App Behavior Options

The following table lists the options that you can configure in the Windows Registry and macOS plist to customize the behavior of the GlobalProtect app.
Table: Customizable App Behavior Options

| Portal Agent Configuration | Windows Registry/macOS Plist | Msiexec Parameter | Default |
| --- | --- | --- | --- |
| Connect Method | `connect-method on-demand \| pre-logon \| user-logon` | `CONNECTMETHOD="on-demand \| pre-logon \| user-logon"` | user-logon |
| GlobalProtect App Config Refresh Interval (hours) | `refresh-config-interval <hours>` | `REFRESHCONFIGINTERVAL="<hours>"` | 24 |
| Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only) | `wsc-autodetect yes \| no` | n/a | no |
| Detect Proxy for Each Connection (Windows Only) | `proxy-multiple-autodetect yes \| no` | n/a | no |
| Clear Single Sign-On Credentials on Logout (Windows Only) | `logout-remove-sso yes \| no` | `LOGOUTREMOVESSO="yes \| no"` | yes |
| Use Default Authentication on Kerberos Authentication Failure (Windows Only) | `krb-auth-fail-fallback yes \| no` | `KRBAUTHFAILFALLBACK="yes \| no"` | no |
| Use Default Browser for SAML Authentication | (macOS plist) `default-browser yes \| no` | `DEFAULTBROWSER="yes \| no"` | no |
| Custom Password Expiration Message (LDAP Authentication Only) (Deprecated) | `PasswordExpiryMessage <message>` | n/a | Password expires in <number> days |
| Portal Connection Timeout (sec) | `portal-timeout <portaltimeout>` | n/a | 5 |
| TCP Connection Timeout (sec) | `connect-timeout <connect-timeout>` | n/a | 5 |
| TCP Receive Timeout (sec) | `receive-timeout <receive-timeout>` | n/a | 30 |
| Client Certificate Store Lookup | `certificate-store-lookup user \| machine \| user and machine \| invalid` | `CERTIFICATESTORELOOKUP="user \| machine \| user and machine \| invalid"` | user and machine |
| SCEP Certificate Renewal Period (days) | `scep-certificate-renewal-period <renewalPeriod>` | n/a | 7 |
| Maximum Internal Gateway Connection Attempts | `max-internal-gateway-connection-attempts <maxValue>` | `MIGCA="<maxValue>"` | 0 |
| Extended Key Usage OID for Client Certificate | `ext-key-usage-oid-for-client-cert <oidValue>` | `EXTCERTOID="<oidValue>"` | n/a |
| User Switch Tunnel Rename Timeout (sec) | `user-switch-tunnel-rename-timeout <renameTimeout>` | n/a | 0 |
| Use Single Sign-On (Windows Only) | `use-sso yes \| no` | `USESSO="yes \| no"` | yes |
| Inbound Authentication Message | `authentication-message` | n/a | n/a |
| Allow Overriding Username from Client Certificate | `override-cc-username yes \| no` | n/a | no |
| Not in portal. This setting specifies the default portal IP address (or hostname). | `portal <IPaddress>` | `PORTAL="<IPaddress>"` | n/a |
| Not in portal. This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal. | `prelogon 1` | `PRELOGON="1"` | 1 |
| Not in portal. This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt the user for credentials if SSO fails. | (Windows) `can-prompt-user-credential yes \| no` | `CANPROMPTUSERCREDENTIAL="yes \| no"` | yes |
| Windows only/Not in portal. This setting filters the third-party credential provider’s tile from the Windows login page so that only the native Windows tile is displayed.* | `wrap-cp-guid {third party credential provider guid}` | `WRAPCPGUID="{guid_value}" FILTERNONGPCP="yes \| no"` | no |
| Windows only/Not in portal. This setting is an additional option for the setting wrap-cp-guid, and allows the third-party credential provider tile to be displayed on the Windows login page, in addition to the native Windows logon tile.* | `filter-non-gpcp no` | n/a | n/a |
| Windows only/Not in portal. This setting allows you to assign static IP addresses to Windows endpoints. | `reserved-ipv4 <reserved-ipv4>` `reserved-ipv6 <reserved-ipv6>` | `RESERVEDIPV4="<reserved-ipv4>"` `RESERVEDIPV6="<reserved-ipv6>"` | n/a |

*For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Endpoints.
