What Features Does GlobalProtect Support?
Table of Contents
Expand all | Collapse all
- CN-Series Firewalls
- MFA Vendor Support
-
- Cloud Identity Engine Cipher Suites
-
- PAN-OS 11.2 GlobalProtect Cipher Suites
- PAN-OS 11.2 IPSec Cipher Suites
- PAN-OS 11.2 IKE and Web Certificate Cipher Suites
- PAN-OS 11.2 Decryption Cipher Suites
- PAN-OS 11.2 Administrative Session Cipher Suites
- PAN-OS 11.2 HA1 SSH Cipher Suites
- PAN-OS 11.2 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.2 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 11.1 GlobalProtect Cipher Suites
- PAN-OS 11.1 IPSec Cipher Suites
- PAN-OS 11.1 IKE and Web Certificate Cipher Suites
- PAN-OS 11.1 Decryption Cipher Suites
- PAN-OS 11.1 Administrative Session Cipher Suites
- PAN-OS 11.1 HA1 SSH Cipher Suites
- PAN-OS 11.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 11.0 GlobalProtect Cipher Suites
- PAN-OS 11.0 IPSec Cipher Suites
- PAN-OS 11.0 IKE and Web Certificate Cipher Suites
- PAN-OS 11.0 Decryption Cipher Suites
- PAN-OS 11.0 Administrative Session Cipher Suites
- PAN-OS 11.0 HA1 SSH Cipher Suites
- PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.2 GlobalProtect Cipher Suites
- PAN-OS 10.2 IPSec Cipher Suites
- PAN-OS 10.2 IKE and Web Certificate Cipher Suites
- PAN-OS 10.2 Decryption Cipher Suites
- PAN-OS 10.2 Administrative Session Cipher Suites
- PAN-OS 10.2 HA1 SSH Cipher Suites
- PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.1 GlobalProtect Cipher Suites
- PAN-OS 10.1 IPSec Cipher Suites
- PAN-OS 10.1 IKE and Web Certificate Cipher Suites
- PAN-OS 10.1 Decryption Cipher Suites
- PAN-OS 10.1 Administrative Session Cipher Suites
- PAN-OS 10.1 HA1 SSH Cipher Suites
- PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 9.1 GlobalProtect Cipher Suites
- PAN-OS 9.1 IPSec Cipher Suites
- PAN-OS 9.1 IKE and Web Certificate Cipher Suites
- PAN-OS 9.1 Decryption Cipher Suites
- PAN-OS 9.1 Administrative Session Cipher Suites
- PAN-OS 9.1 HA1 SSH Cipher Suites
- PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
- Prisma Access
- Strata Cloud Manager and Panorama Feature Parity
- User-ID Agent
- Terminal Server (TS) Agent
- Strata Logging Service Software Compatibility
- Cortex XDR
- Endpoint Security Manager (ESM)
- IPv6 Support by Feature
- Mobile Network Infrastructure Feature Support
What Features Does GlobalProtect Support?
Review the features that GlobalProtect™ supports based on the platform operating system
(OS).
The following table lists the features supported on
GlobalProtect™ by operating system (OS). An entry in the table indicates
the first supported release of the feature on the OS (however, you
should review the End-of-Life Summary to
ensure you are using a supported release). A dash (“—”) indicates
that the feature is not supported. For recommended minimum GlobalProtect
app versions, see Where Can I Install the GlobalProtect App?.
For Chromebook and other Chrome OS devices, use Android App 5.0 or a later version to get
GlobalProtect app features introduced in GlobalProtect app 5.0 and later releases.
(Refer also to the end-of-life (EoL) information for the
GlobalProtect app.)
Feature | Android | iOS | Chrome | Windows | Windows 10 UWP | macOS | Linux |
|---|---|---|---|---|---|---|---|
Authentication | |||||||
| SAML Authentication | 4.0.0 | 4.0.0 (On-Demand connect method only) | 4.1.0 | 4.0.0 | — | 4.0.0 | 5.1 (GUI-based GlobalProtect app) |
| SAML Authentication with Cloud
Authentication Service Note: Requires use of Default System Browser | 6.0.0 | 6.0.0 (On Demand connect method only) | 6.0.0 | 6.0.0 | — | 6.0.0 | 6.0.0 |
| Expired Active Directory Password Change for Remote Users | 4.1.0 | 4.1.0 (notifications only) 5.0.0 (full support) | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | — |
| Mixed Authentication Method Support or Certificates or User Credentials | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 |
Single Sign-On (SSO) | |||||||
SSO (Credential Provider) | — | — | — | 1.2.0 | — | — | — |
SAML SSO | 5.1.0 | 5.2.0 | 5.1.0 | 5.2.0 | — | 5.2.0 | 5.2.0 |
VPN Connections | |||||||
IPSec | 1.3.0 | 1.3.0 | 3.1.1 | 1.0.0 | — | 1.0.0 | 4.1.0 |
SSL | 1.3.0 | 1.3.0 | 3.1.1 | 1.0.0 | 3.1.3 | 1.0.0 | 4.1.0 |
| Clientless VPN | — (no client required) | — (no client required) | — (no client required) | — (no client required) | — (no client required) | — (no client required) | — (no client required) |
Connect Methods | |||||||
1.3.0 | 1.3.0 | 5.0.0 (through extended support for the GlobalProtect app for
Android) | 1.0.0 | 3.1.3 (Always On configured from third-party MDM) | 1.0.0 | 4.1.0 | |
Connection Priority | |||||||
| Internal Gateway Selection by Source IP Address | 4.0.0 (Except DHCP options) | 4.0.0 (Except DHCP options) | — | 4.0.0 | — | 4.0.0 | 4.1.0 |
Modes | |||||||
Internal mode | 1.3.0 | 1.3.0 | — | 1.0.0 | — | 1.0.0 | 4.1 |
External mode | 1.3.0 | 1.3.0 | 3.1.1 | 1.0.0 | 3.1.3 | 1.0.0 | 4.1 |
Networking | |||||||
IPv4 Addressing | 1.3.0 | 1.3.0 | 3.1.1 | 1.0.0 | 3.1.3 | 1.0.0 | 4.1 |
| Optimized Split Tunneling for GlobalProtect | — | — | — | 4.1.0 | — | 4.1.0 | 6.1.0 Domain-based split tunneling
only; application-based split tunneling not supported |
| Per-App VPN | 4.0.0 | 4.0.0 | |||||
Customization | |||||||
| Configurable Maximum Transmission Unit for GlobalProtect Connections | 5.2.4 | 5.2.4 | 5.2.4 | 5.2.4 | 5.2.4 | 5.2.4 | 5.2.4 |
| Endpoint Tunnel Configurations Based on Source Region or IP Address | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 |
| Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 |
|
—
|
—
| — | FIPS Validated on 5.1.4 CC Certified on 5.1.5 x86 platforms
FIPS-CC available on 6.0.7 | — | FIPS Validated on 5.1.4 CC Certified on 5.1.5 x86 platforms
FIPS-CC available on 6.0.7 | 6.0.7 | |
Pre-logon tunnel rename timeout | — | — | — | 4.0.2 | — | — | — |
| Enforce GlobalProtect for Network Access | — | — | — | 3.1.0 | 3.1.3 (VPN Lockdown configured from third-party MDM) | 3.1.0 | — |
Deployment of SSL Forward Proxy CA certificates in
the trust store | — | — | — | 3.0.0 | — | 3.0.0 | — |
HIP reports | 1.3.0 | 1.3.0 | 3.0.0 | 1.0.0 | 3.1.3 (Host information only; Notifications
not supported) | 1.0.0 | 4.1.0 (Host information only) |
Run scripts before and after sessions | — | — | — | 2.3.0 | — | 2.3.0 | — |
Allow users to disable GlobalProtect | 6.0 | — | — | 2.2.0 | — | 2.2.0 | 4.1.0 |
Welcome and help pages | 1.3.0 | 1.3.0 | 3.0.0 | 1.0.0 | — | 1.0.0 | — |
|
Extend User Session for GlobalProtect Users
|
—
|
—
|
—
|
6.2.0
|
6.2.0
|
6.2.0
|
—
|
Other | |||||||
| GlobalProtect Portal and Gateway Support for TLSv1.3 |
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
(Minimum version of Windows 11 required)
|
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
|
6.0.8, 6.1.3,6.2.1, or later versions
(Ubuntu 20)
|
Automatic VPN Reconnect for Chromebooks | — | — | 4.1.0 | — | — | — | — |
| Support for Native Certificate Store for Prisma Access and GloabProtect App on Linux Endpoints |
—
|
—
|
—
|
—
|
—
|
—
|
6.2.0 or later versions
|
| Enhancements for Authentication Using Smart Cards |
—
|
—
|
—
|
6.3.0 or later versions
|
—
|
6.3.1 or later versions
|
—
|
| Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts |
—
|
—
|
—
|
6.3.0 or later versions
|
—
|
6.3.0 or later versions
|
—
|
| CLI Support for SAML Authentication with Default Browser for GlobalProtect App on Linux Endpoints |
—
|
—
|
—
|
—
|
—
|
—
|
6.2.1 or later versions
|
(Deprecates Device Block List) | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 |