Compatibility Matrix
What Features Does GlobalProtect Support?
Table of Contents
Expand All
|
Collapse All
Compatibility Matrix
-
- CN-Series Firewalls
- MFA Vendor Support
-
- Cloud Identity Engine Cipher Suites
-
- PAN-OS 11.2 GlobalProtect Cipher Suites
- PAN-OS 11.2 IPSec Cipher Suites
- PAN-OS 11.2 IKE and Web Certificate Cipher Suites
- PAN-OS 11.2 Decryption Cipher Suites
- PAN-OS 11.2 Administrative Session Cipher Suites
- PAN-OS 11.2 HA1 SSH Cipher Suites
- PAN-OS 11.2 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.2 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 11.1 GlobalProtect Cipher Suites
- PAN-OS 11.1 IPSec Cipher Suites
- PAN-OS 11.1 IKE and Web Certificate Cipher Suites
- PAN-OS 11.1 Decryption Cipher Suites
- PAN-OS 11.1 Administrative Session Cipher Suites
- PAN-OS 11.1 HA1 SSH Cipher Suites
- PAN-OS 11.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 11.0 GlobalProtect Cipher Suites
- PAN-OS 11.0 IPSec Cipher Suites
- PAN-OS 11.0 IKE and Web Certificate Cipher Suites
- PAN-OS 11.0 Decryption Cipher Suites
- PAN-OS 11.0 Administrative Session Cipher Suites
- PAN-OS 11.0 HA1 SSH Cipher Suites
- PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.2 GlobalProtect Cipher Suites
- PAN-OS 10.2 IPSec Cipher Suites
- PAN-OS 10.2 IKE and Web Certificate Cipher Suites
- PAN-OS 10.2 Decryption Cipher Suites
- PAN-OS 10.2 Administrative Session Cipher Suites
- PAN-OS 10.2 HA1 SSH Cipher Suites
- PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.1 GlobalProtect Cipher Suites
- PAN-OS 10.1 IPSec Cipher Suites
- PAN-OS 10.1 IKE and Web Certificate Cipher Suites
- PAN-OS 10.1 Decryption Cipher Suites
- PAN-OS 10.1 Administrative Session Cipher Suites
- PAN-OS 10.1 HA1 SSH Cipher Suites
- PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 9.1 GlobalProtect Cipher Suites
- PAN-OS 9.1 IPSec Cipher Suites
- PAN-OS 9.1 IKE and Web Certificate Cipher Suites
- PAN-OS 9.1 Decryption Cipher Suites
- PAN-OS 9.1 Administrative Session Cipher Suites
- PAN-OS 9.1 HA1 SSH Cipher Suites
- PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
- Prisma Access
- Prisma SD-WAN
- Strata Cloud Manager and Panorama Feature Parity
- User-ID Agent
- Terminal Server (TS) Agent
- Strata Logging Service Software Compatibility
- Cortex XDR
- Endpoint Security Manager (ESM)
- IPv6 Support by Feature
- Mobile Network Infrastructure Feature Support
What Features Does GlobalProtect Support?
Review the features that GlobalProtect™ supports based on the platform operating system
(OS).
The following table lists the features supported on
GlobalProtect™ by operating system (OS). An entry in the table indicates
the first supported release of the feature on the OS (however, you
should review the End-of-Life Summary to
ensure you are using a supported release). A dash (“—”) indicates
that the feature is not supported. For recommended minimum GlobalProtect
app versions, see Where Can I Install the GlobalProtect App?.
For Chromebook and other Chrome OS devices, use Android App 5.0 or a later version to get
GlobalProtect app features introduced in GlobalProtect app 5.0 and later releases.
(Refer also to the end-of-life (EoL) information for the
GlobalProtect app.)
|
Feature
|
Android
|
iOS
|
Chrome
|
Windows
|
Windows 10 UWP
|
Windows 365 Cloud PC
|
macOS
|
Linux
|
|---|---|---|---|---|---|---|---|---|
|
Authentication
| ||||||||
| Cloud Identity Engine Authentication |
—
|
—
|
—
| 6.0.0 |
—
|
—
| 6.0.0 |
—
|
| Multi-Factor Authentication Policy |
—
|
—
|
—
|
4.0.0
|
—
|
—
|
4.0.0
|
—
|
| SAML Authentication |
4.0.0
|
4.0.0 (On-Demand
connect method only)
| 4.1.0 |
4.0.0
|
—
| 6.2.5 |
4.0.0
|
5.1
(GUI-based GlobalProtect app)
|
| SAML Authentication with Cloud
Authentication Service Note: Requires use of Default
System Browser |
6.0.0
|
6.0.0
(On Demand
connect method only)
|
6.0.0
|
6.0.0
|
—
| 6.2.5 |
6.0.0
|
6.0.0
|
| Default System Browser for SAML Authentication |
5.2.0
|
5.2.0
|
5.2.0
|
5.2.0
|
—
| 6.2.5 |
5.2.0
|
5.2.0
|
| Expired Active Directory Password Change for Remote Users |
4.1.0
|
4.1.0
(notifications only)
5.0.0
(full support)
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
—
|
| Active Directory Password Change Using the GlobalProtect Credential Provider |
—
|
—
|
—
|
4.1.0
|
—
|
—
|
—
|
—
|
| Mixed Authentication Method Support or Certificates or User Credentials |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| Pre-Logon Followed by Two-Factor Authentication |
—
|
—
|
—
|
4.1.0
|
—
|
—
|
4.1.0
|
—
|
| Pre-Logon Followed by SAML Authentication |
—
|
—
|
—
|
4.1.0
|
—
|
—
|
4.1.0
|
—
|
|
Single Sign-On (SSO)
| ||||||||
|
SSO (Credential Provider)
|
—
|
—
|
—
|
1.2.0
|
—
|
—
|
—
|
—
|
|
Kerberos SSO
|
—
|
—
|
—
|
3.0.0
|
—
|
—
| 4.1.0 |
—
|
|
SAML SSO
|
5.1.0
|
5.2.0
|
5.1.0
|
5.2.0
|
—
| 6.2.5 |
5.2.0
|
5.2.0
|
| SSO (Smart Card Authentication) |
—
|
—
|
—
|
6.0.0
Windows 10 or later
|
—
|
—
|
—
|
—
|
|
VPN Connections
| ||||||||
|
IPSec
|
1.3.0
|
1.3.0
|
3.1.1
|
1.0.0
| — | 6.2.5 |
1.0.0
|
4.1.0
|
|
SSL
|
1.3.0
|
1.3.0
|
3.1.1
|
1.0.0
|
3.1.3
| 6.2.5 |
1.0.0
|
4.1.0
|
| SSL Tunnel Enforcement |
5.1.0
|
5.1.0
|
—
|
5.1.0
|
—
| 6.2.5 |
5.1.0
|
5.0.6 (CLI)
5.1.0 (web interface)
|
| Clientless VPN |
— (no client required)
|
— (no client required)
|
— (no client required)
|
— (no client required)
|
— (no client required)
|
—
|
— (no client required)
|
— (no client required)
|
|
Connect Methods
| ||||||||
|
1.3.0
|
1.3.0
| 5.0.0 (through extended support for the
GlobalProtect app for Android) |
1.0.0
|
3.1.3
(Always On configured from third-party MDM)
| 6.2.5 |
1.0.0
|
4.1.0
| |
|
—
|
—
|
—
|
1.1.0
|
—
|
—
|
1.1.0
|
—
| |
| Pre-logon (then on-demand) |
—
|
—
|
—
|
3.1.0
|
—
|
—
|
3.1.0
|
—
|
|
1.3.0
|
1.3.0
|
3.1.1
|
1.0.0
|
3.1.3
| 6.2.5 |
1.0.0
|
4.1.0
| |
|
—
|
—
|
—
|
5.2.0
|
—
|
—
|
—
|
—
| |
| Conditional Connect Method |
—
|
—
|
—
|
6.2.0
|
6.2.0
|
—
|
6.2.0
|
—
|
|
Connection Priority
| ||||||||
| External Gateway Priority by Source Region |
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
|
—
|
4.0.0
|
4.1.0
|
| Internal Gateway Selection by Source IP Address |
4.0.0
(Except DHCP options)
|
4.0.0
(Except DHCP options)
|
—
|
4.0.0
|
—
|
—
|
4.0.0
|
4.1.0
|
|
Modes
| ||||||||
|
Internal mode
|
1.3.0
|
1.3.0
|
—
|
1.0.0
|
—
|
—
|
1.0.0
|
4.1
|
|
External mode
|
1.3.0
|
1.3.0
|
3.1.1
|
1.0.0
|
3.1.3
|
—
|
1.0.0
|
4.1
|
|
—
|
—
|
—
|
6.2.0
|
6.2.0
|
—
|
6.2.0
|
—
| |
|
Networking
| ||||||||
| Intelligent Internal Host Detection |
—
|
—
| 6.3.1 | 6.3.1 | 6.3.1 |
—
| 6.3.1 | 6.3.1 |
| Traffic Enforcement |
—
|
—
| 6.3.1 | 6.3.1 | 6.3.1 |
—
| 6.3.1 | 6.3.1 |
|
IPv4 Addressing
|
1.3.0
|
1.3.0
|
3.1.1
|
1.0.0
|
3.1.3
| 6.2.5 |
1.0.0
|
4.1
|
| IPv6 Addressing |
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
| 6.2.5 |
4.0.0
|
4.1
|
| Split Tunnel to Exclude by Access Route |
—
|
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
| 6.2.5 |
4.0.0
|
4.1
|
| Optimized Split Tunneling for GlobalProtect |
—
|
—
|
—
|
4.1.0
|
—
|
—
|
4.1.0
|
6.1.0
Domain-based split tunneling only; application-based split tunneling
not supported
|
| Enhanced Split Tunneling |
—
|
—
|
—
|
6.2.0
|
6.2.0
| 6.2.5 |
6.2.0
|
—
|
| Wildcard Support for Split Tunnel Settings Based on the Application |
—
|
—
|
—
| 6.3.1 |
—
| 6.3.1 | 6.3.1 |
—
|
| Split DNS for iOS |
—
|
6.1.6
|
—
|
—
|
—
|
—
|
—
|
—
|
| Split DNS |
—
|
—
|
—
|
5.2.0
|
—
|
6.2.5
|
5.2.0
|
6.1.0
|
| Per-App VPN |
4.0.0
|
4.0.0
|
—
| |||||
| No Direct Access to Local Network |
—
|
—
|
—
|
4.0.0
|
—
|
—
|
4.0.0
| |
| Endpoint Traffic Policy Enforcement | — | — | — | 6.0.0 Windows 10 or later | — |
6.2.6-c857 and later 6.2.x releases or 6.3.2 and later 6.3.x
releases
| 6.0.0 macOS 11 and later | — |
|
Customization
| ||||||||
| Autonomous DEM Integration for User Experience Management |
—
|
—
|
—
|
5.2.6
|
—
|
—
|
5.2.6
|
—
|
| GlobalProtect App Log Collection for Troubleshooting |
5.2.5
|
5.2.5
|
5.2.5
|
5.2.5
|
—
|
—
|
5.2.5
|
5.2.5
|
| Configurable Maximum Transmission Unit for GlobalProtect Connections |
5.2.4
|
5.2.4
|
5.2.4
|
5.2.4
|
5.2.4
|
—
|
5.2.4
|
5.2.4
|
| Connect Before Logon |
—
|
—
|
—
|
5.2.0
|
—
|
—
|
—
|
—
|
| User-Initiated Pre-Logon Connection |
-
|
-
|
-
|
5.0.3
|
-
|
—
|
-
|
-
|
| Support for Preferred Gateways |
5.0.3
|
5.0.7
|
-
|
5.0.3
|
-
|
—
|
5.0.3
|
-
|
| GlobalProtect Gateway Location Configuration |
5.0.0
|
5.0.0
|
-
|
5.0.0
|
-
|
—
|
5.0.0
|
-
|
| Automatic Launching of Web Browser in Captive Portal Environment |
-
|
-
|
-
|
4.1.0
|
-
|
—
|
4.1.0
|
-
|
| GlobalProtect Tunnel Preservation On User Logout |
-
|
-
|
-
|
4.1.0
|
-
|
—
|
-
|
-
|
| Endpoint Tunnel Configurations Based on Source Region or IP Address |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| HIP Report Redistribution |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| DNS Configuration Assignment Based on Users or User Groups |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| Tunnel Restoration and Authentication Cookie Usage Restrictions |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| Concurrent Support for IPv4 and IPv6 DNS Servers |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| Support for IPv6-Only GlobalProtect Deployment |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
|
—
|
—
|
—
|
FIPS Validated on 5.1.4
CC Certified on 5.1.5
x86 platforms
FIPS-CC available on 6.0.7
|
—
|
—
|
FIPS Validated on 5.1.4
CC Certified on 5.1.5
x86 platforms
FIPS-CC available on 6.0.7
|
6.0.7
| |
| MDM Integration for HIP-Based Policy Enforcement |
5.0.0
|
5.0.0
|
—
|
—
|
—
|
—
|
—
|
—
|
| Captive Portal Notification Delay |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| Tunnel Connections Over Proxies |
—
|
—
|
—
|
4.1.7
|
—
|
—
|
4.1.7
|
—
|
| PAC deployment via GlobalProtect app |
—
|
—
|
—
|
6.1.0
|
—
|
—
|
6.1.0
|
6.1.0
|
| End-user Notification about GlobalProtect Session Logout |
—
|
—
|
—
|
6.1.0
|
—
|
—
|
6.1.0
|
6.1.0
|
| GlobalProtect Credentials Provier Pre-Logon Connection Status |
—
|
—
|
—
|
4.1.0
|
—
|
—
|
—
|
—
|
| Static IP Address Assignment |
—
|
—
|
—
|
4.1.0
|
—
|
—
|
—
|
—
|
| Multiple Portal Support |
—
|
—
|
—
|
4.1.0
|
—
|
—
|
4.1.0
|
—
|
| Customizable Username and Password Labels |
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| Gateway-Level IP Pools |
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
|
—
|
4.0.0
|
4.1.0
|
| Resilient VPN |
4.0.3
|
4.0.3
|
—
|
4.0.3
|
—
|
—
|
4.0.3
|
—
|
|
Pre-logon tunnel rename timeout
|
—
|
—
|
—
|
4.0.2
|
—
|
—
|
—
|
—
|
| Restrict Transparent Agent Upgrades to Internal Network Connections |
—
|
—
|
—
|
4.0.0
|
—
|
—
|
4.0.0
|
—
|
| Enforce GlobalProtect for Network Access |
—
|
—
|
—
|
3.1.0
|
3.1.3
(VPN Lockdown configured from third-party MDM)
|
6.2.5
|
3.1.0
|
—
|
| Enforce GlobalProtect Exclusions |
—
|
—
|
—
|
5.1.0
|
—
|
6.2.5
|
5.1.0
|
—
|
| Enforce GlobalProtect Connections with FQDN Exclusions |
—
|
—
|
—
|
5.2.0
|
—
|
6.2.5
|
5.2.0
|
—
|
| Certificate selection by OID |
—
|
—
|
—
|
3.0.0
|
—
|
—
|
3.0.0
|
—
|
|
Deployment of SSL Forward Proxy CA certificates in the trust
store
|
—
|
—
|
—
|
3.0.0
|
—
| 6.2.5 |
3.0.0
|
—
|
|
HIP reports
|
1.3.0
|
1.3.0
|
3.0.0
|
1.0.0
|
3.1.3
(Host information only; Notifications not supported)
| 6.2.5 |
1.0.0
|
4.1.0
(Host information only)
|
|
Run scripts before and after sessions
|
—
|
—
|
—
|
2.3.0
|
—
|
—
|
2.3.0
|
—
|
|
Allow users to disable GlobalProtect
|
6.0
|
—
|
—
|
2.2.0
|
—
|
—
|
2.2.0
|
4.1.0
|
|
Welcome and help pages
|
1.3.0
|
1.3.0
|
3.0.0
|
1.0.0
|
—
|
—
|
1.0.0
|
—
|
|
—
|
—
|
—
|
6.2.0
|
6.2.0
|
—
|
6.2.0
|
—
| |
|
—
|
—
|
—
|
6.2.0
|
6.2.0
|
—
|
6.2.0
|
—
| |
|
Extend User Session for GlobalProtect Users
|
—
|
—
|
—
|
6.2.0
|
6.2.0
|
—
|
6.2.0
|
—
|
|
Other
| ||||||||
| Support for 100 Manual Gateways |
5.0.3
|
5.0.7
|
-
|
5.0.3
|
-
|
—
|
5.0.3
|
5.0.3
|
| GlobalProtect Portal and Gateway Support for TLSv1.3 |
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
(Minimum version of Windows 11 required)
|
6.0.8, 6.1.3,6.2.1, or later versions
|
—
|
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
(Ubuntu 20)
|
| User Location Visibility on GlobalProtect Gateways and Portals |
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
4.1.0
|
—
|
4.1.0
|
4.1.0
|
| Gateway and Portal Location Visibility for End Users |
5.0.0
|
5.0.0
|
—
|
5.0.0
|
—
|
—
|
5.0.0
|
—
|
| Primary Username Visiblity on GlobalProtect Gateways |
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
|
4.0.0
|
—
|
4.0.0
|
4.1.0
|
|
Automatic VPN Reconnect for Chromebooks
|
—
|
—
|
4.1.0
|
—
|
—
|
—
|
—
|
—
|
| Support for Native Certificate Store for Prisma Access and GloabProtect App on Linux Endpoints |
—
|
—
|
—
|
—
|
—
|
—
|
—
|
6.2.0 or later versions
|
| Enhanced HIP Remediation Process |
—
|
—
|
—
|
6.3.0 or later versions
|
—
|
—
|
6.3.0 or later versions
|
—
|
| Enhancements for Authentication Using Smart Cards |
—
|
—
|
—
|
6.3.0 or later versions
|
—
|
—
|
6.3.1 or later versions
|
—
|
| Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts |
—
|
—
|
—
|
6.3.0 or later versions
|
—
|
—
|
6.3.0 or later versions
|
—
|
| Intelligent Portal | 6.3 (Pre-logon (Always On) connect method only) |
—
| 6.3 | |||||
| Best Gateway Selection Criteria |
—
|
—
|
—
| 6.3.1 |
—
|
—
| 6.3.1 |
—
|
| CLI Support for SAML Authentication with Default Browser for GlobalProtect App on Linux Endpoints |
—
|
—
|
—
|
—
|
—
|
—
|
—
|
6.2.1 or later versions
|
|
(Deprecates Device Block List)
|
5.1.0
|
5.1.0
|
5.1.0
|
5.1.0
|
5.1.0
|
—
|
5.1.0
|
5.1.0
|