What Features Does GlobalProtect Cloud Service Support?

The following tables list the supported features and supported IPSec parameters of GlobalProtect cloud service.
For a description of the features that are supported in GlobalProtect, see What Features Does GlobalProtect Support?

GlobalProtect Cloud Service Feature Support

The following table lists the supported features for GlobalProtect cloud service. A check mark indicates that the feature is supported; a dash (—) indicates that the feature is not supported.
Feature | Support
Authentication
✓
✓
✓ Supported for both IPSec and Remote Access.
Single Sign-On (SSO)
SSO (Credential Provider) | ✓
✓ Kerberos is supported for Windows clients only.
Security Features
✓ This feature is introduced in version 1.3 with the following Logging Service-based limitations:
  • SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage): the Include user group information in the report option is not available.
  • Custom Report (Monitor > Manage Custom Reports): Detailed Logs (Slower) is not available in the Database area.
  • Scheduled and pre-defined reports are not supported.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
Management Features
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
Mobile Features
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
Content Inspection Features
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Routing Features
Static Routing | ✓
Dynamic Routing (BGP) | ✓
Dynamic Routing (OSPF)
VPN Connections
IPSec tunnels | ✓ See the IPSec Tunnel Configuration Parameters table in this topic for a list of the supported IPSec tunnel parameters.
SSL | ✓ SSL is supported only for Remote Access, not for site-to-site VPNs.
✓ This feature is introduced in version 1.3.1.
Hybrid Deployments
Hybrid Deployments | ✓ Using on-premise gateways with GlobalProtect cloud service gateways is supported.
GlobalProtect cloud service gateway priority | ✓ Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in GlobalProtect cloud service. You can also specify source regions for on-premise gateways.
Manual gateway selection | ✓ Users can manually select a cloud gateway from their client machines using the GlobalProtect app.
GlobalProtect Gateway Modes
External mode | ✓ The gateways in GlobalProtect cloud service function as external gateways, allow you to add additional gateways, and can work with both internal and external on-premise gateways.
Internal mode | You cannot configure GlobalProtect cloud service gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways.
GlobalProtect App Connect Methods
User-logon (always on) | ✓
Pre-logon (always-on) | ✓
Pre-logon (then on-demand) | ✓
On-demand | ✓
Security Profiles
Security Profile configuration | ✓ Administrators can push security profiles to GlobalProtect cloud service.
Networking
IPv4 addressing | ✓
IPv6 addressing
Split tunnel based on access route | ✓
Split tunnel based on destination domain, client process, and video streaming application | ✓ This feature is introduced in version 1.3.
NetFlow
QoS | ✓ This feature is introduced in version 1.3. GlobalProtect cloud service uses the same security policies and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as next-generation Palo Alto Networks firewalls.
Internet requests initiated from an outside network to GlobalProtect cloud service (inbound internet) | Traffic from the internet is allowed as long as the connection originated from the GlobalProtect cloud service-protected network.
NAT | ✓ GlobalProtect cloud service automatically manages outbound NAT; you cannot configure the settings.
SSL VPN connections | ✓
Policies
Policy-Based Forwarding
DoS Protection | ✓ The GlobalProtect cloud service infrastructure manages DoS protection.
MDM | ✓
Virtual Routers | ✓ This feature is introduced in version 1.3.
HIP reports
HIP | ✓
HIP match log | ✓
HIP-based security policy | ✓
HIP notification | ✓
HIP report submission | ✓
✓
HIP Objects and Profiles | ✓
HIP report viewing from Panorama
Tunnel Monitoring
Dead Peer Detection (DPD) | ✓
ICMP | ✓
Bidirectional Forwarding Detection (BFD)
Apps
Application Support | ✓ Any applications that are supported by VM-series firewalls are supported by GlobalProtect cloud service.
Log Forwarding Application | ✓
High Availability
High Availability | ✓
Logging
Log Settings | ✓
Monitoring
SNMP | Use Tunnel Monitoring instead of SNMP to monitor the tunnels in GlobalProtect cloud service.

IPSec Tunnel Configuration Parameters

The following table describes the supported IPSec tunnel configuration parameters in GlobalProtect cloud service. A check mark indicates that the parameter is supported; a dash (—) indicates that the parameter is not supported.
Feature | Support
IPSec Tunnel | ✓
GRE Tunnel
IKE Versions
IKE v1 | ✓
IKE v2 | ✓
IPSec Phase 1 DH-Group
Group 1 | ✓
Group 2 | ✓ (Default)
Group 5 | ✓
Group 14 | ✓
Group 19 | ✓
Group 20 | ✓
IPSec Phase 1 Auth
MD5 | ✓
SHA1 | ✓ (Default)
SHA256 | ✓
SHA384 | ✓
SHA512 | ✓
IPSec Phase 1 Encryption
DES | ✓
3DES | ✓ (Default)
AES-128-CBC | ✓ (Default)
AES-192-CBC | ✓
AES-256-CBC | ✓
IPSec Phase 1 Key Lifetime Default
IPSec Phase 1 Key Lifetime Default | ✓ (8 Hours)
IPSec Phase 1 Peer Authentication
Pre-Shared Key | ✓
Certificate | ✓
IKE Peer Identification
FQDN | ✓
IP Address | ✓
User FQDN | ✓
IKE Peer
As Static Peer | ✓
As Dynamic Peer | ✓
Options
NAT Traversal | ✓
Passive Mode | ✓
Ability to Negotiate Tunnel
Per Subnet Pair | ✓
Per Pair of Hosts | ✓
Per Gateway Pair | ✓
IPSec Phase 2 DH-Group
Group 1 | ✓
Group 2 | ✓ (Default)
Group 5 | ✓
Group 14 | ✓
Group 19 | ✓
Group 20 | ✓
No PFS | ✓
IPSec Phase 2 Auth
MD5 | ✓
SHA1 | ✓ (Default)
SHA256 | ✓
SHA384 | ✓
SHA512 | ✓
None | ✓
IPSec Phase 2 Encryption
DES | ✓
3DES | ✓ (Default)
AES-128-CBC | ✓ (Default)
AES-192-CBC | ✓
AES-256-CBC | ✓
AES-128-CCM | ✓
AES-128-GCM | ✓
AES-256-GCM | ✓
NULL | ✓
IPSec Protocol
ESP | ✓
AH | ✓
IPSec Phase 2 Key Lifetime Default
IPSec Phase 2 Key Lifetime Default | ✓ (1 Hour)
