GlobalProtect Features
End-of-Life (EoL)
Learn about the exciting new GlobalProtect™ features
introduced in the PAN-OS® 8.1 release.
New GlobalProtect Feature | Description |
---|---|
Optimized Split Tunneling for GlobalProtect | In addition to route-based split tunnel
policy, GlobalProtect™ now supports split tunneling based on destination
domain, client process, and HTTP/HTTPS video streaming application.
This feature works on Windows and macOS endpoints and enables you to:
|
Kerberos Authentication Support for macOS | GlobalProtect endpoints running macOS 10.10
and later releases now support Kerberos V5 single sign-on (SSO)
for GlobalProtect portal and gateway authentication. Kerberos SSO,
which is primarily intended for internal gateway deployments, provides
accurate User-ID™ information without user interaction and helps
enforce user and HIP policies. |
SAML SSO for GlobalProtect on Chromebooks | GlobalProtect now supports SAML single sign-on (SSO)
for Chrome OS. If you configure SAML as the authentication standard
for Chromebooks, users can authenticate to GlobalProtect by leveraging
the same login they use to access the Chromebook applications. This
allows users to connect to GlobalProtect without having to re-enter
their credentials in the GlobalProtect app. With SSO enabled (default),
Google acts as the SAML service provider while the GlobalProtect
app authenticates users directly to your organization’s SAML identity
provider. GlobalProtect currently supports only the SAML HTTP POST
binding method. |
GlobalProtect Credential Provider Pre-Logon Connection Status | The GlobalProtect credential provider logon
screen on Windows 7 and Windows 10 endpoints now displays the pre-logon connection status when you configure
pre-logon for remote users. The pre-logon connection status indicates
the state of the pre-logon VPN connection prior to user logon. By
providing more visibility on the pre-logon connection status, this
feature allows end users to determine whether they will be able
to access network resources upon logon, which prevents them from
logging in prematurely before the connection establishes and network
resources become available. If the GlobalProtect app determines
that an endpoint is internal (connected to the corporate network),
the logon screen displays the GlobalProtect connection status as Internal.
If the GlobalProtect app determines that an endpoint is external
(connected to a remote network), the logon screen displays the GlobalProtect connection
status as Connected or Not Connected. |
Active Directory Password Change Using the GlobalProtect Credential Provider | End users can now change their Active Directory (AD) password using
the GlobalProtect credential provider on Windows 10 endpoints. This
enhancement improves the single sign-on (SSO) experience by allowing
users to update their AD password and access resources that are
secured by GlobalProtect using the GlobalProtect credential provider.
Users can change their AD password using the GlobalProtect credential
provider only when their AD password expires or an administrator
requires a password change at the next login. |
Expired Active Directory Password Change for Remote Users | Remote users can now change their RADIUS or Active Directory (AD)
password through the GlobalProtect app when their password
expires or a RADIUS/AD administrator requires a password change
at the next login. With this feature, users can change their RADIUS
or AD password when they are unable to access the corporate network
locally and their only option is to connect remotely using RADIUS
authentication. This feature is enabled only when the user authenticates
with a RADIUS server using the Protected Extensible Authentication
Protocol Microsoft Challenge Handshake Authentication Protocol version
2 (PEAP-MSCHAPv2). |
OPSWAT SDK V4 Support | GlobalProtect is now integrated
with OPSWAT SDK V4 to detect
and assess the endpoint state and the third-party security applications
running on the endpoint. OPSWAT is a security tool leveraged by
the Host Information Profile (HIP) to collect information about
the security status of your endpoints. GlobalProtect uses this information
for policy enforcement on the GlobalProtect gateway. This
integration follows the end-of-life (EoL) announcement for OPSWAT
SDK V3, which is the OPSWAT SDK version supported by GlobalProtect
in PAN-OS 8.0 and earlier releases. |
GlobalProtect App for Linux | The new GlobalProtect app for Linux now extends User-ID
and security policy enforcement to users on Linux endpoints. The
GlobalProtect app provides a command-line interface and functions as
an SSL or IPSec VPN client. The GlobalProtect app supports common GlobalProtect
features and authentication methods, including certificate and two-factor
authentication and both user-logon and on-demand connect methods.
The app can also perform internal host detection to determine whether
the Linux endpoint is on the internal network and can collect host
information (such as operating system and operating system version,
domain, hostname, host ID, and network interface). Using this information,
you can allow or deny access to a specific Linux endpoint based
on the adherence of that endpoint to the host policies you define. The
GlobalProtect app for Linux is available for the Ubuntu 14.04,
RHEL 7.0, and CentOS 7.0 Linux distributions (and later releases of
each) and requires a GlobalProtect subscription. |
GlobalProtect Tunnel Preservation On User Logout | You can now configure GlobalProtect
to preserve the existing VPN tunnel when
users log out of their endpoint. With this enhancement, you can
specify the amount of time for which the GlobalProtect session remains
active during user logout. |
Automatic Launching of Web Browser in Captive Portal Environment | You can now configure GlobalProtect to launch your default web browser
automatically upon captive portal detection so that users
can log in to the captive portal seamlessly. With this enhancement,
you can specify the URL of the website that you want to use for
the initial connection attempt that initiates web traffic when the default
web browser launches. The captive portal then intercepts this website
connection attempt and redirects the default web browser to the captive
portal login page. |