>
    Strata Copilot
    Configure a GlobalProtect Gateway
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Gateways
    5. Configure a GlobalProtect Gateway
    Download PDF
    GlobalProtect

    Configure a GlobalProtect Gateway

    Table of Contents

    Configure a GlobalProtect Gateway

    Configure a GlobalProtect gateway to enforce security policies and provide VPN access for your users.
    Where Can I Use This?What Do I Need?
    • Prisma Access
      The IKEv2 protocol is not supported on Prisma Access
    • NGFW
      The IKEv2 protocol is supported only on NGFW
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    • GlobalProtect 6.4.1 Innovation and PAN-OS 12.1.5 or later for the IKEv2 protocol. For access to the GlobalProtect 6.4.1 Innovation release, reach out to your Palo Alto Network account team.
    Because the GlobalProtect portal configuration that is delivered to the apps includes the list of gateways to which the endpoint can connect, it is recommended that you configure the gateways before configuring the portal.
    GlobalProtect Gateways are configured to provide two main functions:
    • Enforce security policy for the GlobalProtect apps that connect to the gateways. You can also enable HIP collection on the gateway for enhanced security policy granularity.
    • Provide virtual private network (VPN) access to the internal corporate network. VPN access is provided through an IPSec or SSL tunnel between the endpoint and the tunnel interface on the firewall hosting the gateway.
    On NGFW, GlobalProtect gateways support both IPSec and standardized Internet Key Exchange version 2 (IKEv2) protocols. Unlike proprietary or custom methods, IKEv2 utilizes industry-standard key exchange protocols to establish secure tunnels more efficiently, requiring only four message exchanges instead of eight. This protocol provides built-in Network Address Translation (NAT) Traversal and enhanced resiliency against denial-of-service (DoS) attacks.
    1. Before you begin configuring the gateway make sure you have:
    2. Add a gateway.
      1. To add a new gateway, do one of the following:
        • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessGlobalProtectSetupGlobalProtect AppTunnel Settings.
        • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessConfiguration ScopeAll FirewallsDeviceGlobalProtectPortals and GatewaysGateways and then Add Gateway.
        • On Panorama, select NetworkGlobalProtectGateways.
      2. Click Add.
      3. Name the gateway.
        The gateway name cannot contain spaces and must be unique for each virtual system. As a best practice, include the location or other descriptive information to help users and administrators identify the gateway.
      4. (Optional) Select the virtual system Location to which this gateway belongs.
    3. Specify the network information that enables endpoints to connect to the gateway.
      If it does not already exist, create the network interface for the gateway.
      • Set the IP Address Type to IPv4 Only, IPv6 Only, or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.
      • The IP address must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 addresses or 21DA:D3:0::2F3b for IPv6 addresses. For dual stack configurations, enter both an IPv4 and IPv6 address.
      Do not attach an interface management profile that allows HTTP, HTTPS, Telnet, or SSH to the interface where you configure; doing so enables access to your management interface from the internet. Follow Adminstrative Access Best Practices to ensure that you are securing administrative access to your firewalls in a way that will prevent successful attacks.
    4. Configure Decryption log settings.
      You can log successful and unsuccessful TLS/SSL handshakes and you can forward Decryption logs to Log Collectors, other storage devices, and to specific administrators.
      • By default, the firewall logs only unsuccessful TLS handshakes. It is a best practice to log successful handshakes as well so that you gain visibility into as much decrypted traffic as available resources permit (but don’t decrypt private or sensitive traffic; follow decryption best practices and decrypt as much traffic as you can).
      • If you have not already done so, create a Log Forwarding profile to forward Decryption logs and specify it in the Gateway configuration.
      • If you log successful TLS handshakes in addition to unsuccessful TLS handshakes, configure a larger log storage space quota for the Decryption log (DeviceSetupManagementLogging and Reporting SettingsLog Storage). The default quota (allocation) is one percent of the device’s log storage capacity for Decryption logs and one percent for the general decryption summary. There is no default allocation for hourly, daily, or weekly decryption summaries. Configure Decryption Logging provides more information about how to allocate firewall log space to Decryption logs.
    5. Specify how the gateway authenticates users.
      If an SSL/TLS service profile for the gateway does not already exist, Deploy Server Certificates to the GlobalProtect Components.
      If authentication profiles or certificate profiles do not already exist, use the authentication setup task to configure these profiles for the gateway.
      Configure any of the following gateway Authentication settings
      • To secure communication between the gateway and the GlobalProtect app, select the SSL/TLS Service Profile for the gateway.
        The Max Version of TLS in the SSL/TLS Service Profile is TLSv1.2. TLSv1.3 is currently not supported for the GlobalProtect app and Clientless VPN connections.
        To provide the strongest security, set the Min Version of the SSL/TLS service profile to TLSv1.2.
      • To authenticate users with a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, or RADIUS (including OTP), Add a Client Authentication configuration with the following settings:
        • Specify a Name to identify the client authentication configuration.
        • Identify the type of OS (operating system) to which this configuration applies. By default, the configuration applies to Any operating system.
        • Select or add an Authentication Profile to authenticate endpoints seeking access to the gateway.
        • Enter a custom Username Label for gateway login (for example, Email Address (username@domain).
        • Enter a custom Password Label for gateway login (for example, Passcode for two-factor, token-based authentication).
        • Enter an Authentication Message to help end-users understand which credentials to use during login. The message can be up to 256 characters in length (default is Enter login credentials).
        • Select one of the following options to define whether users can authenticate to the gateway using credentials and/or client certificates:
          • To require users to authenticate to the gateway using both user credentials AND a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to No (User Credentials AND Client Certificate Required) (default).
          • To allow users to authenticate to the gateway using either user credentials OR a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to Yes (User Credentials OR Client Certificate Required).
            When you set this option to Yes, the gateway first checks the endpoint for a client certificate. If the endpoint does not have a client certificate or you do not configure a certificate profile for your client authentication configuration, the endpoint user can then authenticate to the gateway using his or her user credentials.
            If you plan to use SAML authentication, do not configure the Username Field in the Certificate Profile.
      • To authenticate users based on a client certificate or a smart card/CAC, select the corresponding Certificate Profile. You must pre-deploy the client certificate or Deploy User-Specific Client Certificates for Authentication using the Simple Certificate Enrollment Protocol (SCEP).
        • If you want to require users to authenticate to the gateway using both their user credentials and a client certificate, you must specify both a Certificate Profile and an authentication profile
        • If you want to allow users to authenticate to the gateway using either their user credentials or a client certificate and you specify an Authentication Profile for user authentication, then the Certificate Profile is optional.
        • If you want to allow users to authenticate to the gateway using either their user credentials or a client certificate and you don’t select an Authentication Profile for user authentication, then the Certificate Profile is required.
        • If you do not configure any Authentication Profile that matches a specific OS, then the Certificate Profile is required.
        If you allow users to authenticate to the gateway using either user credentials or a client certificate, do not select a Certificate Profile that has the Username Field configured as None.
      • To use two-factor authentication, select both an Authentication Profile and a Certificate Profile. This requires the user to authenticate successfully using both methods to gain access.
        (Chrome only) If you configure the gateway to use client certificates and LDAP for two-factor authentication, Chromebooks that run Chrome OS 47 or later versions encounter excessive prompts to select the client certificate. To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and then deploy that policy to your managed Chromebooks.
        1. Log in to the Google Admin console and select Device managementChrome managementUser settings.
        2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
          {"pattern": "https://[*.]","filter":{}}
        3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.
        4. To block GlobalProtect users from logging in from quarantined devicesto the GlobalProtect gateway, select Block login for quarantined devices.
    6. Enable tunneling and then configure the tunnel parameters.
      Tunnel parameters are required for an external gateway; they are optional for an internal gateway.
      To force the use of SSL-VPN tunnel mode, disable (clear) the Enable IPSec option. By default, SSL-VPN is used only if the endpoint fails to establish an IPSec tunnel.
      Extended authentication (X-Auth) is supported only on IPSec tunnels. If you Enable X-Auth Support, GlobalProtect IPSec Crypto profiles are not used.
      GlobalProtect app is not able to connect to the GlobalProtect Gateway via IPSec tunnel if source NAT is configured on the same firewall for the GlobalProtect client's public IP address. In this case, the tunnel connection will fall back to SSL.
      For more information on supported cryptographic algorithms, refer to GlobalProtect App Cryptographic Functions.
      1. Click the Agent tab and enable Tunnel Mode to enable split tunneling.
      2. Select the Tunnel Interface that you defined when you created the network interface for the gateway.
      3. (Optional) Specify the maximum number of users (Max User) that can access the gateway at the same time for authentication, HIP updates, and GlobalProtect app updates. The range of values is displayed when the field is empty and varies based on the platform.
      4. Enable IPSec and then select a GlobalProtect IPSec Crypto profile to secure the VPN tunnels between the GlobalProtect app and the gateway. The default profile uses AES-128-CBC encryption and sha1 authentication.
        IPSec is not supported with Windows 10 UWP endpoints.
        You can also create a New GlobalProtect IPSec Crypto profile (GlobalProtect IPSec Crypto drop-down) and then configure the following settings:
        1. Specify a Name to identify the profile.
        2. Add the Authentication and Encryption algorithms that VPN peers can use to negotiate the keys for securing data in the tunnel:
          • Encryption—If you don’t know what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most-to-least secure, as follows: aes-256-gcm, aes-128-gcm, aes-128-cbc. The peers will negotiate the strongest algorithm to establish the tunnel.
          • Authentication—Select the authentication algorithm (sha1) to provide data integrity and authenticity protection. Although the authentication algorithm is required for the profile, this setting is only to the AES-CBC cipher (aes-128-cbc). If you use an AES-GCM encryption algorithm (aes-256-gcm or aes-128-gcm), the setting is ignored because these ciphers provide native ESP integrity protection.
        3. Click OK to save the profile.
      5. (Optional) Enable X-Auth Support if any endpoint must connect to the gateway using a third-party VPN (for example, a VPNC client running on Linux). If you enable X-Auth, you must provide the Group name and Group Password (if the endpoint requires it). By default, the user is not required to re-authenticate if the key that establishes the IPSec tunnel expires. To require users to re-authenticate, disable the option to Skip Auth on IKE Rekey.
        Extended authentication (X-Auth) is not supported for Prisma Access deployments.
        To Enable X-Auth Support for strongSwan endpoints, you must also disable the option to Skip Auth on IKE Rekey because these endpoints require re-authentication during IKE SA negotiation. In addition, you must add the closeaction=restart setting to the conn %default section of the strongSwan IPSec configuration file. (See Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints for more information on the StrongSwan IPSec configuration.)
        Although X-Auth access is supported on iOS and Android endpoints, it provides limited GlobalProtect functionality on these endpoints. Instead, use the GlobalProtect app for simplified access to all security features that GlobalProtect provides on iOS and Android endpoints. The GlobalProtect app for iOS is available in the Apple App Store. The GlobalProtect app for Android is available in Google Play.
    7. NGFW only, NGFW on Panorama requires GlobalProtect 6.4.1 or later and PAN-OS 12.1.5 or later, Windows and macOS endpoints only. To support the standardized IKEv2 protocol on the tunnel, click Enable IKEv2 and specify the following parameters.
      1. Select the IKEv2 mode:
        • Select IKEv2 Only to allow the client to connect only through IKEv2. If the user’s network blocks IKEv2 or the client is too old to support it, the connection fails completely
        • Select IKEv2 Preferred to allow the client to fall back to an SSL/TLS tunnel if IKEv2 fails. This option allows older clients to connect via SSL-VPN or IPSec (if enabled).
      2. Select the IKE Crypto Profile and IPSEC Crypto Profile associated with the network profile.
      3. Select one of the following the authentication methods:
        • Authentication via a pre-shared key
          1. Select Pre-Shared Key and enter the master key length in characters.
            The master key length must be within 32 and 128 characters.
          2. Click Generate Strong Master Key.
          3. Copy the generated master key and paste in the Master Key and Confirm Master Key fields.
            You can also directly enter a master key instead of generating a key. The key must contain an even number of characters and must follow the HEX format.
        • Certificate-based authentication
          The certificate profile specified in the gateway authentication tab is reused.
      To view IKEv2 logs, navigate to MonitorSystem.
      The following table describes the GlobalProtect app behavior based on the selected tunnel protocol (IPSec or IKEv2) and IKEv2 mode.
      Protocol SelectedIKEv2 Mode SelectedGlobalProtect App Version Earlier than 6.4.1GlobalProtect App Version 6.4.1 and Later
      None selectedN/ATLSTLS
      Enable IPSecN/AIPSec
      Can fall back to TLS
      		IPSec
      Can fall back to TLS
      Enable IPSec and Enable IKEv2IKEv2 OnlyIPSec
      Can fall back to TLS
      		IKEv2
      No fallback
      Enable IPSec and Enable IKEv2IKEv2 PreferredIPSec
      Can fall back to TLS
      		IKEv2
      Can fall back to TLS
      Enable IKEv2IKEv2 OnlyNo IPSec tunnel
      No fall back
      		IKEv2
      No fallback
      Enable IKEv2IKEv2 PreferredTLSIKEv2
      Can fall back to TLS
      If you downgrade PAN-OS to a version earlier than 12.1.5, the IKEv2 options are hidden and the Enable IPSec setting determines tunnel behavior.
    8. (Tunnel Mode Only) Specify selection criteria for your client settings configurations.
      The gateway uses the selection criteria to determine which configuration to deliver to the GlobalProtect apps that connect. If you have multiple configurations, you must make sure to order them correctly. As soon as the gateway finds a match (based on the Source User, OS, and Source Address), it delivers the associated configuration to the user. Therefore, more specific configurations must precede more general ones. See step 13 for instructions on ordering the list of configurations for client settings.
      You cannot Enable X-Auth Support when you specify the selection criteria for your client settings configurations.
      1. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings.
      2. Select an existing client settings configuration or Add a new one. You can add up to 64 client configuration entries for a single gateway.
      3. Configure the following Config Selection Criteria:
        • To deploy this configuration to specific users or user groups, Add the Source User (or user group). To deploy this configuration only to users with apps in pre-logon mode, select pre-logon from the Source User drop-down; to deploy this configuration to all users, select any.
          To deploy the configuration to specific groups, you must first map users to groups as described when you Enable Group Mapping.
        • To deploy this configuration based on the endpoint operating system, Add an OS (such as Android or Chrome). To deploy this configuration to all operating systems, select Any.
        • To deploy this configuration based on user location, Add a source Region or IP address (IPv4 and IPv6). To deploy this configuration to all user locations, do not specify the Region or IP Address.
      4. Click OK to save your configuration selection criteria.
    9. (Tunnel Mode Only) Configure authentication override settings to enable the gateway to generate and accept secure, encrypted cookies for user authentication.
      This capability allows the user to provide login credentials only once during the specified period of time (for example, every 24 hours).
      By default, gateways authenticate users with an authentication profile and optional certificate profile. When authentication override is enabled, GlobalProtect caches the result of a successful login and uses the cookie to authenticate the user instead of prompting the user for credentials. For more information, see Cookie Authentication on the Portal or Gateway. If client certificates are required, the endpoint must also provide a valid certificate to gain access.
      If you must immediately block access to a device whose cookie has not expired (for example, if the device is lost or stolen), you can immediately Identification and Quarantine of Compromised Device by adding the device to a quarantine list.
      1. On the GlobalProtect Gateway Configuration dialog, select AgentClient Settings.
      2. Select an existing client settings configuration or Add a new one.
      3. Configure the following Authentication Override settings:
        • Name—Identifies the configuration.
        • Generate cookie for authentication override—Enables the gateway to generate encrypted, endpoint-specific cookies and issue authentication cookies to the endpoint.
          The authentication cookie includes the following fields:
          • user—Username that is used to authenticate the user.
          • domain—Domain name of the user.
          • os—Application name that is used on the device.
          • hostID—Unique ID that is assigned by GlobalProtect to identify the host.
          • gen time—Date and time that the authentication cookie was generated.
          • ip—IP address of the device that is used to successfully authenticate to GlobalProtect and to obtain the cookie.
        • Accept cookie for authentication override—Enables the gateway to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, the gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
          The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to the portal or gateway for user authentication.
          (Windows only) If you set the Use Single Sign-On option to Yes (SSO is enabled) in the portal agent configuration (NetworkGlobalProtectPortals<portal-config>Agent<agent-config>.App), the GlobalProtect app uses the Windows username to retrieve the local authentication cookie for the user. If you set the Use Single Sign-On option to No (SSO is disabled), you must enable the GlobalProtect app to Save User Credentials in order for the app to retrieve the authentication cookie for the user. Set the Save User Credentials option to Yes to save both the username and password or Save Username Only to save only the username.
        • Cookie Lifetime—Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1 to 72; for weeks is 1 to 52; and for days is 1 to 365. After the cookie expires, the user must re-enter their login credentials and then the gateway subsequently encrypts a new cookie to send to the app. This value can be the same as or different from the Cookie Lifetime that you configure for the portal.
        • Certificate to Encrypt/Decrypt Cookie—Selects the RSA certificate used to encrypt and decrypt the cookie. You must use the same certificate on the portal and gateway.
          As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
          The portal and gateway use the RSA encrypt padding scheme PKCS#1 V1.5 to generate the cookie (using the public certificate key) and to decrypt the cookie (using the private certificate key).
    10. (Tunnel Mode onlyOptional) Configure client level IP pools used to assign IPv4 or IPv6 addresses to the virtual network adapters on the endpoints that connect to the gateway.
      IP pools and split tunnel settings are not required for internal gateway configurations in non-tunnel mode because apps use the network settings assigned to the physical network adapter.
      Using address objects when configuring gateway IP address pools is not supported.
      1. On the GlobalProtect Gateway Configuration dialog, select AgentClient Settings.
      2. Select an existing client settings configuration or Add a new one.
      3. Configure any of the following IP Pools settings:
        • To specify the authentication server IP address pool for endpoints that require static IP addresses, enable the option to Retrieve Framed-IP-Address attribute from authentication server and then Add the subnet or IP address range to the Authentication Server IP Pool. When the tunnel is established, an interface is created on the remote user’s computer with an address in the subnet or IP range that matches the Framed-IP attribute of the authentication server.
          The authentication server IP address pool must be large enough to support all concurrent connections. IP address assignment is static and retained even after the user disconnects.
        • To specify the IP Pool used to assign IPv4 or IPv6 addresses to the endpoints that connect to the gateway, Add the IP address subnet/range. You can add IPv4 or IPv6 subnets or ranges, or a combination of the two.
          To ensure proper routing back to the gateway, you must use a different range of IP addresses from those assigned to existing IP pools on the gateway (if applicable) and to the endpoints that are physically connected to your LAN. We recommend that you use a private IP addressing scheme.
      4. Click OK to save the IP pool configuration.
    11. (Tunnel Mode onlyOptional) Disable the split tunnel to ensure that all traffic(including local subnet traffic) goes through the VPN tunnel for inspection and policy enforcement.
    12. (Tunnel Mode onlyOptional) Configure split tunnel settings based on the access route.
    13. (Tunnel Mode onlyOptional) Configure split tunnel settings based on the destination domain.
    14. (Tunnel Mode onlyOptional) Configure split tunnel settings based on the application.
    15. (Tunnel Mode onlyOptional) Configure DNS settings for a client settings configuration.
      If you configure at least one DNS server or DNS suffix in the client settings configuration (NetworkGlobalProtectGateways<gateway-config>AgentClient Settings<client-settings-config>Network Services), the gateway sends the configuration for both the DNS server and DNS suffix to the endpoint. This occurs even when you configure global (gateway level) DNS servers and DNS suffixes.
      If you do not configure any DNS servers or DNS suffixes in the client settings configuration, the gateway sends the global DNS servers and DNS suffixes to the endpoint, if configured (NetworkGlobalProtectGateways<gateway-config>AgentNetwork Services).
      1. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings.
      2. Select an existing client settings configuration or Add a new one.
      3. Configure any of the following Network Services settings:
        • Specify the IP address of the DNS Server to which the GlobalProtect app with this client settings configuration sends DNS queries. You can add up to 10 DNS servers by separating each IP address with a comma.
        • Specify the DNS Suffix that the endpoint should use locally when encountering an unqualified hostname, which the endpoint cannot resolve.
    16. (Tunnel Mode Only) Arrange the gateway agent configurations so that the proper configuration is deployed to each GlobalProtect app.
      When an app connects, the gateway compares the source information in the packet against the agent configurations you defined (AgentClient Settings). As with security rule evaluation, the gateway looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
      • To move a gateway configuration up in the list of configurations, select the configuration and Move Up.
      • To move a gateway configuration down in the list of configurations, select the configuration and Move Down.
    17. (Tunnel Mode OnlyOptional) Configure the global IP address pools used to assign IPv4 or IPv6 addresses to the virtual network adapters on all endpoints that connect to the gateway.
      This option enables you to simplify the configuration by defining IP pools at the gateway level instead of defining IP pools for each client setting in the gateway configuration.
      You must configure IP pools only at either the gateway level (NetworkGlobalProtectGateways<gateway-config>AgentClient IP Pool) or the client level (NetworkGlobalProtectGateways<gateway-config>AgentClient Settings<client-setting>IP Pools).
      On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessConfiguration ScopeAll FirewallsDeviceGlobalProtectPortals and GatewaysGateways and then Add Gateway. On the Add Gateway page, add Client IP Pool.
      Using address objects when configuring gateway IP address pools is not supported.
      1. To configure the global IP address pools used to assign IPv4 or IPv6 addresses to the virtual network adapters on all endpoints that connect to the gateway, do one of the following:
        • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessConfiguration ScopeAll FirewallsDeviceGlobalProtectPortals and GatewaysGateways and then Add Gateway. On the Add Gateway page, add Client IP Pool.
        • On Panorama, select NetworkGlobalProtectGateways<gateway-config>AgentClient IP Pool
      2. Add the IP address subnet or range used to assign IPv4 or IPv6 addresses to all endpoints that connect to the gateway. You can add IPv4 or IPv6 subnets or ranges, or a combination of the two.
        To ensure proper routing back to the gateway, you must use a different range of IP addresses from those assigned to existing IP pools on the gateway (if applicable) and to the endpoints that are physically connected to your LAN. We recommend that you use a private IP addressing scheme.
    18. (Tunnel Mode Only) Specify the network configuration settings for the endpoint.
      Network settings are not required for internal gateway configurations in non-tunnel mode because the GlobalProtect app uses the network settings assigned to the physical network adapter.
      In the GlobalProtect Gateway Configuration dialog, select AgentNetwork Services and then configure any of the following network configuration settings:
      • If the firewall has an interface that is configured as a DHCP client, set the Inheritance Source to that interface so the GlobalProtect app is assigned the same settings as the DHCP client. You can also enable the option to Inherit DNS Suffixes from the inheritance source.
      • Manually assign the Primary DNS server, Secondary DNS server, Primary WINS server, Secondary WINS server, and DNS Suffix. You can enter multiple DNS suffixes (up to 100) by separating each suffix with a comma.
        The DNS Suffix cannot contain any non-ASCII characters.
    19. (Optional) Modify the default timeout settings for endpoints.
      • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessGlobalProtectSetupGlobalProtect AppGlobal App Settings. On the Global Settings page, select GeneralTimeout to modify the timeout settings.
      • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysGateways and then Add Gateway. On the Add Gateway page, select Advanced SettingsConnection Settings to modify the settings.
      • On Panorama, select NetworkGlobalProtectGatewaysAgentConnection Settings.
    20. (Optional) Configure automatic restoration of SSL VPN tunnels.
      If the GlobalProtect connection is lost due to network instability or a change in the endpoint state, you can allow or prevent the GlobalProtect app from automatically reestablishing the VPN tunnel for specific gateways by configuring automatic restoration of SSL VPN tunnels.
      1. To configure automatic restoration of SSL VPN tunnels, do one of the following:
        • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysGateways and then Add Gateway. On the Add Gateway page, select Advanced SettingsConnection SettingsAuthentication Cookie Usage Restrictions.
        • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessGlobalProtectSetupGlobalProtect AppGlobal App Settings. On the Global Settings page, select GeneralAuthentication Cookie Usage Restrictions.
        • On Panorama, select NetworkGlobalProtectGatewaysAgentConnection Settings.
      2. Configure one of the following options for Authentication Cookie Usage Restrictions:
        • To prevent the GlobalProtect app from automatically reestablishing the VPN tunnel for this gateway, Disable Automatic Restoration of SSL VPN.
        • To allow the GlobalProtect app to automatically reestablish the VPN tunnel for this gateway, disable (clear) the option to Disable Automatic Restoration of SSL VPN (default).
    21. (Optional) Configure source IP address enforcement for authentication cookies.
      You can configure the GlobalProtect portal or gateway to accept cookies from endpoints only when the IP address of the endpoint matches the original source IP addresses for which the cookie was issued or when the IP address of the endpoint matches a specific network IP address range. You can define the network IP address range using a CIDR subnet mask, such as /24 or /32. For example, if an authentication cookie was originally issued to an endpoint with a public source IP address of 201.109.11.10, and the subnet mask of the network IP address range is set to /24, the authentication cookie is subsequently valid on endpoints with public source IP addresses within the 201.109.11.0/24 network IP address range.
      1. To configure source IP address enforcement for authentication cookies, do one of the following:
        • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysGateways and then Add Gateway. On the Add Gateway page, select Advanced SettingsConnection SettingsAuthentication Cookie Usage Restrictions.
        • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessGlobalProtectSetupGlobalProtect AppGlobal App Settings. On the Global Settings page, select GeneralAuthentication Cookie Usage Restrictions.
        • On Panorama, select NetworkGlobalProtectGatewaysAgentConnection Settings.
      2. In the Authentication Cookie Usage Restrictions section, Restrict Authentication Cookie Usage (for Automatic Restoration of VPN tunnel or Authentication Override) and then configure one of the following conditions:
        • If you select The original Source IP for which the authentication cookie was issued, the authentication cookie is valid only if the public source IP address of the endpoint that is attempting to use the cookie is the same public source IP address of the endpoint to which the cookie was originally issued.
        • If you select The original Source IP network range, the authentication cookie is valid only if the public source IP address of the endpoint attempting to use the cookie is within the designated network IP address range. Enter a Source IPv4 Netmask or Source IPv6 Netmask to define the subnet mask of the network IP address range for which the authentication cookie is valid (for example, 32 or 128).
    22. (Tunnel Mode Only) Exclude HTTP/HTTPS video streaming traffic from the VPN tunnel.
    23. (Optional) Define the notification messages that end users see when a security rule with a host information profile (HIP) is enforced.
      This step applies only if you created host information profiles and added them to your security policies. See Host InformationHost Information for details on configuring the HIP feature and information about creating HIP notification messages.
      1. To create HIP notification, do one of the following:
        • On Strata Cloud Manager (NGFW):
          1. Select ConfigurationNGFW and Prisma AccessConfiguration ScopeAll FirewallsDeviceGlobalProtectPortals and GatewaysGateways.
          2. On the Add Gateway page, select Advanced SettingsHIP Notifications.
          .
        • On Strata Cloud Manager (Prisma Access):
          1. Select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessGlobalProtectSetupGlobalProtect AppGlobal App Settings.
          2. On the Global Settings page, select Add HIP Notification.
        • On the firewall (or Panorama) hosting your GlobalProtect gateway(s), select NetworkGlobalProtectGateways. On the GlobalProtect Gateway Configuration dialog, select AgentHIP Notification.
      2. Select an existing HIP notification configuration or Add a new one.
      3. Configure the following settings:
        • Select the Host Information object or profile to which this message applies.
        • Depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when the profile is not matched, select Match Message or Not Match Message and then Enable notifications. You can create messages for both a match and a non-match instance based on the objects on which you are matching and what your objectives are for the policy. For the Match Message, you can also enable the option to Include Mobile App List to indicate what applications can trigger the HIP match.
        • Select whether you want to display the message as a System Tray Balloon or as a Pop Up Message.
        • Enter and format the text of your message (Template) and then click OK.
        • Repeat these steps for each message you want to define.
    24. Save the gateway configuration.
      1. Click OK to save the settings.
      2. Commit the changes.
    25. (Optional) To configure the GlobalProtect app to display a label that identifies the location of this gateway when end users are connected, specify the physical location of the firewall on which you configured this gateway.
      When end users experience unusual behavior, such as poor network performance, they can provide this location information to their support or Help Desk professionals to assist with troubleshooting. They can also use this location information to determine their proximity to the gateway. Based on their proximity, they can evaluate whether they need to switch to a closer gateway.
      If you do not specify a gateway location, the GlobalProtect app displays an empty location field.
      • In the CLI—Use the following CLI command to specify the physical location of the firewall on which you configured the gateway:
        <username@hostname> set deviceconfig setting global-protect location <location>
      • In the XML API—Use the following XML API to specify the physical location of the firewall on which you configured the gateway:
        • devices—name of the firewall on which you configured the gateway
        • location—location of the firewall on which you configured the gateway
        curl -k -F file=@filename.txt -g 'https://<firewall>/api/?key=<apikey>&type=config&action=set&xpath=/config/devices/entry[@name='<device-name>']/deviceconfig/setting/global-protect&element=<location>location-string</location>'

    © 2026 Palo Alto Networks, Inc. All rights reserved.