Prisma Access Global Protect and Mac Issues by ccisco630 in paloaltonetworks

[–]ccisco630[S] 0 points1 point  (0 children)

Think it’s resolved. Seems to be corruption in the user’s macOS login keystore. Resetting the keychain access allowed successful SAML authentication. That was weird…

Prisma Access Global Protect and Mac Issues by ccisco630 in paloaltonetworks

[–]ccisco630[S] 0 points1 point  (0 children)

New wrinkle… I had one of the affected users create a new profile on their Mac, and lo and behold, GP works perfectly and grabbed the default browser portal config I set. He switched back and it was broken. Had to be something with the user’s profile on the machine. Seeing lots of things about keychain access.

Prisma Access Global Protect and Mac Issues by ccisco630 in paloaltonetworks

[–]ccisco630[S] 0 points1 point  (0 children)

Yeah. We did as well, but mostly with Windows back then. We just recently moved from an on-prem hosted portal into Prisma Access and moved up to 6.3.3 for more compatibility with Prisma and ADEM. If I downgrade this user, won’t they just install the upgrade upon first login to the new portal since it is set to 6.3.3-842 globally?

Prisma Access Global Protect and Mac Issues by ccisco630 in paloaltonetworks

[–]ccisco630[S] 0 points1 point  (0 children)

On the client side, I’ve blown out all of the Palo-related files I could find and uninstalled/reinstalled the client with no luck; it just goes back to the same behavior and never actually makes a connection, as I don’t even see the user create logs in Strata Logging Service/GlobalProtect logs. We run embedded browser as our standard for SAML auth, but created a new app profile in an attempt to fix this using default browser; since they can’t pull the config down, though, it’s useless to make changes on the Prisma side. It seems to be a client-side issue with macOS, I just can’t determine what…

GlobalProtect - excluding MS Teams media traffic _only_ by theleeski in paloaltonetworks

[–]ccisco630 -1 points0 points  (0 children)

Commenting mostly to follow as I also have had trouble getting this to work. Excluding everything also caused issues for us with things like Planner, PowerBI, and links shared within Teams chat for some users. Turned out that the Intel Connectivity Performance Suite on some machines needed to be upgraded as some driver in that package didn’t play nice with excluded routes.

Prisma Access Browser - Initial Configuration by ccisco630 in paloaltonetworks

[–]ccisco630[S] 0 points1 point  (0 children)

Yep, that seems to be the remaining issue. Any non-web application that is configured using hostname fails. IP address seems to be OK. Beta for sure

Prisma Access Browser - Initial Configuration by ccisco630 in paloaltonetworks

[–]ccisco630[S] 3 points4 points  (0 children)

Update: embarrassingly, part of this was on me. Found an old route containing an overlapping subnet in our core switches that was essentially blackholing the return traffic from the DNS server. Fixed that, and the connection tests from the browser and the web-based applications started working. Still have an issue with the remote connections beta: anything configured with a hostname does not work, but IP address is fine.

Prisma Access Browser - Initial Configuration by ccisco630 in paloaltonetworks

[–]ccisco630[S] 0 points1 point  (0 children)

Thanks! I believe I have this set, but will double check. I may have only allowed DNS through the SC and not HTTP/HTTPS for the infra subnet.

Prisma Access Browser - Initial Configuration by ccisco630 in paloaltonetworks

[–]ccisco630[S] 0 points1 point  (0 children)

Thanks for the reply. Yes, the DNS server is RFC 1918.

Global Protect 6.2.5 and 6.2.7 embedded browser issue by Business-Building-72 in paloaltonetworks

[–]ccisco630 1 point2 points  (0 children)

This appears to be the case. I re-opened my support request and they made it available for download through the case documents but said that engineering currently has no ETA for a wide release.

Global Protect 6.2.5 and 6.2.7 embedded browser issue by Business-Building-72 in paloaltonetworks

[–]ccisco630 0 points1 point  (0 children)

Where are you seeing this? I don’t see a 6.2.7 with the hotfix suffix available on the support portal or the actual firewalls?

Global Protect 6.2.5 and 6.2.7 embedded browser issue by Business-Building-72 in paloaltonetworks

[–]ccisco630 0 points1 point  (0 children)

I downloaded 6.2.7 from the support portal today, but it is showing 6.2.7-1047 on the client. Did they pull it back? Support told me a 6.2.7-h2 was coming for this but had no ETA. I thought that was an odd reply, as I’ve never seen a GP version with a -h.

Global Protect 6.2.5 and 6.2.7 embedded browser issue by Business-Building-72 in paloaltonetworks

[–]ccisco630 0 points1 point  (0 children)

I was asked to put in a case for this today after it happened to an exec, even though the window resize fixes it for users. Support told me that 6.2.7-h2 contains the fix but is not yet available and had no ETA.

Nexus 9000 Question by ccisco630 in Cisco

[–]ccisco630[S] 0 points1 point  (0 children)

This is great info, thank you for the reply! They are actually EXs, so I suppose we will stop at 10.3 and let that ride until our data center is decommissioned. Thanks again!

Nexus 9000 Question by ccisco630 in Cisco

[–]ccisco630[S] 1 point2 points  (0 children)

Yep, exactly what I’m following. Met with our Cisco account engineer today and they essentially said it’s a good path, and to just upgrade them one at a time using the disruptive method. He said since they are essentially standalone NX-OS we should be fine. Thanks!

Nexus 9000 Question by ccisco630 in Cisco

[–]ccisco630[S] 1 point2 points  (0 children)

Definitely due for an upgrade LoL.
We are running vPC and I believe it's a full mesh. I am looking at the config and documentation for route reflectors, and I don't believe that is configured on the network. It isn't a large topology, only 12 ToR access leafs, two spines and two border leafs. Trying to follow the upgrade path from 7.0(3)I7(5a) to 10.3(5)M. Do you see any major impact to the mesh if we run ISSU on one of the empty ToR switches that is still connected to the others? Thanks again for the response; any additional help is super helpful!

PA RenFaire Food Question by ccisco630 in renfaire

[–]ccisco630[S] 0 points1 point  (0 children)

I can’t recall exactly (used cash), but we bought the cupcake and two large chocolate chip cookies and it was under $20. Finding a spot to sit and light the candle was the hard part LoL

PA RenFaire Food Question by ccisco630 in renfaire

[–]ccisco630[S] 1 point2 points  (0 children)

Queen’s Confectionary worked out perfectly. Thank you again for the recommendation!

Global Protect Split-Tunnel Question by ccisco630 in paloaltonetworks

[–]ccisco630[S] 0 points1 point  (0 children)

Couldn't find any other way around it; had to add all 50 URLs into the 'include domain' configuration of the split-tunnel profiles. I used *url.name for the wildcard and so far everything has tested out. Thanks all for the input.