>
    Strata Copilot
    GlobalProtect — Customize App Settings
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Mobile Users
    5. Mobile Users: GlobalProtect
    6. GlobalProtect — Customize App Settings
    Download PDF
    Prisma Access

    GlobalProtect — Customize App Settings

    Table of Contents

    GlobalProtect — Customize App Settings

    Customize how your end users interact with the GlobalProtect app.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    Customize how your end users interact with the GlobalProtect app.
    There are some settings that you can customize globally. These global app settings apply to the GlobalProtect app across all devices. Other GlobalProtect app settings are set by default. You can then customize these options and, based on match criteria, target them to specific users and devices. The match criteria you define for app settings tells Prisma Access the users, devices, or systems that should receive the settings. For example, you could specify that a rule applies only to devices with serial numbers that match Active Directory entries.
    GlobalProtect App Settings
    Explore and customize app settings here (Prisma Access examples are shown in the table)
    Prisma Access (Managed by Strata Cloud Manager): Go to ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessGlobalProtectGlobalProtect App.
    You can Add multiple app settings, or Clone an existing app setting and modify it.
    Prisma Access (Managed by Panorama): in the Mobile_User_Template, go to NetworkGlobalProtectPortalsGlobalProtect_PortalAgentDefaultApp
    Authentication Override
    Enable Prisma Access to generate and accept secure, encrypted cookies for user authentication. Turning this on allows the user to provide login credentials only once during the specified period of time.
    • Generate cookie for authentication override—Enables the Prisma Access to generate encrypted, endpoint-specific cookies and issue authentication cookies to the endpoint.
    • Accept cookie for authentication override—Enables Prisma Access to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, Prisma Access verifies that the cookie was encrypted by Prisma Access originally, decrypts the cookie, and then authenticates the user.
      The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to Prisma Access for user authentication.
    • Cookie Lifetime—Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1 to 72; for weeks is 1 to 52; and for days is 1 to 365. After the cookie expires, the user must re-enter their login credentials and then Prisma Access subsequently encrypts a new cookie to send to the app. This value can be the same as or different from the Cookie Lifetime that you configure.
      If you have set the Authentication Override Cookie Lifetime value higher than the Tunnel Login Lifetime, review the table below.
      PAN-OS VersionCookie Lifetime Value
      PAN-OS 10.1On PAN-OS 10.1.x versions, the Authentication Override Cookie Lifetime cannot exceed the Tunnel Login Lifetime value. Even if you set the authentication override cookie lifetime to be higher, it will remain valid only for the duration of the tunnel login lifetime.
      PAN-OS 10.2
      On PAN-OS versions 10.2 through 10.2.13, the Authentication Override Cookie Lifetime can exceed the Tunnel Login Lifetime value.
      On PAN-OS versions 10.2.14 and later 10.2.x versions, the Authentication Override Cookie Lifetime cannot exceed the Tunnel Login Lifetime value. Even if you set the authentication override cookie lifetime to be higher, it will remain valid only for the duration of the tunnel login lifetime.
      PAN-OS 11.0
      On PAN-OS versions 11.0 through 11.0.6, the Authentication Override Cookie Lifetime can exceed the Tunnel Login Lifetime value.
      On PAN-OS versions 11.0.7 and later 11.0.x versions, the Authentication Override Cookie Lifetime cannot exceed the Tunnel Login Lifetime value. Even if you set the authentication override cookie lifetime to be higher, it will remain valid only for the duration of the tunnel login lifetime.
      PAN-OS 11.1
      On PAN-OS 11.1.x versions, the Authentication Override Cookie Lifetime cannot exceed the Tunnel Login Lifetime value. Even if you set the authentication override cookie lifetime to be higher, it will remain valid only for the duration of the tunnel login lifetime.
    • Certificate to Encrypt/Decrypt Cookie—Selects the RSA certificate used to encrypt and decrypt the cookie.
    Connection Settings
    Specify the method that the GlobalProtect app uses to Connect to Prisma Access.
    • User-logon (Always On)—The GlobalProtect app automatically connects to Prisma Access as soon as the user logs in. When used in conjunction with SSO (Windows endpoints only), the login is transparent to the end user.
      On iOS endpoints, this setting prevents one-time password (OTP) applications from working because the GlobalProtect app forces all traffic to go through the tunnel.
    • Pre-logon (Always On)—The GlobalProtect app authenticates the user and establishes a VPN tunnel to Prisma Access before the user logs in. This option requires that you use an external PKI solution to pre-deploy a machine certificate to each device that receives these settings.
    • On-demand (Manual user initiated connection)—Users must manually launch the app to connect to GlobalProtect.
    • Pre-logon then On-demand—Similar to the Pre-logon (Always On) connect method, this connect method (which requires Content Release version 590-3397 or later) enables the GlobalProtect app to authenticate the user and establish a VPN tunnel to Prisma Access before the user logs in to the endpoint. Unlike the pre-logon connect method, after the user logs in, users must manually launch the app to connect to GlobalProtect if the connection is terminated for any reason. The benefit of this option is that you can allow users to specify a new password after their password expires or they forget their password, but still require users to manually initiate the connection after they log in.
    GlobalProtect
    Decide what GlobalProtect app settings the user can adjust:
    • Disable GlobalProtect—Decide whether or not users can disable the GlobalProtect app. Users that disable the GlobalProtect app can not connect to Prisma Access (and your protected company resources) until they turn the app back on.
    • Upgrade GlobalProtect—Specify how app upgrades should work, including whether users can initiate updates.
      If you want to control when users can upgrade, you can customize the app upgrade on a per-configuration basis. For example, if you want to test a release on a small group of users before deploying it to your entire user base, you can create a configuration that applies to users in your IT group only, thus allowing them to upgrade and test while disabling upgrades in all other user/group configurations. After you have thoroughly tested the new version, you can modify the agent configurations for the rest of your users to allow the upgrade.
      • Allow when user accepts the upgrade prompt—Prompt users to upgrade when a new version of the app is available.
      • Disallow—Prevent app upgrades.
      • Allow manually—Let users initiate app upgrades from inside the GlobalProtect app.
      • Allow transparently—Upgrades occur automatically without user interaction.
      • Allow when the users is on the corporate network—Upgrade when the users are on the corporate network.
    • Uninstall GlobalProtect—Allow users to uninstall the GlobalProtect app, prevent them from uninstalling the GlobalProtect app, or allow them to uninstall if they specify a password you create.
    • User Can Change Portal—Let users change the portal the GlobalProtect app uses to connect to Prisma Access.
    App Configuration -Advanced Options
    App Settings
    • Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)—Select No to prevent the GlobalProtect app from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
    User Behavior Settings
    User Behavior settings include:
    Authentication Settings
    Authentication settings include:
    VPN Settings
    Configure VPN timeout and tunnel settings:
    • Display IPSec to SSL Fallback Notification—Select No to prevent pop-up notifications when the GlobalProtect app fails to establish connection to an IPSec tunnel and falls back to an SSL tunnel. Select Yes (default) to allow pop-up notifications when the connection changes.
    Enforcement Settings
    Enforce settings for specified traffic:
    • Allow traffic to specified FDQN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is established Learn more.
    • Automatically Launch Webpage in Default Browser Upon Captive Portal Detection — To automatically launch your default web browsers so that users can log in to the authentication portal seamlessly, enter the fully qualified domain name (FQDN) or IP address of the website that you want to use for the initial connection attempt that initiates web traffic when the default web browser launches (maximum length is 256 characters). The authentication portal then intercepts this website connection attempt and redirects the default web browser to the authentication portal login page. If this field is empty (default), Prisma Access does not launch the default web browser automatically upon authentication portal detection.
    • Enable Advance Internal Host Detection — Enable advance internal host detection to add an extra security layer during internal host detection by the GlobalProtect app. With the advance internal host detection, the app validates the server certificate of the internal gateways in addition to performing a reverse DNS lookup of the internal host to determine whether the app is inside the enterprise network. Enabling the advanced internal host detection stops malicious actors from spoofing the reverse DNS server response during the internal host detection and thereby prevents unauthorized access to the endpoints in the enterprise network. If you do not enable the advance internal host detection, the existing internal host detection works as expected.
    Connection Behavior Settings
    Connection Behavior settings include:
    Learn more.
    DNS Settings
    DNS settings include:
    Proxy Settings
    Specify the Proxy Auto-Configuration (PAC) File URL that you want to push to the endpoint to configure proxy settings. The maximum URL length is 256 characters. The following Proxy Auto-Configuration (PAC) File URL methods are supported:
    • Proxy Auto-Config (PAC) standard (for example, http://pac.<hostname or IP>/proxy.pac).
    • Web Proxy Auto-Discovery Protocol (WPAD) standard (for example, http://wpad.<hostname or IP>/wpad.dat).
    MFA Settings
    MFA settings include:
    Troubleshooting Settings
    Troubleshooting settings include:
    Device Quarantine Settings
    Device Quarantine settings include:
    Internal Host Detection
    If you do not require your mobile users to connect to Prisma Access when they are on the internal network, enable internal host detection to enable the GlobalProtect app to determine if it is on an internal or external network.
    • Enter the IP Address (IPv4 or IPv6) of a host that can be resolved from the internal network only.
    • Enter the DNS Hostname that resolves to the IP address you enter.
    When a mobile user connects to Prisma Access, the GlobalProtect app attempts to do a reverse DNS lookup on the specified address. If the lookup fails, the GlobalProtect app determines that it is on the external network and then initiates a connection to Prisma Access.
    Enable Internal Host Detection
    If you want the GlobalProtect app will retry network discovery when an internal gateway and internal host detection are configured without an external gateway and internal host detection fails, set the Enable Intelligent Internal Host Detection parameter to yes.
    Gateways
    By default, all the gateways in your Prisma Access locations are available to users. If you have additional GlobalProtect gateways (internal or external) that you’d like your users to be able to connect to, you can add those gateways here.
    HIP Data Collection
    Define custom host information profile (HIP) data that you want the app to collect or exclude from collection. When this option is enabled, the app collects data from devices running Windows, Mac, or Linux operating systems.
    For example, a custom check could enable you to know whether a certain application is installed or running on an endpoint.The data that you define to be collected in a custom check is included in the raw host information data that the GlobalProtect app collects and then submits to Prisma Access when the appconnects.
    To monitor the data collected with custom checks, create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match to endpoint traffic and enforce security rules.
    Go to ConfigurationNGFW and Prisma AccessObjectsHIP and HIP Objects or HIP Profiles. Select the Prisma AccessMobile Users ContainerGlobalProtect configuration scope.
    Timeout Settings
    • On the GlobalProtect Setup page, select the gear icon in the Global App Settings area.
    • Modify the maximum Login Lifetime for a single gateway login session (the default is 30 days). During the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the Inactivity Logout period. After this time, the login session ends automatically.
    • Set the amount of advance notice to provide users to indicate that their app sessions are about to expire due to login lifetime expiry. The default value is 30 minutes. The accepted range is 0-60 minutes.
    • Customize the timeout notification message.
    • Modify the Inactivity Logout period to specify the amount of time after which idle users are logged out of GlobalProtect. You can enforce a security policy to monitor traffic from endpoints while connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions by setting a shorter inactivity logout period. Users are logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
      The default value is 180 minutes. The accepted range is 5-43200 minutes.
    • Set the amount of advance notice to provide users to indicate that their app sessions are about to expire due to inactivity. The default value is 30 minutes. The accepted range is 0-60 minutes.
    • Customize the inactivity notification message.
    • Specify whether to notify end users if their administrator logs them out and set the display message.
    • Click Save.
    Source IP Address Enforcement for Authentication Cookies
    Configure VPN connecting setting and authentication cookie usage restrictions for an enhanced security posture.
    • On the GlobalProtect Setup page, select the gear icon in the Global App Settings area.
    • Configure automatic restoration of SSL VPN tunnels.
      If the Automatic Restoration of VPN Connection is enabled on the GlobalProtect portal, you can disable it for this gateway by selecting Disable Automatic Restoration of SSL VPN.
    • Configure source IP address enforcement for authentication cookies.
      You can configure the GlobalProtect portal or gateway to accept cookies from endpoints only when the IP address of the endpoint matches the original source IP addresses for which the cookie was issued or when the IP address of the endpoint matches a specific network IP address range. You can define the network IP address range using a CIDR subnet mask, such as /24 or /32. For example, if an authentication cookie was originally issued to an endpoint with a public source IP address of 201.109.11.10, and the subnet mask of the network IP address range is set to /24, the authentication cookie is subsequently valid on endpoints with public source IP addresses within the 201.109.11.0/24 network IP address range.
      In the Authentication Cookie Usage Restrictions section, select Restrict Authentication Cookie Usage (for Automatic Restoration of VPN tunnel or Authentication Override) and then configure one of the following conditions:
      • If you select The original Source IP for which the authentication cookie was issued, the authentication cookie is valid only if the public source IP address of the endpoint that is attempting to use the cookie is the same public source IP address of the endpoint to which the cookie was originally issued.
      • If you select The original Source IP network range, the authentication cookie is valid only if the public source IP address of the endpoint attempting to use the cookie is within the designated network IP address range. Enter a Source IPv4 Netmask or Source IPv6 Netmask to define the subnet mask of the network IP address range for which the authentication cookie is valid (for example, 32 or 128).

    © 2026 Palo Alto Networks, Inc. All rights reserved.