What Features Does GlobalProtect Support?
Focus
Focus
Compatibility Matrix

What Features Does GlobalProtect Support?

Table of Contents

What Features Does GlobalProtect Support?

Review the features that GlobalProtect™ supports based on the platform operating system (OS).
The following table lists the features supported on GlobalProtect™ by operating system (OS). An entry in the table indicates the first supported release of the feature on the OS (however, you should review the End-of-Life Summary to ensure you are using a supported release). A dash (“—”) indicates that the feature is not supported. For recommended minimum GlobalProtect app versions, see Where Can I Install the GlobalProtect App?.
For Chromebook and other Chrome OS devices, use Android App 5.0 or a later version to get GlobalProtect app features introduced in GlobalProtect app 5.0 and later releases. (Refer also to the end-of-life (EoL) information for the GlobalProtect app.)
Feature
Android
iOS
Chrome
Windows
Windows 10 UWP
Windows 365 Cloud PC
macOS
Linux
Authentication
Multi-Factor Authentication Policy
4.0.0
4.0.0
Improvements for Multi Authentication CIE Experience6.3.1
SAML Authentication
4.0.0
4.0.0 (On-Demand connect method only)
4.1.0
4.0.0
6.2.5
4.0.0
5.1
(GUI-based GlobalProtect app)
SAML Authentication with Cloud Authentication Service
Note: Requires use of Default System Browser
6.0.0
6.0.0
(On Demand connect method only)
6.0.0
6.0.0
6.2.5
6.0.0
6.0.0
Default System Browser for SAML Authentication
5.2.0
5.2.0
5.2.0
5.2.0
6.2.5
5.2.0
5.2.0
Expired Active Directory Password Change for Remote Users
4.1.0
4.1.0
(notifications only)
5.0.0
(full support)
4.1.0
4.1.0
4.1.0
4.1.0
Active Directory Password Change Using the GlobalProtect Credential Provider
4.1.0
Mixed Authentication Method Support or Certificates or User Credentials
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
Pre-Logon Followed by Two-Factor Authentication
4.1.0
4.1.0
Pre-Logon Followed by SAML Authentication
4.1.0
4.1.0
Single Sign-On (SSO)
SSO (Credential Provider)
1.2.0
Kerberos SSO
3.0.0
4.1.0
SAML SSO
5.1.0
5.2.0
5.1.0
5.2.0
6.2.5
5.2.0
5.2.0
SSO (Smart Card Authentication)
6.0.0
Windows 10 or later
VPN Connections
IPSec
1.3.0
1.3.0
3.1.1
1.0.0
6.2.5
1.0.0
4.1.0
SSL
1.3.0
1.3.0
3.1.1
1.0.0
3.1.3
6.2.5
1.0.0
4.1.0
SSL Tunnel Enforcement
5.1.0
5.1.0
5.1.0
6.2.5
5.1.0
5.0.6 (CLI)
5.1.0 (web interface)
Clientless VPN
— (no client required)
— (no client required)
— (no client required)
— (no client required)
— (no client required)
— (no client required)
— (no client required)
Connect Methods
1.3.0
1.3.0
5.0.0
(through extended support for the GlobalProtect app for Android)
1.0.0
3.1.3
(Always On configured from third-party MDM)
6.2.5
1.0.0
4.1.0
1.1.0
1.1.0
Pre-logon (then on-demand)
3.1.0
3.1.0
1.3.0
1.3.0
3.1.1
1.0.0
3.1.3
6.2.5
1.0.0
4.1.0
5.2.0
Conditional Connect Method
6.2.0
6.2.0
6.2.0
Connection Priority
External Gateway Priority by Source Region
4.0.0
4.0.0
4.0.0
4.0.0
4.0.0
4.0.0
4.1.0
Internal Gateway Selection by Source IP Address
4.0.0
(Except DHCP options)
4.0.0
(Except DHCP options)
4.0.0
4.0.0
4.1.0
Modes
Internal mode
1.3.0
1.3.0
1.0.0
1.0.0
4.1
External mode
1.3.0
1.3.0
3.1.1
1.0.0
3.1.3
1.0.0
4.1
6.2.0
6.2.0
6.2.0
Networking
Intelligent Internal Host Detection
6.3.16.3.16.3.1
6.3.16.3.1
Traffic Enforcement
6.3.16.3.16.3.1
6.3.16.3.1
IPv4 Addressing
1.3.0
1.3.0
3.1.1
1.0.0
3.1.3
6.2.5
1.0.0
4.1
IPv6 Addressing
4.0.0
4.0.0
4.0.0
4.0.0
4.0.0
6.2.5
4.0.0
4.1
Split Tunnel to Exclude by Access Route
4.0.0
4.0.0
4.0.0
4.0.0
6.2.5
4.0.0
4.1
Optimized Split Tunneling for GlobalProtect
4.1.0
4.1.0
6.1.0
Domain-based split tunneling only; application-based split tunneling not supported
Enhanced Split Tunneling
6.2.0
6.2.0
6.2.5
6.2.0
Wildcard Support for Split Tunnel Settings Based on the Application
6.3.1
6.3.16.3.1
Split DNS for iOS
6.1.6
Split DNS
5.2.0
6.2.5
5.2.0
6.1.0
Per-App VPN
4.0.0
4.0.0
No Direct Access to Local Network
4.0.0
4.0.0
Endpoint Traffic Policy Enforcement6.0.0
Windows 10 or later
6.0.0
macOS 11 and later
Customization
Autonomous DEM Integration for User Experience Management
5.2.6
5.2.6
GlobalProtect App Log Collection for Troubleshooting
5.2.5
5.2.5
5.2.5
5.2.5
5.2.5
5.2.5
Configurable Maximum Transmission Unit for GlobalProtect Connections
5.2.4
5.2.4
5.2.4
5.2.4
5.2.4
5.2.4
5.2.4
Connect Before Logon
5.2.0
User-Initiated Pre-Logon Connection
-
-
-
5.0.3
-
-
-
Support for Preferred Gateways
5.0.3
5.0.7
-
5.0.3
-
5.0.3
-
GlobalProtect Gateway Location Configuration
5.0.0
5.0.0
-
5.0.0
-
5.0.0
-
Automatic Launching of Web Browser in Captive Portal Environment
-
-
-
4.1.0
-
4.1.0
-
GlobalProtect Tunnel Preservation On User Logout
-
-
-
4.1.0
-
-
-
Endpoint Tunnel Configurations Based on Source Region or IP Address
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
HIP Report Redistribution
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
DNS Configuration Assignment Based on Users or User Groups
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
Tunnel Restoration and Authentication Cookie Usage Restrictions
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
Concurrent Support for IPv4 and IPv6 DNS Servers
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
Support for IPv6-Only GlobalProtect Deployment
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
FIPS Validated on 5.1.4
CC Certified on 5.1.5
x86 platforms
FIPS-CC available on 6.0.7
FIPS Validated on 5.1.4
CC Certified on 5.1.5
x86 platforms
FIPS-CC available on 6.0.7
6.0.7
MDM Integration for HIP-Based Policy Enforcement
5.0.0
5.0.0
Captive Portal Notification Delay
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
Tunnel Connections Over Proxies
4.1.7
4.1.7
PAC deployment via GlobalProtect app
6.1.0
6.1.0
6.1.0
End-user Notification about GlobalProtect Session Logout
6.1.0
6.1.0
6.1.0
GlobalProtect Credentials Provier Pre-Logon Connection Status
4.1.0
Static IP Address Assignment
4.1.0
Multiple Portal Support
4.1.0
4.1.0
Customizable Username and Password Labels
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
Gateway-Level IP Pools
4.0.0
4.0.0
4.0.0
4.0.0
4.0.0
4.0.0
4.1.0
Resilient VPN
4.0.3
4.0.3
4.0.3
4.0.3
Pre-logon tunnel rename timeout
4.0.2
Restrict Transparent Agent Upgrades to Internal Network Connections
4.0.0
4.0.0
Enforce GlobalProtect for Network Access
3.1.0
3.1.3
(VPN Lockdown configured from third-party MDM)
6.2.5
3.1.0
Enforce GlobalProtect Exclusions
5.1.0
6.2.5
5.1.0
Enforce GlobalProtect Connections with FQDN Exclusions
5.2.0
6.2.5
5.2.0
Certificate selection by OID
3.0.0
3.0.0
Deployment of SSL Forward Proxy CA certificates in the trust store
3.0.0
6.2.5
3.0.0
HIP reports
1.3.0
1.3.0
3.0.0
1.0.0
3.1.3
(Host information only; Notifications not supported)
6.2.5
1.0.0
4.1.0
(Host information only)
Run scripts before and after sessions
2.3.0
2.3.0
Allow users to disable GlobalProtect
6.0
2.2.0
2.2.0
4.1.0
Welcome and help pages
1.3.0
1.3.0
3.0.0
1.0.0
1.0.0
6.2.0
6.2.0
6.2.0
6.2.0
6.2.0
6.2.0
Extend User Session for GlobalProtect Users
6.2.0
6.2.0
6.2.0
Other
Support for 100 Manual Gateways
5.0.3
5.0.7
-
5.0.3
-
5.0.3
5.0.3
GlobalProtect Portal and Gateway Support for TLSv1.3
6.0.8, 6.1.3,6.2.1, or later versions
6.0.8, 6.1.3,6.2.1, or later versions
6.0.8, 6.1.3,6.2.1, or later versions
6.0.8, 6.1.3,6.2.1, or later versions
(Minimum version of Windows 11 required)
6.0.8, 6.1.3,6.2.1, or later versions
6.0.8, 6.1.3,6.2.1, or later versions
6.0.8, 6.1.3,6.2.1, or later versions
(Ubuntu 20)
User Location Visibility on GlobalProtect Gateways and Portals
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
4.1.0
Gateway and Portal Location Visibility for End Users
5.0.0
5.0.0
5.0.0
5.0.0
Primary Username Visiblity on GlobalProtect Gateways
4.0.0
4.0.0
4.0.0
4.0.0
4.0.0
4.0.0
4.1.0
Automatic VPN Reconnect for Chromebooks
4.1.0
Support for Native Certificate Store for Prisma Access and GloabProtect App on Linux Endpoints
6.2.0 or later versions
Enhanced HIP Remediation Process
6.3.0 or later versions
6.3.0 or later versions
Enhancements for Authentication Using Smart Cards
6.3.0 or later versions
6.3.1 or later versions
Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts
6.3.0 or later versions
6.3.0 or later versions
Intelligent Portal6.3 (Pre-logon (Always On) connect method only)
6.3
Best Gateway Selection Criteria
6.3.1
6.3.1
CLI Support for SAML Authentication with Default Browser for GlobalProtect App on Linux Endpoints
6.2.1 or later versions
(Deprecates Device Block List)
5.1.0
5.1.0
5.1.0
5.1.0
5.1.0
5.1.0
5.1.0