What Features Does GlobalProtect Support?

The following table lists the features supported on GlobalProtect by OS. An entry in the table indicates the first supported release of the feature on the OS. A – indicates the feature is not supported. For recommended minimum GlobalProtect app versions, see What OS Versions are Supported with GlobalProtect?
in the GlobalProtect Administrator’s Guide for your PAN-OS version.

Feature	Android	iOS	Chrome	Windows	Windows 10 UWP	Mac	Linux
`Authentication`
App Login Enhancements	4.0.0	4.0.0	–	4.0.0	–	4.0.0	–
Multi-Factor Authentication Policy	–	–	–	4.0.0	–	4.0.0	–
SAML Authentication	4.0.0	4.0.0 ( On-Demand connect method only)	4.1.0	4.0.0	–	4.0.0	–
Expired Active Directory Password Change for Remote Users	4.1.0	4.1.0 (notifications only) 5.0.0 (full support)	4.1.0	4.1.0	4.1.0	4.1.0	–
Active Directory Password Change Using the GlobalProtect Credential Provider	–	–	–	4.1.0	–	–	–
Mixed Authentication Method Support or Certificates or User Credentials	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Pre-Logon Followed by Two-Factor Authentication	–	–	–	4.1.0	–	4.1.0	–
Pre-Logon Followed by SAML Authentication	–	–	–	4.1.0	–	4.1.0	–
`Single Sign-On (SSO)`
SSO (Credential Provider)	–	–	–	1.2.0	–	–	–
Kerberos SSO	–	–	–	3.0.0	–	4.1.0	–
`VPN Connections`
IPSec	1.3.0	1.3.0	3.1.1	1.0.0	–	1.0.0	4.1.0
SSL	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1.0
Clientless VPN	– (no client required)	– (no client required)	– (no client required)	– (no client required)	– (no client required)	– (no client required)	– (no client required)
`Connect Methods`
User-logon (always on)	1.3.0	1.3.0	5.0.0 (through extended support for the GlobalProtect app for Android)	1.0.0	3.1.3 (Always On configured from third-party MDM)	1.0.0	4.1.0
Pre-logon (always-on)	–	–	–	1.1.0	–	1.1.0	–
Pre-logon (then on-demand)	–	–	–	3.1.0	–	3.1.0	–
On-demand	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1.0
`Connection Priority`
External Gateway Priority by Source Region	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Internal Gateway Selection by Source IP Address	4.0.0 (Except DHCP options)	4.0.0 (Except DHCP options)	–	4.0.0	–	4.0.0	4.1.0
`Modes`
Internal mode	1.3.0	1.3.0	–	1.0.0	–	1.0.0	4.1
External mode	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1
`Networking`
IPv4 Addressing	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1
IPv6 Addressing	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1
Split Tunnel to Exclude by Access Route	–	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1
Optimized Split Tunneling for GlobalProtect	–	–	–	4.1.0	–	4.1.0	–
`Customization`
User-Initiated Pre-Logon Connection	-	-	-	5.0.3	-	-	-
Support for Preferred Gateways	5.0.3	5.0.7	-	5.0.3	-	5.0.3	-
GlobalProtect Gateway Location Configuration	5.0.0	5.0.0	-	5.0.0	-	5.0.0	-
Automatic Launching of Web Browser in Captive Portal Environment	-	-	-	4.1.0	-	4.1.0	-
GlobalProtect Tunnel Preservation On User Logout	-	-	-	4.1.0	-	-	-
Endpoint Tunnel Configurations Based on Source Region or IP Address	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
HIP Report Redistribution	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
DNS Configuration Assignment Based on Users or User Groups	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Tunnel Restoration and Authentication Cookie Usage Restrictions	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Concurrent Support for IPv4 and IPv6 DNS Servers	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Support for IPv6-Only GlobalProtect Deployments	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
FIPS-CC Mode for GlobalProtect	–	–	–	5.0.0	–	5.0.0	–
MDM Integration for HIP-Based Policy Enforcement	5.0.0	5.0.0	–	–	–	–	–
Captive Portal Notification Delay	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Tunnel Connections Over Proxies	–	–	–	4.1.7	–	4.1.7	–
GlobalProtect Credentials Provier Pre-Logon Connection Status	–	–	–	4.1.0	–	–	–
Static IP Address Assignment	–	–	–	4.1.0	–	–	–
Multiple Portal Support	–	–	–	4.1.0	–	4.1.0	–
Customizable Username and Password Labels	4.1.0	4.1.0	–	4.1.0	4.1.0	4.1.0	4.1.0
Gateway-Level IP Pools	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Resilient VPN	4.0.3	4.0.3	–	4.0.3	–	4.0.3	–
Pre-logon tunnel rename timeout	–	–	–	4.0.2	–	–	–
Restrict Transparent Agent Upgrades to Internal Network Connections	–	–	–	4.0.0	–	4.0.0	–
Enforce GlobalProtect for Network Access	–	–	–	3.1.0	3.1.3 (VPN Lockdown configured from third-party MDM)	3.1.0	–
Certificate selection by OID	–	–	–	3.0.0	–	3.0.0	–
Deployment of SSL Forward Proxy CA certificates in the trust store	–	–	–	3.0.0	–	3.0.0	–
HIP reports	1.3.0	1.3.0	3.0.0	1.0.0	3.1.3 (Host information only; Notifications not supported)	1.0.0	4.1.0 (Host information only)
Run scripts before and after sessions	–	–	–	2.3.0	–	2.3.0	–
Allow users to disable GlobalProtect	–	–	–	2.2.0	–	2.2.0	4.1.0
Welcome and help pages	1.3.0	1.3.0	3.0.0	1.0.0	–	1.0.0	–
`Other`
Support for 100 Manual Gateways	5.0.3	5.0.7	-	5.0.3	-	5.0.3	5.0.3
User Location Visibility on GlobalProtect Gateways and Portals	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Gateway and Portal Location Visibility for End Users	5.0.0	5.0.0	–	5.0.0	–	5.0.0	–
Primary Username Visiblity on GlobalProtect Gateways	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Automatic VPN Reconnect for Chromebooks	–	–	4.1.0	–	–	–	–

Document:Palo Alto Networks® Compatibility Matrix

What Features Does GlobalProtect Support?

What Features Does GlobalProtect Support?

Related Documentation