GlobalProtect Features
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
- Management Interfaces
-
- Launch the Web Interface
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Commit Selective Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
-
-
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings
- Provide Granular Access to the Panorama Tab
- Provide Granular Access to Operations Settings
- Panorama Web Interface Access Privileges
-
- Reset the Firewall to Factory Default Settings
-
- Plan Your Authentication Deployment
- Pre-Logon for SAML Authentication
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure TACACS Accounting
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
-
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Deployment
- Configure the Master Key
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Configure an SSH Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
-
- HA Overview
-
- Prerequisites for Active/Active HA
- Configure Active/Active HA
-
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
- HA Clustering Overview
- HA Clustering Best Practices and Provisioning
- Configure HA Clustering
- Refresh HA1 SSH Keys and Configure Key Options
- HA Firewall States
- Reference: HA Synchronization
-
- Use the Dashboard
- Monitor Applications and Threats
- Monitor Block List
-
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
-
- Configure Syslog Monitoring
-
- Traffic Log Fields
- Threat Log Fields
- URL Filtering Log Fields
- Data Filtering Log Fields
- HIP Match Log Fields
- GlobalProtect Log Fields
- IP-Tag Log Fields
- User-ID Log Fields
- Decryption Log Fields
- Tunnel Inspection Log Fields
- SCTP Log Fields
- Authentication Log Fields
- Config Log Fields
- System Log Fields
- Correlated Events Log Fields
- GTP Log Fields
- Audit Log Fields
- Syslog Severity
- Custom Log/Event Format
- Escape Sequences
- Forward Logs to an HTTP/S Destination
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
- Monitor Transceivers
-
- User-ID Overview
- Enable User-ID
- Map Users to Groups
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
-
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
-
- Prepare to Deploy App-ID Cloud Engine
- Enable or Disable the App-ID Cloud Engine
- App-ID Cloud Engine Processing and Policy Usage
- New App Viewer (Policy Optimizer)
- Add Apps to an Application Filter with Policy Optimizer
- Add Apps to an Application Group with Policy Optimizer
- Add Apps Directly to a Rule with Policy Optimizer
- Replace an RMA Firewall (ACE)
- Impact of License Expiration or Disabling ACE
- Commit Failure Due to Cloud Content Rollback
- Troubleshoot App-ID Cloud Engine
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Maintain Custom Timeouts for Data Center Applications
-
- Policy Types
- Policy Objects
- Track Rules Within a Rulebase
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
-
- External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Use Dynamic User Groups in Policy
- Use Auto-Tagging to Automate Security Actions
- CLI Commands for Dynamic IP Addresses and Tags
- Application Override Policy
- Test Policy Rules
-
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 8.1 (EoL)
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
-
-
- App-ID Changes in PAN-OS 8.1
- Authentication Changes in PAN-OS 8.1
- Content Inspection Changes in PAN-OS 8.1
- GlobalProtect Changes in PAN-OS 8.1
- User-ID Changes in PAN-OS 8.1
- Panorama Changes in PAN-OS 8.1
- Networking Changes in PAN-OS 8.1
- Virtualization Changes in PAN-OS 8.1
- Appliance Changes in PAN-OS 8.1
- Associated Software and Content Versions
- Limitations
-
- PAN-OS 8.1.26-h1 Addressed Issues
- PAN-OS 8.1.26 Addressed Issues
- PAN-OS 8.1.25-h3 Addressed Issues
- PAN-OS 8.1.25-h2 Addressed Issues
- PAN-OS 8.1.25-h1 Addressed Issues
- PAN-OS 8.1.25 Addressed Issues
- PAN-OS 8.1.24-h2 Addressed Issues
- PAN-OS 8.1.24-h1 Addressed Issues
- PAN-OS 8.1.24 Addressed Issues
- PAN-OS 8.1.23-h1 Addressed Issues
- PAN-OS 8.1.23 Addressed Issues
- PAN-OS 8.1.22 Addressed Issues
- PAN-OS 8.1.21-h3 Addressed Issues
- PAN-OS 8.1.21-h2 Addressed Issues
- PAN-OS 8.1.21-h1 Addressed Issues
- PAN-OS 8.1.21 Addressed Issues
- PAN-OS 8.1.20-h1 Addressed Issues
- PAN-OS 8.1.20 Addressed Issues
- PAN-OS 8.1.19 Addressed Issues
- PAN-OS 8.1.18 Addressed Issues
- PAN-OS 8.1.17 Addressed Issues
- PAN-OS 8.1.16 Addressed Issues
- PAN-OS 8.1.15-h3 Addressed Issues
- PAN-OS 8.1.15 Addressed Issues
- PAN-OS 8.1.14-h2 Addressed Issues
- PAN-OS 8.1.14 Addressed Issues
- PAN-OS 8.1.13 Addressed Issues
- PAN-OS 8.1.12 Addressed Issues
- PAN-OS 8.1.11 Addressed Issues
- PAN-OS 8.1.10 Addressed Issues
- PAN-OS 8.1.9-h4 Addressed Issues
- PAN-OS 8.1.9 Addressed Issues
- PAN-OS 8.1.8-h5 Addressed Issues
- PAN-OS 8.1.8 Addressed Issues
- PAN-OS 8.1.7 Addressed Issues
- PAN-OS 8.1.6-h2 Addressed Issues
- PAN-OS 8.1.6 Addressed Issues
- PAN-OS 8.1.5 Addressed Issues
- PAN-OS 8.1.4-h2 Addressed Issues
- PAN-OS 8.1.4 Addressed Issues
- PAN-OS 8.1.3 Addressed Issues
- PAN-OS 8.1.2 Addressed Issues
- PAN-OS 8.1.1 Addressed Issues
- PAN-OS 8.1.0 Addressed Issues
End-of-Life (EoL)
GlobalProtect Features
Learn about the exciting new GlobalProtect™ features
introduced in the PAN-OS® 8.1 release.
New GlobalProtect Feature | Description |
|---|---|
| Optimized Split Tunneling for GlobalProtect | In addition to route-based split tunnel
policy, GlobalProtect™ now supports split tunneling based on destination
domain, client process, and HTTP/HTTPS video streaming application.
This feature works on Windows and macOS endpoints and enables you to:
|
| Kerberos Authentication Support for macOS | GlobalProtect endpoints running macOS 10.10
and later releases now support Kerberos V5 single sign-on (SSO)
for GlobalProtect portal and gateway authentication. Kerberos SSO,
which is primarily intended for internal gateway deployments, provides
accurate User-ID™ information without user interaction and helps
enforce user and HIP policies. |
| SAML SSO for GlobalProtect on Chromebooks | GlobalProtect now supports SAML single sign-on (SSO)
for Chrome OS. If you configure SAML as the authentication standard
for Chromebooks, users can authenticate to GlobalProtect by leveraging
the same login they use to access the Chromebook applications. This
allows users to connect to GlobalProtect without having to re-enter
their credentials in the GlobalProtect app. With SSO enabled (default),
Google acts as the SAML service provider while the GlobalProtect
app authenticates users directly to your organization’s SAML identity
provider. GlobalProtect currently supports only the Post SAML
HTTP binding method. |
| GlobalProtect Credential Provider Pre-Logon Connection Status | The GlobalProtect credential provider logon
screen on Windows 7 and Windows 10 endpoints now displays the pre-logon connection status when you configure
pre-logon for remote users. The pre-logon connection status indicates
the state of the pre-logon VPN connection prior to user logon. By
providing more visibility on the pre-logon connection status, this
feature allows end-users to determine whether they will be able
to access network resources upon logon, which prevents them from
logging in prematurely before the connection establishes and network
resource become available. If the GlobalProtect app determines
that an endpoint is internal (connected to the corporate network),
the logon screen displays the GlobalProtect connection status as Internal.
If the GlobalProtect app determines that an endpoint is external
(connected to a remote network), the logon screen displays the GlobalProtect connection
status as Connected or Not Connected. |
| Active Directory Password Change Using the GlobalProtect Credential Provider | End users can now change their Active Directory (AD) password using
the GlobalProtect credential provider on Windows 10 endpoints. This
enhancement improves the single sign-on (SSO) experience by allowing
users to update their AD password and access resources that are
secured by GlobalProtect using the GlobalProtect credential provider.
Users can change their AD password using the GlobalProtect credential
provider only when their AD password expires or an administrator
requires a password change at the next login. |
| Expired Active Directory Password Change for Remote Users | Remote users can now change their RADIUS or Active Directory (AD)
password through the GlobalProtect app when their password
expires or a RADIUS/AD administrator requires a password change
at the next login. With this feature, users can change their RADIUS
or AD password when they are unable to access the corporate network
locally and their only option is to connect remotely using RADIUS
authentication. This feature is enabled only when the user authenticates
with a RADIUS server using the Protected Extensible Authentication
Protocol Microsoft Challenge Handshake Authentication Protocol version
2 (PEAP-MSCHAPv2). |
| OPSWAT SDK V4 Support | GlobalProtect is now integrated
with OPSWAT SDK V4 to detect
and assess the endpoint state and the third-party security applications
running on the endpoint. OPSWAT is a security tool leveraged by
the Host Information Profile (HIP) to collect information about
the security status of your endpoints. GlobalProtect uses this information
for policy enforcement on the GlobalProtect gateway. This
integration follows the end-of-life (EoL) announcement for OPSWAT
SDK V3, which is the OPSWAT SDK version supported by GlobalProtect
in PAN-OS 8.0 and earlier releases. |
| GlobalProtect App for Linux | The new GlobalProtect app for Linux now extends User-ID
and security policy enforcement to users on Linux endpoints. The
GlobalProtect app provides a command-line interface and functions as
an SSL or IPSec VPN client. The GlobalProtect app supports common GlobalProtect
features and authentication methods, including certificate and two-factor
authentication and both user-logon and on-demand connect methods.
The app can also perform internal host detection to determine whether
the Linux endpoint is on the internal network and collects host
information (such as operating system and operating system version,
domain, hostname, host ID, and network interface). Using this information,
you can allow or deny access to a specific Linux endpoint based
on the adherence of that endpoint to the host policies you define. The
GlobalProtect app for Linux is available for the Linux distribution
of Ubuntu 14.04, RHEL 7.0, and CentOS 7.0 (and later releases of
each) and requires a GlobalProtect subscription. |
| GlobalProtect Tunnel Preservation On User Logout | You can now configure GlobalProtect
to preserve the existing VPN tunnel when
users log out of their endpoint. With this enhancement, you can
specify the amount of time for which the GlobalProtect session remains
active during user logout. |
| Automatic Launching of Web Browser in Captive Portal Environment | You can now configure GlobalProtect to launch your default web browser
automatically upon captive portal detection so that users
can log in to the captive portal seamlessly. With this enhancement,
you can specify the URL of the website that you want to use for
the initial connection attempt that initiates web traffic when the default
web browser launches. The captive portal then intercepts this website
connection attempt and redirects the default web browser to the captive
portal login page. |