Globalprotect VPN batch file or C# code
S

3

8

Hi, I am trying to connect to a VPN network using the GlobalProtect VPN client. I can do that using the UI, but I would like this to be automated. In another project where I was using SonicWall NetExtender, I created a batch file which I was calling from my C# code, so I would connect to a VPN by calling the batch file, do some operations and disconnect using another batch file. I am trying to find a similar way to achieve it using GlobalProtect. The command line arguments which I was using with NetExtender do not seem to work with PanGPA.exe. Any ideas how I could do that? I am not having any luck with the batch file so far. The NetExtender batch file is:

cd c:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\
NECLI connect -s 122.254.213.256 -d DNAME -u UNAME -p PASSWORD
Sparkle answered 4/1, 2016 at 16:16 Comment(2)
Did you try: cd "c:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\"? - Pantie
As I said, "I am trying to find a similar way to achieve it using Globalprotect". Netextender is not a problem. - Sparkle
S
5

There is no such automation possible with the GlobalProtect VPN client.

Sparkle answered 30/3, 2016 at 11:59 Comment(0)
D
4

Update: just use OpenConnect v8.00 or newer. GlobalProtect support has been incorporated into the "official" OpenConnect builds as of v8.00. So GP support will Just Work™ with a recent official build.

———

You cannot do this with the official GP client. However, I have recently extended the fantastic open-source VPN client OpenConnect to support the PAN GlobalProtect VPN, both in its SSL-VPN and IPsec/ESP modes. It acts just like a native client and you can run it from the command line in a fully automated manner.

This is a work in progress, but I've been using it for real work already and it works very well for me. Having other people test it would be awesome and I welcome your feedback!

You'll need to build the globalprotect branch from this repository: https://github.com/dlenski/openconnect

... and then run it like this to test it (you can omit the --certificate part if your VPN doesn't use a client certificate):

echo password | openconnect --user username --passwd-on-stdin \
              --protocol=gp [--certificate=my_cert_with_pk.pem] \
              gp-gateway-server.company.com --dump -vvv

(I have not yet tested this build under Windows, but the official OpenConnect builds are all Windows-compatible and there is nothing particularly special about this one.)

Dell answered 23/10, 2016 at 5:43 Comment(2)
How can I build this repo on Windows? - Upbuild
@kizilsu, I don't use Windows, especially not for software development. Eventually it should get incorporated into the Windows GUI (see github.com/openconnect/openconnect-gui/issues/158). - Dell
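
An added example, not part of the answer above or of the OpenConnect project: a POSIX shell wrapper around the command line shown in that answer that feeds `--passwd-on-stdin` from an owner-only file, so the password is not written into the calling script or the process arguments. The function names, the `OPENCONNECT` override variable and the path in the usage comment are assumptions made for this example.

```sh
#!/bin/sh
# Added example: run OpenConnect in GlobalProtect mode with the password
# supplied on stdin from an owner-only file instead of on the command line.

# Return 0 only if $1 is a regular file (not a symlink), owned by the
# current user, with permissions 0600 or 0400.
check_secret_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    if [ ! -O "$f" ]; then
        echo "refusing $f: not owned by the current user" >&2
        return 1
    fi
    # The first ten characters of 'ls -ld' are the type and permission bits.
    perms=$(ls -ld -- "$f" | cut -c1-10)
    case $perms in
        -rw-------|-r--------) return 0 ;;
        *) echo "refusing $f: permissions $perms, want -rw-------" >&2
           return 1 ;;
    esac
}

# gp_connect SERVER USER SECRET_FILE
# OPENCONNECT is a hypothetical override for the binary name (an assumption
# of this example); it defaults to "openconnect".
gp_connect() {
    server=$1
    user=$2
    secret=$3
    check_secret_file "$secret" || return 1
    # The password reaches openconnect only through stdin, so it does not
    # show up in the argument list that other local users can read.
    "${OPENCONNECT:-openconnect}" --protocol=gp --user "$user" \
        --passwd-on-stdin "$server" < "$secret"
}

# Usage (placeholder values):
#   gp_connect gp-gateway-server.company.com username "$HOME/.gp-password"
```
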
D
2

A somewhat "hacked" workaround by virtually clicking the "Connect" button solved the problem for me on Windows. This can be accomplished using NirSoft's "NirCmd" command-line tool (1) using the following command:

NIRCMD win child class "#32770" sendmsg id 1160 0xF5 0 0

Effectively, this sends a BM_CLICK window message to the button, where "#32770" is the class name of its dialog window, "1160" (decimal) is the ItemID of the "Connect" button and 0xF5, according to (2), is the numerical Win32 API constant for the BM_CLICK message. This simulates the normal user action as if s/he would click the button manually. Clicking the button again (manually or by calling the same command) results in a disconnect of the established connection.

In my case, there was only a single connection configured — different things might happen if there are multiple connections in the list as the user might have to make a decision on which one to use.

Be careful, as the class name and ItemID values might be different on another machine or version/build of the GlobalProtect agent. These values worked for me as I figured them out using the "WinExplorer" tool by NirSoft (3) by capturing the button control and looking up its details. At least, both the class name and ItemID seem to be persistent, which means that a program crash, termination or reboot do not result in any changes.

References:
(1) https://www.nirsoft.net/utils/nircmd.html
(2) http://www.jasinskionline.com/windowsapi/ref/b/bm_click.html
(3) https://www.nirsoft.net/utils/winexp.html

Devilfish answered 17/1, 2020 at 15:8 Comment(0)
