App Behavior Options

The following table lists the options that you can configure in the Windows Registry and macOS plist to customize the behavior of the GlobalProtect app.
Some settings do not have a corresponding portal configuration setting on the web interface and must be configured using the Windows Registry, Msiexec, or macOS plist. These settings are listed in the table as “Not in portal.” They include, but are not limited to, settings such as the following: portal <IPaddress>, prelogon 1, and can-prompt-user-credential.
Table: Customizable App Behavior Options

Portal Agent Configuration: Connect Method
    Windows Registry/macOS Plist: connect-method on-demand | pre-logon | user-logon
    Msiexec Parameter: CONNECTMETHOD="on-demand | pre-logon | user-logon"
    Default: user-logon

Portal Agent Configuration: GlobalProtect App Config Refresh Interval (hours)
    Windows Registry/macOS Plist: refresh-config-interval <hours>
    Msiexec Parameter: REFRESHCONFIGINTERVAL="<hours>"
    Default: 24

Portal Agent Configuration: Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
    Windows Registry/macOS Plist: wsc-autodetect yes | no
    Msiexec Parameter: n/a
    Default: no

Portal Agent Configuration: Detect Proxy for Each Connection (Windows Only)
    Windows Registry/macOS Plist: proxy-multiple-autodetect yes | no
    Msiexec Parameter: n/a
    Default: no

Portal Agent Configuration: Clear Single Sign-On Credentials on Logout (Windows Only)
    Windows Registry/macOS Plist: logout-remove-sso yes | no
    Msiexec Parameter: LOGOUTREMOVESSO="yes | no"
    Default: yes

Portal Agent Configuration: Disable Single Sign-On on local machines
    This setting allows you to disable the SSO feature even if it is configured on the portal. It overwrites the portal configuration when you manually add the key to the Windows registry or macOS plist and set the value as Yes.
    Windows Registry/macOS Plist:
        For Windows endpoints, you must manually add this setting to the Windows registry:
            Windows Path: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
            Key Name/Value: force-sso-disable yes | no
        For macOS endpoints, you must manually add this setting to the macOS plist:
            macOS Path: /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
            Add the setting under Palo Alto Networks > GlobalProtect > Settings
            Key Name/Value: force-sso-disable yes | no
    Msiexec Parameter: This setting is not supported in msiexec.
    Default: n/a

Portal Agent Configuration: Use Default Authentication on Kerberos Authentication Failure (Windows Only)
    Windows Registry/macOS Plist: krb-auth-fail-fallback yes | no
    Msiexec Parameter: KRBAUTHFAILFALLBACK="yes | no"
    Default: no

Portal Agent Configuration: Use Default Browser for SAML Authentication
    Windows Registry/macOS Plist: (macOS plist) default-browser yes | no
    Msiexec Parameter: DEFAULTBROWSER="yes | no"
    Default: no

Portal Agent Configuration: Custom Password Expiration Message (LDAP Authentication Only)
    Windows Registry/macOS Plist: (Deprecated) PasswordExpiryMessage <message>
    Msiexec Parameter: n/a
    Default: Password expires in <number> days

Portal Agent Configuration: Portal Connection Timeout (sec)
    Windows Registry/macOS Plist: portal-timeout <portaltimeout>
    Msiexec Parameter: n/a
    Default: 5

Portal Agent Configuration: TCP Connection Timeout (sec)
    Windows Registry/macOS Plist: connect-timeout <connect-timeout>
    Msiexec Parameter: n/a
    Default: 5

Portal Agent Configuration: TCP Receive Timeout (sec)
    Windows Registry/macOS Plist: receive-timeout <receive-timeout>
    Msiexec Parameter: n/a
    Default: 30

Portal Agent Configuration: Client Certificate Store Lookup
    Windows Registry/macOS Plist: certificate-store-lookup user | machine | user and machine | invalid
    Msiexec Parameter: CERTIFICATESTORELOOKUP="user | machine | user and machine | invalid"
    Default: user and machine

Portal Agent Configuration: SCEP Certificate Renewal Period (days)
    Windows Registry/macOS Plist: scep-certificate-renewal-period <renewalPeriod>
    Msiexec Parameter: n/a
    Default: 7

Portal Agent Configuration: Maximum Internal Gateway Connection Attempts
    Windows Registry/macOS Plist: max-internal-gateway-connection-attempts <maxValue>
    Msiexec Parameter: MIGCA="<maxValue>"
    Default: 0

Portal Agent Configuration: Extended Key Usage OID for Client Certificate
    Windows Registry/macOS Plist: ext-key-usage-oid-for-client-cert <oidValue>
    Msiexec Parameter: EXTCERTOID="<oidValue>"
    Default: n/a

Portal Agent Configuration: User Switch Tunnel Rename Timeout (sec)
    Windows Registry/macOS Plist: user-switch-tunnel-rename-timeout <renameTimeout>
    Msiexec Parameter: n/a
    Default: 0

Portal Agent Configuration: Use Single Sign-On (Windows Only)
    Windows Registry/macOS Plist: use-sso yes | no
    Msiexec Parameter: USESSO="yes | no"
    Default: yes

Portal Agent Configuration: Use Single Sign-On for Smart Card (Windows Only)
    Windows Registry/macOS Plist: use-sso-pin yes | no
    Msiexec Parameter: USESSOPIN="yes | no"
    Default: no

Portal Agent Configuration: Inbound Authentication Message
    Windows Registry/macOS Plist: authentication-message
    Msiexec Parameter: n/a
    Default: n/a

Portal Agent Configuration: Allow Overriding Username from Client Certificate
    Windows Registry/macOS Plist: override-cc-username yes | no
    Msiexec Parameter: n/a
    Default: no

Portal Agent Configuration: Not in portal
    This setting specifies the default portal IP address (or hostname).
    Windows Registry/macOS Plist: portal <IPaddress>
    Msiexec Parameter: PORTAL="<IPaddress>"
    Default: n/a

Portal Agent Configuration: Not in portal
    This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.
    Windows Registry/macOS Plist: prelogon 1
    Msiexec Parameter: PRELOGON="1"
    Default: 1

Portal Agent Configuration: Not in portal
    This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt the user for credentials if SSO fails.
    Windows Registry/macOS Plist: (Windows) can-prompt-user-credential yes | no
    Msiexec Parameter: CANPROMPTUSERCREDENTIAL="yes | no"
    Default: yes

Portal Agent Configuration: Windows only/Not in portal
    This setting filters the third-party credential provider’s tile from the Windows login page so that only the native Windows tile is displayed.*
    Windows Registry/macOS Plist: wrap-cp-guid {third party credential provider guid}
    Msiexec Parameter: WRAPCPGUID="{guid_value}" FILTERNONGPCP="yes | no"
    Default: no

Portal Agent Configuration: Windows only/Not in portal
    This setting is an additional option for the setting wrap-cp-guid, and allows the third-party credential provider tile to be displayed on the Windows login page, in addition to the native Windows logon tile.*
    Windows Registry/macOS Plist: filter-non-gpcp no
    Msiexec Parameter: n/a
    Default: n/a

Portal Agent Configuration: Windows only/Not in portal
    This setting allows you to assign static IP addresses to Windows endpoints.
    Windows Registry/macOS Plist:
        reserved-ipv4 <reserved-ipv4>
        reserved-ipv6 <reserved-ipv6>
    Msiexec Parameter:
        RESERVEDIPV4="<reserved-ipv4>"
        RESERVEDIPV6="<reserved-ipv6>"
    Default: n/a

Portal Agent Configuration: (Windows Only)
    This setting allows you to set a valid default gateway on GlobalProtect virtual adapter when you configure GlobalProtect app in Full-Tunnel mode.
    Windows Registry/macOS Plist: fake-default-gateway yes | no
    Msiexec Parameter: fake-default-gateway yes | no
    Default: n/a

Portal Agent Configuration: (Windows Only)
    This setting allows you to collect HIP data on Windows endpoints.
    Windows Registry/macOS Plist: collect-hip-data yes | no
    Msiexec Parameter: COLLECTHIPDATA="yes | no"
    Default: n/a

Portal Agent Configuration: (Windows Only)
    This setting allows you to save gateway passwords on Windows endpoints.
    Windows Registry/macOS Plist: save-gateway-password yes | no
    Msiexec Parameter: SAVEGATEWAYPASSWORD="yes | no"
    Default: n/a

For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Endpoints.
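
The manual registry step described for the "Disable Single Sign-On on local machines" setting, as an added PowerShell example (not Palo Alto Networks code). The helper names are hypothetical, and storing the value as a string (REG_SZ) is an assumption, since the page gives only the key path and the name/value pair.

```powershell
# Added example. Key path and value name come from the table above.
# Assumption: the value is a string (REG_SZ); the page does not state the type.
$SettingsKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
$ValueName   = 'force-sso-disable'

function Set-ForceSsoDisable {    # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('yes', 'no')]    # the only values the table lists
        [string]$Value
    )

    # Create the Settings key only if it is missing, so existing values are kept.
    if (-not (Test-Path -LiteralPath $SettingsKey)) {
        if ($PSCmdlet.ShouldProcess($SettingsKey, 'Create registry key')) {
            New-Item -Path $SettingsKey -Force | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess("$SettingsKey\$ValueName", "Set to '$Value'")) {
        New-ItemProperty -LiteralPath $SettingsKey -Name $ValueName `
            -Value $Value -PropertyType String -Force | Out-Null
    }
}

function Get-ForceSsoDisable {    # hypothetical helper name
    # Returns the configured value, or $null when the value has not been added.
    $item = Get-ItemProperty -LiteralPath $SettingsKey -Name $ValueName `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

# Run from an elevated session: the key lives under HKEY_LOCAL_MACHINE.
Set-ForceSsoDisable -Value 'yes'

# Read the value back so a failed or redirected write is caught immediately.
$current = Get-ForceSsoDisable
if ($current -ne 'yes') {
    throw "force-sso-disable is '$current', expected 'yes'"
}
"force-sso-disable = $current"
```

Running `Set-ForceSsoDisable -Value 'yes' -WhatIf` shows the intended registry changes without writing them.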
