Customizable App Settings
Deploy app settings such as App Display, User Behavior, App Behavior, and Script Deployment Options to endpoints through the Windows Registry, macOS plist, or Msiexec.
Where Can I Use This?
  • NGFW (managed by Panorama)
What Do I Need?
  • GlobalProtect Gateway license
In addition to pre-deploying the portal address, you can also define the app settings. To Deploy App Settings to Windows Endpoints you define keys in the Windows Registry (path HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\ unless otherwise stated). To Deploy App Settings to macOS Endpoints you define entries in the Settings dictionary of the macOS plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist). To Deploy App Settings to Linux Endpoints you define entries under <Settings> of the /opt/paloaltonetworks/globalprotect/pangps.xml pre-deployment configuration file. On Windows endpoints only, you can also use the Windows Installer to Deploy App Settings from Msiexec.
The following topics describe each customizable app setting. Settings defined in the GlobalProtect portal agent configuration take precedence over settings defined in the Windows Registry or the macOS plist.
Some settings have no corresponding portal configuration setting on the web interface and must be configured using the Windows Registry or Msiexec. These include, but are not limited to, can-prompt-user-credential, wrap-cp-guid, and filter-non-gpcp; they are marked "Not in portal" in the tables that follow.

App Display Options

Customize app display options such as app icon display, rediscover network option, and system tray notifications using the Windows Registry or macOS plist.
The following table lists the options that you can configure in the Windows Registry or macOS plist to customize the display of the GlobalProtect app.
Table: Customizable App Settings
Each entry gives the portal agent configuration name, the Windows Registry/macOS plist key and values, the Msiexec parameter, and the default.

Enable Advanced View
  Registry/plist: enable-advanced-view yes | no
  Msiexec: ENABLEADVANCEDVIEW="yes | no"
  Default: yes
Display GlobalProtect Icon
  Registry/plist: show-agent-icon yes | no
  Msiexec: SHOWAGENTICON="yes | no"
  Default: yes
Enable Rediscover Network Option
  Registry/plist: rediscover-network yes | no
  Msiexec: REDISCOVERNETWORK="yes | no"
  Default: yes
Enable Resubmit Host Profile Option
  Registry/plist: resubmit-host-info yes | no
  Msiexec: n/a
  Default: yes
Show System Tray Notifications
  Registry/plist: show-system-tray-notifications yes | no
  Msiexec: SHOWSYSTEMTRAYNOTIFICATIONS="yes | no"
  Default: yes

User Behavior Options

Learn how to configure settings in the Windows registry and macOS plist to customize how the user interacts with the GlobalProtect app.
The following table lists the options that you can configure in the Windows registry and macOS plist to customize how the user interacts with the GlobalProtect app.
Some settings do not have a corresponding portal configuration setting on the web interface and must be configured using the Windows Registry, Msiexec, or macOS plist. These settings are listed in the table as “Not in portal.” They include, but are not limited to, settings such as the following: ShowPrelogonButton and can-save-password.
Table: Customizable User Behavior Options
Each entry gives the portal agent configuration name, the Windows Registry/macOS plist key and values, the Msiexec parameter, and the default.

Allow User to Change Portal Address
  Registry/plist: can-change-portal yes | no
  Msiexec: CANCHANGEPORTAL="yes | no"
  Default: yes
Allow User to Dismiss Welcome Page
  Registry/plist: enable-hide-welcome-page yes | no
  Msiexec: ENABLEHIDEWELCOMEPAGE="yes | no"
  Default: yes
Allow User to Continue with Invalid Portal Server Certificate
  Registry/plist: can-continue-if-portal-cert-invalid yes | no
  Msiexec: CANCONTINUEIFPORTALCERTINVALID="yes | no"
  Default: yes
Allow User to Disable GlobalProtect App
  Registry/plist: disable-allowed yes | no
  Msiexec: DISABLEALLOWED="yes | no"
  Default: no
Allow User to Uninstall GlobalProtect App
  1. The registry path is ..\Settings\<portal>.
  2. Specify a 0 to allow users to uninstall the GlobalProtect app with a password. Specify a 1 to prevent users from uninstalling the GlobalProtect app.
  3. Restart the PAN GP agent services or restart the machine to read the new value.
  Registry/plist: Uninstall 0 | 1
  Msiexec: n/a
  Default: n/a
Save User Credentials
  Specify a 0 to prevent GlobalProtect from saving credentials, a 1 to save both username and password, or a 2 to save the username only.
  Registry/plist: save-user-credentials 0 | 1 | 2
  Msiexec: n/a
  Default: n/a
Not in portal
  The Allow user to save password setting is deprecated in the web interface in PAN-OS 7.1 and later releases but is configurable from the Windows registry and macOS plist. Any value specified in the Save User Credentials field overwrites a value specified here.
  Registry/plist: can-save-password yes | no
  Msiexec: CANSAVEPASSWORD="yes | no"
  Default: yes
Windows only/Not in portal
  This setting enables the GlobalProtect credential provider to display the Start GlobalProtect Connection button, which allows users to initiate the GlobalProtect pre-logon connection manually.
  Registry/plist: ShowPrelogonButton yes | no
  Msiexec: n/a
  Default: no
Windows 10 only/Not in portal
  This setting is used in conjunction with GlobalProtect SSO and enables the GlobalProtect credential provider to be set as the default sign-in option at the next Windows login and for subsequent logins. See Deploy GlobalProtect Credential Provider Settings in the Windows Registry for details.
  Registry/plist: MakeGPCPDefault yes | no
  Msiexec: MAKEGPCPDEFAULT="yes | no"
  Default: n/a
Windows only/Not in portal
  This setting is used in conjunction with GlobalProtect SSO and sets the number of seconds for users to wait to log in to Windows before establishing a tunnel connection. See Deploy GlobalProtect Credential Provider Settings in the Windows Registry for details.
  Registry/plist: LogonWaitTime <5-30 seconds>
  Msiexec: n/a
  Default: n/a
Windows only/Not in portal
  This setting is used in conjunction with GlobalProtect SSO and sets the number of seconds to delay users from logging in to Windows after establishing a tunnel connection. See Deploy GlobalProtect Credential Provider Settings in the Windows Registry for details.
  Registry/plist: LogonPostWaitTime <3-10 seconds>
  Msiexec: n/a
  Default: n/a

App Behavior Options

Learn how to configure settings in the Windows registry and macOS plist to customize how the GlobalProtect app behaves.
The following table lists the options that you can configure in the Windows Registry and macOS plist to customize the behavior of the GlobalProtect app.
Some settings do not have a corresponding portal configuration setting on the web interface and must be configured using the Windows Registry, Msiexec, or macOS plist. These settings are listed in the table as “Not in portal.” They include, but are not limited to, settings such as the following: portal <IPaddress>, prelogon 1, and can-prompt-user-credential.
Table: Customizable App Behavior Options
Each entry gives the portal agent configuration name, the Windows Registry/macOS plist key and values, the Msiexec parameter, and the default.

Connect Method
  Registry/plist: connect-method on-demand | pre-logon | user-logon
  Msiexec: CONNECTMETHOD="on-demand | pre-logon | user-logon"
  Default: user-logon
Conditional Connect Method Based on Network Type
  Registry/plist: conditional-connect yes | no
  Msiexec: n/a
  Default: no
Not supported on the portal
  Registry/plist: intelligent-portal yes | no
  Msiexec: INTELLIGENTPORTAL="yes | no"
  Default: no
Portal IP Address for USA and China
  Registry/plist: portal-country-map "<IP address>(US);<IP address>(CN)"
  Msiexec: PORTALCOUNTRYMAP="<Portal IP address>(US);<Portal IP address>(CN)"
  Default: n/a
User Location
  Registry/plist: intelligent-portal-service "URL"
  Msiexec: INTELLIGENTPORTALSERVICE="<IP location URL>"
  Default: n/a
Not supported on the portal
  Registry/plist: SAMLAUTHPROXY="--proxy-server=<proxy server>"
    For example, --proxy-pac-url="https://example.com/proxy.pac"
    Supported only for Windows endpoints.
  Msiexec: SAMLAUTHPROXY="--proxy-server=<proxy server>"
  Default: n/a
Use Default Browser for Captive Portal
  Registry/plist: CPUSINGDEFBROWSER = yes | no
    Supported only for Windows endpoints.
  Msiexec: CPUSINGDEFBROWSER = yes | no
  Default: yes (the default browser is used for the captive portal)
GlobalProtect App Config Refresh Interval (hours)
  Registry/plist: refresh-config-interval <hours>
  Msiexec: REFRESHCONFIGINTERVAL="<hours>"
  Default: 24
Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
  Registry/plist: wsc-autodetect yes | no
  Msiexec: n/a
  Default: no
Detect Proxy for Each Connection (Windows Only)
  Registry/plist: proxy-multiple-autodetect yes | no
  Msiexec: n/a
  Default: no
Clear Single Sign-On Credentials on Logout (Windows Only)
  Registry/plist: logout-remove-sso yes | no
  Msiexec: LOGOUTREMOVESSO="yes | no"
  Default: yes
Disable Single Sign-On on local machines
  This setting allows you to disable the SSO feature even if it is configured on the portal. It overrides the portal configuration when you manually add the key to the Windows registry or macOS plist and set the value to yes.
  For Windows endpoints, you must manually add this setting to the Windows registry:
    Windows Path: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
    Key Name/Value: force-sso-disable yes | no
  For macOS endpoints, you must manually add this setting to the macOS plist:
    macOS Path: /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
    Add the setting under Palo Alto Networks > GlobalProtect > Settings
    Key Name/Value: force-sso-disable yes | no
  Registry/plist: force-sso-disable yes | no
  Msiexec: n/a (this setting is not supported in msiexec)
  Default: n/a
Use Default Authentication on Kerberos Authentication Failure (Windows Only)
  Registry/plist: krb-auth-fail-fallback yes | no
  Msiexec: KRBAUTHFAILFALLBACK="yes | no"
  Default: no
Use Default Browser for SAML Authentication (macOS plist)
  Registry/plist: default-browser yes | no
  Msiexec: DEFAULTBROWSER="yes | no"
  Default: no
Custom Password Expiration Message (LDAP Authentication Only) (Deprecated)
  Registry/plist: PasswordExpiryMessage <message>
  Msiexec: n/a
  Default: Password expires in <number> days
Portal Connection Timeout (sec)
  Registry/plist: portal-timeout <portaltimeout>
  Msiexec: n/a
  Default: 5
TCP Connection Timeout (sec)
  Registry/plist: connect-timeout <connect-timeout>
  Msiexec: n/a
  Default: 5
TCP Receive Timeout (sec)
  Registry/plist: receive-timeout <receive-timeout>
  Msiexec: n/a
  Default: 30
Client Certificate Store Lookup
  Registry/plist: certificate-store-lookup user | machine | user and machine | invalid
  Msiexec: CERTIFICATESTORELOOKUP="user | machine | user and machine | invalid"
  Default: user and machine
SCEP Certificate Renewal Period (days)
  Registry/plist: scep-certificate-renewal-period <renewalPeriod>
  Msiexec: n/a
  Default: 7
Maximum Internal Gateway Connection Attempts
  Registry/plist: max-internal-gateway-connection-attempts <maxValue>
  Msiexec: MIGCA="<maxValue>"
  Default: 0
Extended Key Usage OID for Client Certificate
  Registry/plist: ext-key-usage-oid-for-client-cert <oidValue>
  Msiexec: EXTCERTOID="<oidValue>"
  Default: n/a
User Switch Tunnel Rename Timeout (sec)
  Registry/plist: user-switch-tunnel-rename-timeout <renameTimeout>
  Msiexec: n/a
  Default: 0
Use Single Sign-On (Windows Only)
  Registry/plist: use-sso yes | no
  Msiexec: USESSO="yes | no"
  Default: yes
Use Single Sign-On for Smart Card (Windows Only)
  Registry/plist: use-sso-pin yes | no
  Msiexec: USESSOPIN="yes | no"
  Default: no
Inbound Authentication Message
  Registry/plist: authentication-message
  Msiexec: n/a
  Default: n/a
Allow Overriding Username from Client Certificate
  Registry/plist: override-cc-username yes | no
  Msiexec: n/a
  Default: no
Not in portal
  This setting specifies the default portal IP address (or hostname).
  Registry/plist: portal <IPaddress>
  Msiexec: PORTAL="<IPaddress>"
  Default: n/a
Not in portal
  This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.
  Registry/plist: prelogon 1
  Msiexec: PRELOGON="1"
  Default: 1
Not in portal
  This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt the user for credentials if SSO fails.
  Registry/plist: (Windows) can-prompt-user-credential yes | no
  Msiexec: CANPROMPTUSERCREDENTIAL="yes | no"
  Default: yes
Windows only/Not in portal
  This setting filters the third-party credential provider's tile from the Windows login page so that only the native Windows tile is displayed.*
  Registry/plist: wrap-cp-guid {third party credential provider guid}
  Msiexec: WRAPCPGUID="{guid_value}" FILTERNONGPCP="yes | no"
  Default: no
Windows only/Not in portal
  This setting is an additional option for the setting wrap-cp-guid, and allows the third-party credential provider tile to be displayed on the Windows login page, in addition to the native Windows logon tile.*
  Registry/plist: filter-non-gpcp no
  Msiexec: n/a
  Default: n/a
Windows only/Not in portal
  This setting allows you to assign static IP addresses to Windows endpoints.
  Registry/plist: reserved-ipv4 <reserved-ipv4>
                  reserved-ipv6 <reserved-ipv6>
  Msiexec: RESERVEDIPV4="<reserved-ipv4>"
           RESERVEDIPV6="<reserved-ipv6>"
  Default: n/a
(Windows Only)
  This setting allows you to set a valid default gateway on the GlobalProtect virtual adapter when you configure the GlobalProtect app in Full-Tunnel mode.
  Registry/plist: fake-default-gateway yes | no
  Msiexec: FIXDEFAULTGATEWAY="yes | no"
  Default: n/a
(Windows Only)
  This setting allows you to collect HIP data on Windows endpoints.
  Registry/plist: collect-hip-data yes | no
  Msiexec: COLLECTHIPDATA="yes | no"
  Default: n/a
(Windows Only)
  This setting allows you to save gateway passwords on Windows endpoints.
  Registry/plist: save-gateway-password yes | no
  Msiexec: SAVEGATEWAYPASSWORD="yes | no"
  Default: n/a
Windows Only/Not in portal
  This setting allows you to press the Enter key to log in to GlobalProtect from the embedded browser on Windows endpoints during SAML authentication.
  In some cases, enabling this setting will prevent the Enter key press from being accepted during sign on. If this occurs, change the setting to no.
    Windows Registry Path: HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
    Key Name/Value: translate-enter-key yes | no
  Registry/plist: translate-enter-key yes | no
  Msiexec: TRANSLATEENTERKEY="yes | no"
  Default: yes

* For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Endpoints.
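The settings in the App Display, User Behavior, and App Behavior tables are the same key/value pairs whichever deployment channel carries them, so a practitioner usually keeps one settings map and renders the .reg file, the plist, and the msiexec command line from it. The following script is an added example, not Palo Alto Networks code: it validates each value against the vocabulary the tables give (yes | no sets, the 0 | 1 | 2 credential modes, the LogonWaitTime and LogonPostWaitTime ranges), flags values that weaken the endpoint's posture before rollout (note that the page's default for can-continue-if-portal-cert-invalid is yes), and renders the three artifacts. The catalog is a subset of the page's keys; the MSI file name, the function names, and the plist nesting (taken from the page's "Palo Alto Networks > GlobalProtect > Settings" description) are assumptions.

```python
"""Added example (not Palo Alto Networks code): render the deployment artifacts
this page describes from one settings map, after validating and reviewing it."""
import plistlib

REG_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings"
PLIST_PATH = "/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"

# Subset of the page's tables: key -> (msiexec parameter, or None when the Msiexec
# column says n/a; allowed values as a set, a (min, max) integer range, or None
# for free-form values such as a portal hostname).
CATALOG = {
    "enable-advanced-view": ("ENABLEADVANCEDVIEW", {"yes", "no"}),
    "show-agent-icon": ("SHOWAGENTICON", {"yes", "no"}),
    "can-change-portal": ("CANCHANGEPORTAL", {"yes", "no"}),
    "can-continue-if-portal-cert-invalid": ("CANCONTINUEIFPORTALCERTINVALID", {"yes", "no"}),
    "disable-allowed": ("DISABLEALLOWED", {"yes", "no"}),
    "can-save-password": ("CANSAVEPASSWORD", {"yes", "no"}),
    "save-user-credentials": (None, {"0", "1", "2"}),
    "LogonWaitTime": (None, (5, 30)),
    "LogonPostWaitTime": (None, (3, 10)),
    "connect-method": ("CONNECTMETHOD", {"on-demand", "pre-logon", "user-logon"}),
    "certificate-store-lookup": ("CERTIFICATESTORELOOKUP",
                                 {"user", "machine", "user and machine", "invalid"}),
    "force-sso-disable": (None, {"yes", "no"}),
    "portal": ("PORTAL", None),
}

# Defender's review: values that loosen certificate checking, let users switch the
# app off, or persist credentials on the endpoint.
RISKY = {
    ("can-continue-if-portal-cert-invalid", "yes"): "user may proceed past an invalid portal certificate",
    ("disable-allowed", "yes"): "user may disable the GlobalProtect app",
    ("can-save-password", "yes"): "password may be stored on the endpoint",
    ("save-user-credentials", "1"): "username and password are saved",
}


def validate(settings):
    """Return a list of problems; empty means every value is in the catalog's vocabulary."""
    problems = []
    for key, value in settings.items():
        if key not in CATALOG:
            problems.append(f"{key}: not in this example's catalog")
            continue
        allowed = CATALOG[key][1]
        if allowed is None:
            if not value.strip():
                problems.append(f"{key}: value must not be empty")
        elif isinstance(allowed, tuple):
            lo, hi = allowed
            if not (value.isdigit() and lo <= int(value) <= hi):
                problems.append(f"{key}: {value!r} outside {lo}-{hi}")
        elif value not in allowed:
            problems.append(f"{key}: {value!r} not one of {sorted(allowed)}")
    return problems


def review(settings):
    """Return warnings for settings whose value weakens the endpoint's posture."""
    return [f"{k}={v}: {why}" for (k, v), why in RISKY.items() if settings.get(k) == v]


def to_reg(settings):
    """Render a .reg file; every value is a REG_SZ string under the Settings key."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["Windows Registry Editor Version 5.00", "", f"[{REG_PATH}]"]
    lines += [f'"{k}"="{esc(v)}"' for k, v in settings.items()]
    return "\n".join(lines) + "\n"


def to_plist(settings):
    """Render the plist with the nesting the page names: Palo Alto Networks > GlobalProtect > Settings."""
    return plistlib.dumps({"Palo Alto Networks": {"GlobalProtect": {"Settings": dict(settings)}}})


def settings_from_plist(data):
    """Read the Settings dictionary back out of plist bytes (to check a rendered file)."""
    return plistlib.loads(data)["Palo Alto Networks"]["GlobalProtect"]["Settings"]


def to_msiexec(settings, msi="GlobalProtect64.msi"):  # the MSI file name is an assumption
    """Render the msiexec line; keys whose Msiexec column is n/a are returned as skipped."""
    parts, skipped = [f"msiexec /i {msi}"], []
    for key, value in settings.items():
        param = CATALOG.get(key, (None, None))[0]
        if param:
            parts.append(f'{param}="{value}"')
        else:
            skipped.append(key)
    return " ".join(parts), skipped


if __name__ == "__main__":
    # Constructed sample: a hardened rollout plus one risky value to show the review.
    sample = {"portal": "portal.example.com", "connect-method": "user-logon",
              "can-continue-if-portal-cert-invalid": "no", "disable-allowed": "no",
              "save-user-credentials": "2", "LogonWaitTime": "10", "can-save-password": "yes"}
    print("problems:", validate(sample))
    print("warnings:", review(sample))
    print(to_reg(sample))
    print(to_plist(sample).decode())
    print(to_msiexec(sample)[0], "(skipped: %s)" % to_msiexec(sample)[1])
```

Keys that the msiexec column lists as n/a come back in the skipped list, so the caller knows they still have to be delivered through the registry or plist. Because the portal agent configuration takes precedence over these values, a value the review flags should also be checked on the portal side; the registry or plist alone cannot harden a setting the portal sets the other way.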

Script Deployment Options

Use the Script Deployment Options to execute scripts before and after connection establishment, allowing customization through parameters such as command execution, context, timeout, file integrity, checksum, and error messages.
The following table displays options that enable GlobalProtect to initiate scripts before and after establishing a connection and before disconnecting. Because these options are not available in the portal, you must define the values for the relevant key—either pre-vpn-connect, post-vpn-connect, or pre-vpn-disconnect—from the Windows registry or macOS plist. For detailed steps to deploy scripts, see Deploy Scripts Using the Windows Registry, Deploy Scripts Using Msiexec, or Deploy Scripts Using the macOS Plist.
If you are allowing end users to establish the VPN connection to the corporate network before logging in to the Windows endpoint by using Connect Before Logon, you must run VPN connect scripts with the context admin value specified in the Windows registry. You cannot specify the default context user value because there is no user prior to Windows logon.
Table: Customizable Script Deployment Options
Each entry gives the purpose of the key, the Windows Registry/macOS plist key and values, the Msiexec parameters for the pre-vpn-connect, post-vpn-connect, and pre-vpn-disconnect actions, and the default.

command
  Execute the script specified in the command setting (including any parameters passed to the script).
  Environment variables are supported.
  Specify the full path in commands.
  Registry/plist: command <parameter1> <parameter2> [...]
    Windows example: command %userprofile%\vpn_script.bat c: test_user
    macOS example: command $HOME/vpn_script.sh /Users/test_user test_user
  Msiexec: PREVPNCONNECTCOMMAND="<parameter1> <parameter2> [...]"
           POSTVPNCONNECTCOMMAND="<parameter1> <parameter2> [...]"
           PREVPNDISCONNECTCOMMAND="<parameter1> <parameter2> [...]"
  Default: n/a
context
  (Optional) Specify the privileges under which the command(s) run (default is user: if you do not specify the context, the command runs as the current active user).
  Registry/plist: context admin | user
  Msiexec: PREVPNCONNECTCONTEXT="admin | user"
           POSTVPNCONNECTCONTEXT="admin | user"
           PREVPNDISCONNECTCONTEXT="admin | user"
  Default: user
timeout
  (Optional) Specify the number of seconds the GlobalProtect app waits for the command to execute (range is 0-120). If the command does not complete before the timeout, the app proceeds to establish a connection or disconnect. A value of 0 (the default) means the app does not wait for the command to execute.
  Not supported for post-vpn-connect.
  Registry/plist: timeout <value>
    Example: timeout 60
  Msiexec: PREVPNCONNECTTIMEOUT="<value>"
           PREVPNDISCONNECTTIMEOUT="<value>"
  Default: 0
file
  (Optional) Specify the full path of a file used in a command. The GlobalProtect app verifies the integrity of the file by checking it against the value specified in the checksum key.
  Environment variables are supported.
  Registry/plist: file <path_file>
  Msiexec: PREVPNCONNECTFILE="<path_file>"
           POSTVPNCONNECTFILE="<path_file>"
           PREVPNDISCONNECTFILE="<path_file>"
  Default: n/a
checksum
  (Optional) Specify the sha256 checksum of the file referred to in the file key. If the checksum is specified, the GlobalProtect app executes the command(s) only if the checksum generated by the GlobalProtect app matches the checksum value specified here.
  Registry/plist: checksum <value>
  Msiexec: PREVPNCONNECTCHECKSUM="<value>"
           POSTVPNCONNECTCHECKSUM="<value>"
           PREVPNDISCONNECTCHECKSUM="<value>"
  Default: n/a
error-msg
  (Optional) Specify an error message to inform the user that either the command(s) cannot be executed or the command(s) exited with a non-zero return code.
  The message must be 1,024 or fewer ANSI characters.
  Registry/plist: error-msg <message>
    Example: error-msg Failed executing pre-vpn-connect action!
  Msiexec: PREVPNCONNECTERRORMSG="<message>"
           POSTVPNCONNECTERRORMSG="<message>"
           PREVPNDISCONNECTERRORMSG="<message>"
  Default: n/a
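The file and checksum keys are the security-relevant pair in this table: a script that runs with context admin before the tunnel is up is only as trustworthy as the file on disk, and the sha256 pin is what stops a modified script from executing. The following script is an added example, not Palo Alto Networks code: it assembles the values for one action, computes the sha256 the checksum key must carry, checks the table's rules (timeout range and its post-vpn-connect exclusion, the 1,024-character error-msg limit, and context admin when Connect Before Logon is in use), and shows the integrity gate flipping once the deployed script changes. The assumption that each action's values sit in a subkey named after the action (pre-vpn-connect, post-vpn-connect, pre-vpn-disconnect) under Settings, the function names, and all sample paths and script contents are constructed for the example.

```python
"""Added example (not Palo Alto Networks code): build script-deployment values
for one action, pin the script with sha256, and apply the integrity gate."""
import hashlib
import os
import tempfile

ACTIONS = ("pre-vpn-connect", "post-vpn-connect", "pre-vpn-disconnect")
# Assumption: each action's values live in a subkey named after the action under Settings.
SETTINGS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings"
MAX_ERROR_MSG = 1024      # "1,024 or fewer ANSI characters"
TIMEOUT_RANGE = (0, 120)  # seconds; 0 (the default) means the app does not wait


def sha256_of(path):
    """Hex sha256 of a file, streamed so large scripts are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_action(action, command, file, context="user", timeout=None,
                 error_msg=None, connect_before_logon=False):
    """Return (values, problems): values maps the table's key names to strings,
    problems lists every rule from the page that the inputs break."""
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if context not in ("admin", "user"):
        problems.append(f"context must be admin or user, not {context!r}")
    if connect_before_logon and action != "pre-vpn-disconnect" and context != "admin":
        problems.append("Connect Before Logon: connect scripts need context admin "
                        "(no user exists before Windows logon)")
    if timeout is not None:
        if action == "post-vpn-connect":
            problems.append("timeout is not supported for post-vpn-connect")
        elif not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
            problems.append(f"timeout {timeout} outside {TIMEOUT_RANGE[0]}-{TIMEOUT_RANGE[1]}")
    if error_msg is not None and len(error_msg) > MAX_ERROR_MSG:
        problems.append(f"error-msg is {len(error_msg)} characters, limit {MAX_ERROR_MSG}")

    values = {"command": command, "context": context, "file": file}
    if os.path.isfile(file):
        values["checksum"] = sha256_of(file)   # pin the script the command will run
    else:
        problems.append(f"file not found: {file}")
    if timeout is not None:
        values["timeout"] = str(timeout)
    if error_msg is not None:
        values["error-msg"] = error_msg
    return values, problems


def integrity_ok(values):
    """The gate the app applies when checksum is set: run only if the file still hashes to it."""
    path = values["file"]
    return os.path.isfile(path) and sha256_of(path) == values.get("checksum")


def to_reg(action, values):
    """Render the action's values as a .reg fragment (string values, backslashes escaped)."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["Windows Registry Editor Version 5.00", "", f"[{SETTINGS_KEY}\\{action}]"]
    lines += [f'"{k}"="{esc(v)}"' for k, v in values.items()]
    return "\n".join(lines) + "\n"


def demo():
    """Constructed scenario: deploy a script, then alter it on disk; returns
    (problems, integrity before the change, integrity after the change)."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "vpn_script.bat")           # constructed sample script
        with open(script, "w") as f:
            f.write("@echo off\r\necho pre-connect step\r\n")
        values, problems = build_action(
            "pre-vpn-connect", f"{script} c: test_user", script, context="admin",
            timeout=60, error_msg="Failed executing pre-vpn-connect action!",
            connect_before_logon=True)
        before = integrity_ok(values)
        with open(script, "a") as f:                          # any later edit breaks the pin
            f.write("echo extra line\r\n")
        after = integrity_ok(values)
        return problems, before, after


if __name__ == "__main__":
    problems, before, after = demo()
    print("problems:", problems, "| intact:", before, "| after edit:", after)
```

The checksum is recomputed from the file you actually ship, so the deployment pipeline should compute it from the final artifact rather than from a source copy; a script edited after the checksum was recorded simply never runs, and the error-msg text is what the user sees in that case.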