In order to connect to GlobalProtect™, an endpoint must
be running the GlobalProtect app. Use the GlobalProtect app compatibility
matrix to determine what version of the GlobalProtect app
you want your users to run on their endpoints. Because the version
that an end user must download and install to enable successful
connectivity to your network depends on your environment, there
is no direct download link for the GlobalProtect app on the Palo
Alto Networks site.
After you decide what version of the GlobalProtect app you want
your end users to run, you can deploy the app. The software deployment
method depends on the type of endpoint as follows:
macOS and Windows endpoints
There are several options you can use to
distribute and install the software on macOS and Windows endpoints:
Directly from the portal—Download the app software
to the firewall hosting the portal, and then activate it so that
end users can install the updates when they connect to the portal.
This option provides flexibility by allowing you to control how
and when end users receive updates based on the agent configuration
settings you define for each user, group, and/or operating system.
However, if you have a large number of apps that require updates,
it could put extra load on your portal. See Host
App Updates on the Portal for instructions.
From a web server—If you have a large number of endpoints
that need to upgrade the app simultaneously, consider hosting the
app updates on a web server to reduce the load on the firewall.
See Host App Updates on a Web Server for instructions.
Transparently from the command line—For Windows endpoints,
you can deploy app settings automatically using the Windows Installer
(Msiexec). However, to upgrade to a later app version using Msiexec,
you must first uninstall the existing app. In addition, Msiexec
allows for deployment of app settings directly on the endpoints
by setting values in the Windows registry. Similarly, you can
deploy app settings to macOS endpoints by configuring settings
in the macOS plist. See Deploy
App Settings Transparently.
Using group policy rules—In Active Directory environments,
the GlobalProtect app can also be distributed to end users through
an Active Directory group policy. AD group policies allow for automated
modification of Windows endpoint settings and software. Refer to
the article at http://support.microsoft.com/kb/816102 for
more information on how to use Group Policy to automatically distribute
programs to endpoints or users.
From a mobile endpoint management system—If you use
a mobile management system, such as an MDM or EMM, to manage your
mobile endpoints, you can use the system to deploy and configure
the GlobalProtect app. See Mobile
Windows 10 phone and Windows 10 UWP
From a mobile endpoint management system—If
you use a mobile management system, such as an MDM or EMM, that
supports Windows 10 endpoints, you can use the system to deploy
and configure the GlobalProtect app. See Mobile
If you use a mobile management system, such as an MDM or EMM, you can
use the system to deploy and configure the GlobalProtect app. See Mobile
From an app store—The end user can also download and
install the GlobalProtect app directly from the Apple App Store
(iOS endpoints) or from Google Play (Android endpoints). For instructions
on how to download and test the GlobalProtect app installation,
and Install the GlobalProtect Mobile App.
The GlobalProtect app for Android is supported only on certain Chromebooks.
Chromebooks that do not support Android applications must continue to run the
GlobalProtect app for Chrome, which is not supported starting with
GlobalProtect app 5.0.
After you download the GlobalProtect app
for Linux from the Support Site, you can
distribute and install the app:
Using Linux app—Linux app distribution is typically managed
using third-party tools (such as Chef and Puppet), or using a local
repository for the Linux operating system (for example, Ubuntu repositories and RHEL repositories). See the documentation
for your Linux operating system for more information.
—If you make the software available
to your end users, they can manually install the software using
Linux tools such as
For instructions on how to install the GlobalProtect app for Linux,
As an alternative to deploying the GlobalProtect app software,
you can configure the GlobalProtect portal to provide secure
remote access to common enterprise web applications that use HTML,
secure access from SSL-enabled web browsers without installing
the GlobalProtect app software. Refer to GlobalProtect