GlobalProtect
End User Experience
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
9.1 (EoL)
- 10.1 & Later
- 9.1 (EoL)
-
-
-
- Deploy App Settings in the Windows Registry
- Deploy App Settings from Msiexec
- Deploy Scripts Using the Windows Registry
- Deploy Scripts Using Msiexec
- SSO Wrapping for Third-Party Credential Providers on Windows Endpoints
- Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
- Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
-
- Mobile Device Management Overview
- Set Up the MDM Integration With GlobalProtect
- Qualified MDM Vendors
-
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
- Always On VPN Configuration
- Remote Access VPN with Pre-Logon
- GlobalProtect Multiple Gateway Configuration
- GlobalProtect for Internal HIP Checking and User-Based Access
- Mixed Internal and External Gateway Configuration
- Captive Portal and Enforce GlobalProtect for Network Access
-
-
- End User Experience
- Management and Logging in Panorama
-
- View a Graphical Display of GlobalProtect User Activity in PAN-OS
- View All GlobalProtect Logs on a Dedicated Page in PAN-OS
- Event Descriptions for the GlobalProtect Logs in PAN-OS
- Filter GlobalProtect Logs for Gateway Latency in PAN-OS
- Restrict Access to GlobalProtect Logs in PAN-OS
- Forward GlobalProtect Logs to an External Service in PAN-OS
- Configure Custom Reports for GlobalProtect in PAN-OS
- Monitoring and High Availability
-
- About GlobalProtect Cipher Selection
- Cipher Exchange Between the GlobalProtect App and Gateway
-
- Reference: GlobalProtect App Cryptographic Functions
-
- Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 7 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks
- Ciphers Used to Set Up IPsec Tunnels
- SSL APIs
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
-
- Download and Install the GlobalProtect App for Windows
- Use Connect Before Logon
- Use Single Sign-On for Smart Card Authentication
- Use the GlobalProtect App for Windows
- Report an Issue From the GlobalProtect App for Windows
- Disconnect the GlobalProtect App for Windows
- Uninstall the GlobalProtect App for Windows
- Fix a Microsoft Installer Conflict
-
- Download and Install the GlobalProtect App for macOS
- Use the GlobalProtect App for macOS
- Report an Issue From the GlobalProtect App for macOS
- Disconnect the GlobalProtect App for macOS
- Uninstall the GlobalProtect App for macOS
- Remove the GlobalProtect Enforcer Kernel Extension
- Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication
-
6.1
- 6.1
- 6.0
- 5.1
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
End-of-Life (EoL)
End User Experience
End users who are remote (outside the corporate network)
connect to one of the gateways in AWS or Azure. When you configure
the GlobalProtect portal client configuration, assign equal priority
to the gateways. With this configuration, the gateway to which users
connect depends on the SSL response time of each gateway measured
on the endpoint during tunnel setup.
For example, a user in Australia would typically connect to the
AWS-Sydney gateway. After the user is connected to AWS-Sydney, the
GlobalProtect app tunnels all traffic from the endpoint to the AWS-Sydney
firewall for inspection. GlobalProtect sends traffic to public internet
sites directly via the AWS-Sydney gateway and tunnels traffic to
corporate resources through a site-to-site tunnel between the AWS-Sydney
gateway and the Santa Clara gateway, and then through an IPsec site-to-site
tunnel to the corporate headquarters. This architecture is designed
to reduce any latency the user may experience when accessing the internet.
If the AWS-Sydney gateway (or any gateway closer to Sydney) was
unreachable, the GlobalProtect app would back-haul the internet
traffic to the firewall in the corporate headquarters and cause
latency issues.
Active Directory servers reside inside the corporate network.
When remote users authenticate, the GlobalProtect app sends authentication
requests through the site-to-site tunnel in AWS/Azure to the Santa
Clara gateway. The gateway then forwards the request through an
IPsec site-to-site tunnel to the Active Directory Server in corporate
headquarters.
To reduce the time it takes for remote user
authentication and tunnel setup, consider replicating the Active
Directory Server and making it available in AWS.
End users inside the corporate network authenticate to the three
internal gateways immediately after they log in. The GlobalProtect
app sends the HIP report to these internal gateways. Users that
are inside the office on the corporate network must meet the User-ID
and HIP requirements to access any resource at work.