What Features Does GlobalProtect Support?

Review the features that GlobalProtect™ supports depending on operating system (OS).

The following table lists the features supported on GlobalProtect™ by operating system (OS). An entry in the table indicates the first supported release of the feature on the OS (however, you should review the End-of-Life Summary to ensure you are using a supported release). A dash (“—”) indicates that the feature is not supported. For recommended minimum GlobalProtect app versions, see Where Can I Download and Install the GlobalProtect App?.

For Chromebook and other Chrome OS devices, use Android App 5.0 or later version to get GlobalProtect app features introduced in GlobalProtect app 5.0 and later releases. (Refer also to the end-of-life (EoL) information for the GlobalProtect app.)

Feature	Android	iOS	Chrome	Windows	Windows 10 UWP	Mac	Linux
`Authentication`
App Login Enhancements	4.0.0	4.0.0	—	4.0.0	—	4.0.0	—
Multi-Factor Authentication Policy	—	—	—	4.0.0	—	4.0.0	—
SAML Authentication	4.0.0	4.0.0 ( On-Demand `connect method only`)	4.1.0	4.0.0	—	4.0.0	5.1 (`GUI-based GlobalProtect app`)
SAML Authentication with Cloud Authentication Service	6.0.0	6.0.0	6.0.0	6.0.0	—	6.0.0	6.0.0
Default System Browser for SAML Authentication	5.2.0	5.2.0	5.2.0	5.2.0	—	5.2.0	5.2.0
Expired Active Directory Password Change for Remote Users	4.1.0	4.1.0 (`notifications only`) 5.0.0 (`full support`)	4.1.0	4.1.0	4.1.0	4.1.0	—
Active Directory Password Change Using the GlobalProtect Credential Provider	—	—	—	4.1.0	—	—	—
Mixed Authentication Method Support or Certificates or User Credentials	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Pre-Logon Followed by Two-Factor Authentication	—	—	—	4.1.0	—	4.1.0	—
Pre-Logon Followed by SAML Authentication	—	—	—	4.1.0	—	4.1.0	—
`Single Sign-On (SSO)`
SSO (Credential Provider)	—	—	—	1.2.0	—	—	—
Kerberos SSO	—	—	—	3.0.0	—	4.1.0	—
SAML SSO	5.1.0	5.2.0	5.1.0	5.2.0	—	5.2.0	5.2.0
SSO (Smart Card Authentication)	—	—	—	6.0.0 Windows 10 or later	—	—	—
`VPN Connections`
IPSec	1.3.0	1.3.0	3.1.1	1.0.0	—	1.0.0	4.1.0
SSL	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1.0
SSL Tunnel Enforcement	5.1.0	5.1.0	—	5.1.0	—	5.1.0	5.0.6 (`CLI`) 5.1.0 (`web interface`)
Clientless VPN	— (no client required)	— (no client required)	— (no client required)	— (no client required)	— (no client required)	— (no client required)	— (no client required)
`Connect Methods`
User-logon (always on)	1.3.0	1.3.0	5.0.0 (`through extended support for the GlobalProtect app for Android`)	1.0.0	3.1.3 (`Always On configured from third-party MDM`)	1.0.0	4.1.0
Pre-logon (always-on)	—	—	—	1.1.0	—	1.1.0	—
Pre-logon (then on-demand)	—	—	—	3.1.0	—	3.1.0	—
On-demand	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1.0
`Connection Priority`
External Gateway Priority by Source Region	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Internal Gateway Selection by Source IP Address	4.0.0 (`Except DHCP options`)	4.0.0 (`Except DHCP options`)	—	4.0.0	—	4.0.0	4.1.0
`Modes`
Internal mode	1.3.0	1.3.0	—	1.0.0	—	1.0.0	4.1
External mode	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1
`Networking`
IPv4 Addressing	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1
IPv6 Addressing	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1
Split Tunnel to Exclude by Access Route	—	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1
Optimized Split Tunneling for GlobalProtect	—	—	—	4.1.0	—	4.1.0	—
Split DNS	—	—	—	5.2.0	—	5.2.0	—
Per-App VPN	4.0.0	4.0.0
No Direct Access to Local Network	—	—	—	4.0.0	—	4.0.0	6.0.0
Endpoint Traffic Policy Enforcement	—	—	—	6.0.0 Windows 10 or later	—	6.0.0 macOS 11 and later	—
`Customization`
Autonomous DEM Integration for User Experience Management	—	—	—	5.2.6	—	5.2.6	—
GlobalProtect App Log Collection for Troubleshooting	5.2.5	5.2.5	5.2.5	5.2.5	—	5.2.5	5.2.5
Configurable Maximum Transmission Unit for GlobalProtect Connections	5.2.4	5.2.4	5.2.4	5.2.4	5.2.4	5.2.4	5.2.4
Connect Before Logon	—	—	—	5.2.0	—	—	—
User-Initiated Pre-Logon Connection	-	-	-	5.0.3	-	-	-
Support for Preferred Gateways	5.0.3	5.0.7	-	5.0.3	-	5.0.3	-
GlobalProtect Gateway Location Configuration	5.0.0	5.0.0	-	5.0.0	-	5.0.0	-
Automatic Launching of Web Browser in Captive Portal Environment	-	-	-	4.1.0	-	4.1.0	-
GlobalProtect Tunnel Preservation On User Logout	-	-	-	4.1.0	-	-	-
Endpoint Tunnel Configurations Based on Source Region or IP Address	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
HIP Report Redistribution	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
DNS Configuration Assignment Based on Users or User Groups	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Tunnel Restoration and Authentication Cookie Usage Restrictions	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Concurrent Support for IPv4 and IPv6 DNS Servers	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Support for IPv6-Only GlobalProtect Deployments	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
FIPS-CC Mode for GlobalProtect	—	—	—	5.0.0	—	5.0.0	—
MDM Integration for HIP-Based Policy Enforcement	5.0.0	5.0.0	—	—	—	—	—
Captive Portal Notification Delay	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Tunnel Connections Over Proxies	—	—	—	4.1.7	—	4.1.7	—
GlobalProtect Credentials Provier Pre-Logon Connection Status	—	—	—	4.1.0	—	—	—
Static IP Address Assignment	—	—	—	4.1.0	—	—	—
Multiple Portal Support	—	—	—	4.1.0	—	4.1.0	—
Customizable Username and Password Labels	4.1.0	4.1.0	—	4.1.0	4.1.0	4.1.0	4.1.0
Gateway-Level IP Pools	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Resilient VPN	4.0.3	4.0.3	—	4.0.3	—	4.0.3	—
Pre-logon tunnel rename timeout	—	—	—	4.0.2	—	—	—
Restrict Transparent Agent Upgrades to Internal Network Connections	—	—	—	4.0.0	—	4.0.0	—
Enforce GlobalProtect for Network Access	—	—	—	3.1.0	3.1.3 (`VPN Lockdown configured from third-party MDM`)	3.1.0	—
Enforce GlobalProtect Exclusions	—	—	—	5.1.0	—	5.1.0	—
Enforce GlobalProtect Connections with FQDN Exclusions	—	—	—	5.2.0	—	5.2.0	—
Certificate selection by OID	—	—	—	3.0.0	—	3.0.0	—
Deployment of SSL Forward Proxy CA certificates in the trust store	—	—	—	3.0.0	—	3.0.0	—
HIP reports	1.3.0	1.3.0	3.0.0	1.0.0	3.1.3 (`Host information only; Notifications not supported`)	1.0.0	4.1.0 (`Host information only`)
Run scripts before and after sessions	—	—	—	2.3.0	—	2.3.0	—
Allow users to disable GlobalProtect	—	—	—	2.2.0	—	2.2.0	4.1.0
Welcome and help pages	1.3.0	1.3.0	3.0.0	1.0.0	—	1.0.0	—
`Other`
Support for 100 Manual Gateways	5.0.3	5.0.7	-	5.0.3	-	5.0.3	5.0.3
User Location Visibility on GlobalProtect Gateways and Portals	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Gateway and Portal Location Visibility for End Users	5.0.0	5.0.0	—	5.0.0	—	5.0.0	—
Primary Username Visiblity on GlobalProtect Gateways	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Automatic VPN Reconnect for Chromebooks	—	—	4.1.0	—	—	—	—
Identification and Quarantine of Compromised Devices (Deprecates Device Block List)	5.1.0	5.1.0	5.1.0	5.1.0	5.1.0	5.1.0	5.1.0

Document:Palo Alto Networks Compatibility Matrix

What Features Does GlobalProtect Support?

What Features Does GlobalProtect Support?

Recommended For You

Document:Palo Alto Networks Compatibility Matrix

What Features Does GlobalProtect Support?

What Features Does GlobalProtect Support?

Recommended For You

Recommended Videos