Enforcing Authentication Cookie Validation
What's New in the NetSec Platform

Enforce authentication cookies
In mobile and roaming environments, preventing session hijacking is critical for maintaining robust security. Previously, an endpoint's authentication cookie could be used even if the device's network location changed, creating a potential security risk if the cookie was intercepted.
To mitigate this threat, you can now require the GlobalProtect portal or gateway to accept authentication cookies only when the endpoint's IP address matches the original source IP address or falls within a designated network range. This security enhancement is important for maintaining session integrity in environments where users may roam within a campus or corporate subnet.
Enabling this capability ensures that an authentication cookie originally issued to an endpoint within a secure network range remains valid only for endpoints within that same network segment. By binding the authentication cookie to a designated network range, you mitigate the risk of unauthorized access attempts.
This existing feature in Panorama is now available in Prisma Access managed by Strata Cloud Manager. For more information, see GlobalProtect — Customize App Settings.
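The source-IP check described above can be sketched as follows. This is an added illustration, not Palo Alto Networks code or the GlobalProtect implementation; the function name, the prefix-length parameters, and the sample addresses are assumptions constructed for the example. It goes slightly beyond the text by also handling IPv6 and IPv4-mapped IPv6 addresses.

```python
import ipaddress

def cookie_ip_allowed(issued_ip, current_ip, v4_prefix=32, v6_prefix=128):
    """Decide whether a cookie issued to issued_ip may be presented from current_ip.

    Hypothetical policy knobs: a prefix of 32 (IPv4) or 128 (IPv6) means
    "exact original source IP"; a shorter prefix means "same network range".
    Any parsing or policy error rejects the cookie (fail closed).
    """
    try:
        issued = ipaddress.ip_address(issued_ip)
        current = ipaddress.ip_address(current_ip)
    except ValueError:
        return False  # malformed address: never accept

    # Treat ::ffff:a.b.c.d as the IPv4 address it wraps, so a dual-stack
    # listener does not see the same client as two different sources.
    issued = getattr(issued, "ipv4_mapped", None) or issued
    current = getattr(current, "ipv4_mapped", None) or current

    if issued.version != current.version:
        return False  # an IPv4 cookie is not valid from an IPv6 source, and vice versa

    prefix = v4_prefix if issued.version == 4 else v6_prefix
    try:
        # strict=False masks the host bits of the original source address,
        # yielding the network segment the cookie is bound to.
        bound_net = ipaddress.ip_network(f"{issued}/{prefix}", strict=False)
    except ValueError:
        return False  # invalid prefix length in the policy
    return current in bound_net

# Constructed sample attempts: (issued_ip, current_ip, v4_prefix, v6_prefix)
SAMPLES = [
    ("10.20.30.40", "10.20.30.40", 32, 128),                 # unchanged source
    ("10.20.30.40", "10.20.31.7", 22, 128),                  # roamed inside the /22
    ("10.20.30.40", "203.0.113.9", 22, 128),                 # replayed from elsewhere
    ("2001:db8:1:2::10", "2001:db8:1:2:abcd::1", 32, 64),    # same IPv6 /64
]

def evaluate(samples=SAMPLES):
    """Return the accept/reject decision for each constructed attempt."""
    return [cookie_ip_allowed(*s) for s in samples]

if __name__ == "__main__":
    for sample, ok in zip(SAMPLES, evaluate()):
        print(sample[0], "->", sample[1], "accept" if ok else "reject")
```

A wider prefix tolerates more roaming but also widens the set of addresses from which an intercepted cookie would still be accepted.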