Configure up to 40 domain name exclusions when Enforce GlobalProtect for Network Access
is enabled. Improve user experience by allowing access to specific resources when
GlobalProtect is disconnected.
Software Support: Starting with GlobalProtect™ app 5.2 with Content Release version
8284-6139 or later.
OS Support: Windows and macOS running macOS Catalina 10.15.4 or later
You can now configure exclusions for specific fully qualified domain names (FQDNs) when
the Enforce GlobalProtect for Network Access feature is enabled. The Allow traffic to
specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and
GlobalProtect Connection is not established option, available as an app setting in the
App Configurations area of your GlobalProtect portal, lets you specify up to 40 FQDNs
that remain reachable when you enforce GlobalProtect connections for network access and
GlobalProtect cannot establish a connection. Configuring FQDN exclusions improves the
user experience by allowing end users to access specific resources when GlobalProtect
is disconnected. For example, the endpoint can communicate with a cloud-hosted identity
provider (IdP) for authentication purposes or a remote device management server even
when the Enforce GlobalProtect for Network Access feature is enabled.
Due to a recent change in macOS, enforcing GlobalProtect connections with FQDN
exclusions does not work in certain situations when multiple network extensions are
loaded at the same time, such as in environments where DnsClient.Net, GlobalProtect
with the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for
Network Access is enabled and GlobalProtect Connection is not established option
enabled, and Cortex XDR are running.