>
    Strata Copilot
    App Behavior Options
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Apps
    4. Deploy App Settings Transparently
    5. Customizable App Settings
    6. App Behavior Options
    Download PDF
    GlobalProtect

    App Behavior Options

    Table of Contents

    App Behavior Options

    Learn how to configure settings in the Windows registry and macOS plist to customize how the GlobalProtect app behaves.
    The following table lists the options that you can configure in the Windows Registry and macOS plist to customize the behavior of the GlobalProtect app.
    Some settings do not have a corresponding portal configuration setting on the web interface and must be configured using the Windows Registry, Msiexec, or macOS plist. These settings are listed in the table as “Not in portal.” They include, but are not limited to, settings such as the following: portal <IPaddress>, prelogon 1, and can-prompt-user-credential.
    Table: Customizable App Behavior Options
    Portal Agent Configuration
    Windows Registry/macOS Plist
    Msiexec Parameter
    Default
    Connect Method
    connect-method on-demand | pre-logon | user-logon
    CONNECTMETHOD=”on-demand | pre-logon | user-logon”
    user-logon
    Conditional Connect Method Based on Network Type
    		conditional-connect yes | non/a
    no
    Not supported on the portal
    intelligent-portal yes | no
    INTELLIGENTPORTAL=”yes | no”
    no
    Portal IP Address for USA and China
    		 portal-country-map "<IP address>(US);<IP address>(CN)" PORTALCOUNTRYMAP = "<Portal IP address>(US);<Portal IP address>(CN)"n/a
    User Location intelligent-portal-service "URL" INTELLIGENTPORTALSERVICE = "<IP location URL>"n/a
    Not supported on the portalSAMLAUTHPROXY="--proxy-server=<proxy server>"
    For example,
    --proxy-pac-url="https://example.com/proxy.pac"
    Supported only for Windows endpoints.
    		SAMLAUTHPROXY="--proxy-server=<proxy server>" n/a
    Use Default Browser for Captive PortalCPUSINGDEFBROWSER = yes | no
    Supported only for Windows endpoints.
    		CPUSINGDEFBROWSER = yes | noyes
    The default browser is used for captive portal.
    GlobalProtect App Config Refresh Interval (hours)
    refresh-config-interval <hours>
    REFRESHCONFIGINTERVAL= ”<hours>
    24
    Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
    wsc-autodetect yes | no
    n/a
    no
    Detect Proxy for Each Connection (Windows Only)
    proxy-multiple-autodetect yes | no
    n/a
    no
    Clear Single Sign-On Credentials on Logout (Windows Only)
    logout-remove-sso yes | no
    LOGOUTREMOVESSO=”yes | no”
    yes
    Disable Single Sign-On on local machines
    This setting allows you to disable the SSO feature even if it is configured on the portal. It overwrites the portal configuration when you manually add the key to the Windows registry or macOS plist and set the value as Yes.
    For Windows endpoints, you must manually add this setting to the Windows registry:
    Windows Path:
    HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
    Key Name/Value:
    force-sso-disable yes | no
    For macOS endpoints, you must manually add this setting to the macOS plist:
    macOS Path:
    /Library/Preferences/com.paloaltonetworks. GlobalProtect.settings.plist
    Add the setting under Palo Alto Networks > GlobalProtect > Settings
    Key Name/Value:
    force-sso-disable yes | no
    This setting is not supported in msiexec.
    n/a
    Use Default Authentication on Kerberos Authentication Failure (Windows Only)
    krb-auth-fail-fallback yes | no
    KRBAUTHFAILFALLBACK= ”yes | no”
    no
    Use Default Browser for SAML Authentication
    		(macOS plist)
    default-browser yes | no
    DEFAULTBROWSER= “yes | no”
    no
    Custom Password Expiration Message (LDAP Authentication Only)
    		(Deprecated)
    PasswordExpiryMessage <message>
    n/a
    Password expires in <number> days
    Portal Connection Timeout (sec)
    portal-timeout <portaltimeout>
    n/a
    5
    TCP Connection Timeout (sec)
    connect-timeout <connect-timeout>
    n/a
    5
    TCP Receive Timeout (sec)
    receive-timeout <receive-timeout>
    n/a
    30
    Client Certificate Store Lookup
    certificate-store-lookup user | machine | user and machine | invalid
    CERTIFICATESTORELOOKUP= "user | machine | user and machine | invalid"
    user and machine
    SCEP Certificate Renewal Period (days)
    scep-certificate-renewal-period <renewalPeriod>
    n/a
    7
    Maximum Internal Gateway Connection Attempts
    max-internal-gateway-connection-attempts <maxValue>
    MIGCA="<maxValue>"
    0
    Extended Key Usage OID for Client Certificate
    ext-key-usage-oid-for-client-cert <oidValue>
    EXTCERTOID=”<oidValue>
    n/a
    User Switch Tunnel Rename Timeout (sec)
    user-switch-tunnel-rename-timeout <renameTimeout>
    n/a
    0
    Use Single Sign-On
    (Windows Only)
    use-sso yes | no
    USESSO="yes | no"
    yes
    Use Single Sign-On for Smart Card (Windows Only)
    use-sso-pin yes | no
    USESSOPIN="yes | no"
    no
    Inbound Authentication Message
    authentication-message
    n/a
    n/a
    Allow Overriding Username from Client Certificate
    override-cc-username yes | no
    n/a
    no
    Not in portal
    This setting specifies the default portal IP address (or hostname).
    portal <IPaddress>
    PORTAL="<IPaddress>"
    n/a
    Not in portal
    This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.
    prelogon 1
    PRELOGON="1"
    1
    Not in portal
    This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt the user for credentials if SSO fails.
    (Windows) can-prompt-user-credential yes | no
    CANPROMPTUSERCREDENTIAL= ”yes | no”
    yes
    Windows only/Not in portal
    This setting filters the third-party credential provider’s tile from the Windows login page so that only the native Windows tile is displayed.*
    wrap-cp-guid {third party credential provider guid}
    WRAPCPGUID=”{guid_value]” FILTERNONGPCP=”yes | no”
    no
    Windows only/Not in portal
    This setting is an additional option for the setting wrap-cp-guid, and allows the third-party credential provider tile to be displayed on the Windows login page, in addition to the native Windows logon tile.*
    filter-non-gpcp no
    n/a
    n/a
    Windows only/Not in portal
    This setting allows you to assign static IP addresses to Windows endpoints.
    reserved-ipv4 <reserved-ipv4>
    reserved-ipv6 <reserved-ipv6>
    RESERVEDIPV4=”<reserved-ipv4>
    RESERVEDIPV6=”<reserved-ipv6>
    n/a
    (Windows Only)
    This setting allows you to set a valid default gateway on GlobalProtect virtual adapter when you configure GlobalProtect app in Full-Tunnel mode.
    fake-default-gateway yes | no
    FIXDEFAULTGATEWAY yes | no
    n/a
    (Windows Only)
    This setting allows you to collect HIP data on Windows endpoints.
    collect-hip-data yes | no
    COLLECTHIPDATA= ”yes | no”
    n/a
    (Windows Only)
    This setting allows you to save gateway passwords on Windows endpoints.
    save-gateway-password yes | no
    SAVEGATEWAYPASSWORD= ”yes | no”
    n/a
    Windows Only/Not in portal
    This setting allows you to press the Enter key to log in to GlobalProtect from the embedded browser on Windows endpoints during SAML authentication.
    In some cases, enabling this setting will prevent the Enter key press from being accepted during sign on. If this occurs, change the setting to no.
    		Windows Registry Path:
    HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
    Key Name/Value
    translate-enter-key yes | no
    TRANSLATEENTERKEY= "yes | no"
    		yes
    For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Endpoints.

    © 2025 Palo Alto Networks, Inc. All rights reserved.