Connect to GlobalProtect App with IPSec Only
Learn how to choose the connection option for the GlobalProtect app.
For organizations that must comply with government regulations, allowing network clients
to fall back to a less secure tunnel type can pose a compliance risk. Previously, if the
GlobalProtect® app failed to establish an IPSec tunnel, it automatically attempted to
establish an SSL tunnel, potentially circumventing mandatory security policies. This
lack of strict tunnel enforcement could lead to non-compliant access in high-security
environments.
GlobalProtect 6.3.1 addresses this by unifying the control over tunnel mode enforcement
under a single portal setting, Advanced Control for Tunnel Mode Behavior. This new
configuration combines the existing Connect with SSL Only feature with the new ability
to enforce IPSec Only connections. For information on using this parameter, see step 5
in Customize the GlobalProtect App.
You can now meet mandates, such as Federal Government compliance regulations, by
requiring the GlobalProtect app to stay disconnected if the IPSec tunnel fails or is
unavailable on the gateway. This feature ensures that the GlobalProtect app only
connects through the specific, approved tunnel mode your security policy requires,
preventing unauthorized or non-compliant connections. This simplifies configuration by
consolidating tunnel mode preferences in one centralized location.
To meet Federal Government compliance regulations, you can choose to prevent
GlobalProtect from falling back to an SSL tunnel if the IPSec tunnel fails. If IPSec is
not configured on the gateway, the GlobalProtect app stays disconnected.