Deployment Options
    Download PDF
    GlobalProtect

    Script Deployment Options

    Table of Contents

    Script Deployment Options

    Use the Script Deployment Options to execute scripts before and after connection establishment, allowing customization through parameters such as command execution, context, timeout, file integrity, checksum, and error messages.
    The following table displays options that enable GlobalProtect to initiate scripts before and after establishing a connection and before disconnecting. Because these options are not available in the portal, you must define the values for the relevant key—either pre-vpn-connect, post-vpn-connect, or pre-vpn-disconnect—from the Windows registry or macOS plist. For detailed steps to deploy scripts, see Deploy Scripts Using the Windows Registry, Deploy Scripts Using Msiexec, or Deploy Scripts Using the macOS Plist.
    If you are allowing end users to establish the VPN connection to the corporate network before logging in to the Windows endpoint by using Connect Before Logon, you must run VPN connect scripts with the context admin value specified the Windows registry. You cannot specify the default context user value because there is no user prior to Windows logon.
    Table: Customizable Script Deployment Options
    Portal Agent Configuration
    Windows Registry/macOS Plist
    Msiexec Parameter
    Default
    Execute the script specified in the command setting (including any parameters passed to the script).
    Environmental variables are supported.
    Specify the full path in commands.
    command <parameter1> <parameter2> [...]
    Windows example:
    command %userprofile%\vpn_script.bat c: test_user
    macOS example:
    command $HOME/vpn_script.sh /Users/test_user test_user
    PREVPNCONNECTCOMMAND= ”<parameter1> <parameter2> [...]”
    POSTVPNCONNECTCOMMAND= ”<parameter1> <parameter2> [...]”
    PREVPNDISCONNECTCOMMAND= ”<parameter1> <parameter2> [...]”
    n/a
    (Optional) Specify the privileges under which the command(s) can run (default is user: if you do not specify the context, the command runs as the current active user).
    context admin | user
    PREVPNCONNECTCONTEXT= ”admin | user”
    POSTVPNCONNECTCONTEXT= ”admin | user”
    PREVPNDISCONNECTCONTEXT= ”admin | user”
    user
    (Optional) Specify the number of seconds the GlobalProtect app waits for the command to execute (range is 0-120). If the command does not complete before the timeout, the app proceeds to establish a connection or disconnect. A value of 0 (the default) means the app does not wait to execute the command.
    Not supported for post-vpn-connect.
    timeout <value>
    Example:
    timeout 60
    PREVPNCONNECTTIMEOUT= ”<value>
    PREVPNDISCONNECTTIMEOUT= ”<value>
    0
    (Optional) Specify the full path of a file used in a command. The GlobalProtect app verifies the integrity of the file by checking it against the value specified in the checksum key.
    Environmental variables are supported.
    file <path_file>
    PREVPNCONNECTFILE= ”<path_file>
    POSTVPNCONNECTFILE= ”<path_file>
    PREVPNDISCONNECTFILE= ”<path_file>
    n/a
    (Optional) Specify the sha256 checksum of the file referred to in the file key. If the checksum is specified, the GlobalProtect app executes the command(s) only if the checksum generated by the GlobalProtect app matches the checksum value specified here.
    checksum <value>
    PREVPNCONNECTCHECKSUM= ”<value>
    POSTVPNCONNECTCHECKSUM= ”<value>
    PREVPNDISCONNECTCHECKSUM =”<value>
    n/a
    (Optional) Specify an error message to inform the user that either the command(s) cannot be executed or the command(s) exited with a non-zero return code.
    The message must be 1,024 or fewer ANSI characters.
    error-msg <message>
    Example:
    error-msg Failed executing pre-vpn-connect action!
    PREVPNCONNECTERRORMSG= ”<message>
    POSTVPNCONNECTERRORMSG= ”<message>
    PREVPNDISCONNECTERRORMSG =”<message>
    n/a

    © 2024 Palo Alto Networks, Inc. All rights reserved.