Reuse and reference an address or group of addresses across policy rules, filters, or other functions without having to manually add the address or addresses each time. You can define regions to apply policy to specified countries or locations. Applying policy based on region is a great way to control traffic between branch offices.

Your network traffic is automatically classified into applications that you can use to build a versatile security policy based on your business needs. To simplify the creation of security policies, applications requiring the same security settings can be combined into an application group. Application groups can include applications, application groups, and application filters.

While the HTTP and HTTPS services are already defined for you and ready to use, you can add service definitions to control the port numbers that applications can use. You can combine services that are often assigned together into service groups to simplify the creation of security policies.

Centrally manage your SaaS applications for each of your SaaS apps. SaaS App Management lets you find features you can use to safely enable apps for your enterprise.

Decide what GlobalProtect app data (the host information profile, or HIP, data the app collects from endpoints) that you want to use to enforce security policy. Combine HIP objects to build a HIP profile. Think of HIP profiles as security posture checklists again which your hosts are evaluated, and each HIP object is one item on the list. You can grant hosts access to your network or to sensitive resources based on their security posture compliance.

Dynamic user groups give you a way to auto-remediate anomalous user behavior and malicious activity. Membership in a dynamic user group is tag-based – users are included in the group only so long as they match your defined criteria.

Use tags to identify the purpose of a rule or configuration object and to help you better organize your rulebase.

Auto-tags give you a way to automate security actions based on activity. You can specify the log criteria that triggers security policy enforcement.

Configure a log forwarding profile to specify which logs to forward to your Logging Service.

An External Dynamic List (EDL) is an internally or externally hosted text file used for policy enforcement. The firewall check your EDLs at your configured intervals to enable dynamic policy enforcement.

Centrally manage the certificates that secure communication across your network.

Create a schedule to limit enforcement of a security policy rule to specific times that you define.

Identify and quarantine compromised devices. You can either manually or automatically (based on auto-tags) add devices to a quarantine list. You can block quarantined devices from accessing the network or restrict the device traffic based on a security rule.