Enter a name to identify the client settings configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Add the specific users or user groups to which this configuration applies.

To deploy this configuration to all users, select any from the Source User drop-down. To deploy this configuration only to users with GlobalProtect apps in pre-logon mode, select pre-logon from the Source User drop-down.

To deploy this configuration based on the operating system of the endpoint, Add an OS (Android, Chrome, iOS, IoT, Linux, Mac, Windows, WindowsUWP). Alternatively, you can set this value to Any so that configuration deployment is based only on the user or user group and not on the operating system of the endpoint.

To deploy this configuration based on user location, Add a source Region or local IP Address (IPv4 and IPv6). To deploy this configuration to all user locations, do not specify a Region or IP Address. You must also leave these fields empty if your users are running GlobalProtect app 4.0 and earlier releases, as this feature is not supported on older GlobalProtect app releases.

Enable the gateway to use secure, device-specific, encrypted cookies to authenticate the user after the user first authenticates using the authentication scheme specified by the authentication or certificate profile.

Select this option to enable the GlobalProtect gateway to assign fixed IP addresses by use of an external authentication server. When this option is enabled, the GlobalProtect gateway allocates the IP address for connecting to devices by using the Framed-IP-Address attribute from the authentication server.

Add a subnet or range of IP addresses to assign to remote users. When the tunnel is established, the GlobalProtect gateway allocates the IP address in this range to connecting devices using the Framed-IP-Address attribute from the authentication server. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10).

You can enable and configure Authentication Server IP Pool only if you enable Retrieve Framed-IP-Address attribute from authentication server.

The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user can receive the address 192.168.0.10.

Add a range of IP addresses to assign to remote users. When the tunnel is established, an interface is created on the remote user’s endpoint with an address in this range. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10).

The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user may be assigned the address 192.168.0.10.

Use this option to enable or disable local network access on Windows, macOS and Linux endpoints (Linux endpoints must be running GlobalProtect app version 6.0.0 or later) when users are connected to GlobalProtect. When this option is enabled users cannot send traffic directly to proxies or local resources such as printers while connected to GlobalProtect. Split tunnel traffic based on access route, destination domain, and application still works as expected.

This options is supported on Windows, macOS, and Linux endpoints (Linux endpoints must be running GlobalProtect app version 6.0.0 or later).

Add routes to include in the VPN tunnel. These are the routes the gateway pushes to the remote users’ endpoint to specify what user endpoints can send through the VPN connection.

You can include IPv6 or IPv4 subnets. On PAN-OS 8.0.2 and later releases, up to 100 access routes can be used to include traffic in a split tunnel gateway configuration. Unless combined with GlobalProtect app 4.1.x or a later release, up to 1,000 access routes can be used.

Add routes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel).

You can define the routes you send through the VPN tunnel as routes you include in the tunnel, routes you exclude from the tunnel, or a combination of both. For example, you can set up split tunneling to allow remote users to access the internet without going through the VPN tunnel. Excluded routes should be more specific than the included routes to avoid excluding more traffic than you intend to exclude.

You can exclude IPv6 or IPv4 subnets. The firewall supports up to 100 exclude access routes in a split tunnel gateway configuration. Unless combined with GlobalProtect app 4.1 and later releases, up to 200 exclude access routes can be used. You cannot exclude access routes for endpoints running Android on Chromebooks. Only IPv4 routes are supported on Chromebooks.

If you do not enable split tunneling, every request is routed through the tunnel (no split tunneling). In this case, each internet request passes through the firewall and then out to the network. This method can prevent the possibility of an external party accessing user endpoints and gaining access to the internal network (with a user endpoint acting as a bridge).

Add the software as a service (SaaS) or public cloud applications that you want to include in the VPN tunnel based on the destination domain and port (optional). These are the applications the gateway pushes to the remote users’ endpoint to specify what user endpoints can send through the VPN connection. ICMP is not included. You can add up to 200 entries to the list.

For example, add the *.office365.com domain to allow all Office 365 traffic to go through the VPN tunnel.

Add the software as a service (SaaS) or public cloud applications that you want to exclude from the VPN tunnel based on the destination domain and port (optional). These applications are sent through the physical adapter on endpoints rather than the virtual adapter (the tunnel). You can add up to 200 entries to the list.

For example, add the *.ringcentral.com domain to exclude all RingCentral traffic from the VPN tunnel.

If you do not enable split tunneling, every request is routed through the tunnel (no split tunneling). In this case, each Internet request passes through the firewall and out to the network. This method can prevent external parties from accessing user endpoints to gain access to the internal network.

Add the complete path of each application process for which you want to include the traffic in your VPN tunnel. These are the applications the gateway pushes to the endpoints of remote users to specify what those user endpoints can send through the VPN connection. You can add up to 200 entries to the list.

For example, add /Application/Safari.app/Contents/MacOS/Safari to allow all Safari-based traffic to go through the VPN tunnel on macOS endpoints.

Add the complete path of each application process for which you want to exclude the traffic from your VPN tunnel. These applications are sent through the physical adapter on endpoints rather than the virtual adapter (the tunnel). You can add up to 200 entries to the list.

For example, to exclude traffic from the RingCentral application:

If you do not enable split tunneling, every request is routed through the tunnel (no split tunneling). In this case, each Internet request passes through the firewall and out to the network. This method can prevent external parties from accessing user endpoints to gain access to the internal network.

Specify the IP address of the DNS server to which the GlobalProtect app with this client setting configuration sends DNS queries. You can add multiple DNS servers by separating each IP address with a comma.