Looks like GlobalProtect got an interface overhaul in the new 6.0 agent.
Broke it not being able to log in with SAML default browser login and endpoint traffic enforcement enabled. Was a nice 30-second run, back to 5.2 and it’s fun
Well it sure looks pretty. Definitely moved into a more modern look. Let’s see how it functions
Looks nice. I’ll be waiting for quite a while before upgrading to it though
Is password change via RADIUS/AD a new feature?
This was good timing for me at least. I was working with a client to get one of his users’ Microsoft Surface machines with an ARM processor to connect to GP. He had been fighting it for a couple of days. I worked with him for a couple of hours trying to get the virtual adapter to install. Uninstalling, messing with the registry, etc.
While fighting with it I got the email about the 6.0.0 release. Downloaded the ARM version of that, installed, and connected immediately.
Well, how is it working? We have a proxy-LDAP server on our back-end for 2FA and I cannot afford for that to fail to function. I had issues with cookies enabled on 5.2.5, so those were disabled on the PA side for the users to be able to log in.
We don’t route all default traffic through the PA, only the specific site-to-site network routes.
Has anyone noticed any pitfalls in the routing tables getting pushed?
Does ADEM work without Prisma Access? If someone clicks to submit troubleshooting information, where does that go if you’re not using Prisma? Any way to see logs for ADEM synthetic testing outside of Prisma?
It keeps opening up the web browser to authenticate via SAML and then keeps it open. This would be an annoyance to our users. I too have to go back to 5.2
Is it possible to test GP 6.0 if I don’t want to download it to the firewall? I don’t want installed clients just upgrading or attempting to upgrade it. I just want to get the msi from somewhere and try it on one machine.
Does anyone know if you can jump from 5.2.3 to 6.0? Or does it need to be stair stepped?
What broke? Can you not set an exclusion for your IdP?
No, it was introduced in PAN-OS 8.1.
But WHHHHYYYYYY the ARM edition of Windows? I haven’t found any ARM processors that run Windows ready for prime-time. I installed Win10 ARM64 on an 8MB Pi4 and let me tell you my 5 o’clock shadow came about before I could even get decent functionality and apps installed. Running OS from a USB 3.1 disk, not SD.
You need to be using a Cortex Data Lake
Which OS?
Seems fine on macOS 12 for me so far.
Do you have SAML auth configured?
What is the value of Use Default Browser for SAML Authentication set to in the App config assigned to the user(s) with the issue?
You can download the installer from the Palo Alto Networks support portal.
You can jump straight. No stair stepping needed.
Yup - I do have FQDN Exceptions for GP Enforcer turned on with my IdP domains and it works great in 5.2. When turning on endpoint traffic enforcement in 6.0 (blocks incoming connections to the endpoint, new feature), it all falls apart
Windows Surface Pro X apparently. I had never heard of it but it appears to be a thing.
https://www.microsoft.com/en-us/d/surface-pro-x/8xtmb6c575md?activetab=pivot%3Aoverviewtab
EDIT: as for the performance; I was just observing a remote session and not in control so I can’t say the feel of it but it didn’t look particularly slow. It was just the app compatibility that was a PITA.