Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
GlobalProtect
GlobalProtect Administrator's Guide
GlobalProtect Cryptography
Cipher Exchange Between the GlobalProtect App and Gateway

Last Updated:

Wed Mar 15 23:22:24 UTC 2023

Current Version:

10.1 & Later

Version 10.1 & Later
Version 10.0 (EoL)
Version 9.1

Table of Contents

Filter

GlobalProtect Overview

About the GlobalProtect Components

What OS Versions are Supported with GlobalProtect?

About GlobalProtect Licenses

Get Started

Create Interfaces and Zones for GlobalProtect

Enable SSL Between GlobalProtect Components

About GlobalProtect Certificate Deployment

GlobalProtect Certificate Best Practices

Deploy Server Certificates to the GlobalProtect Components

GlobalProtect User Authentication

How Does the App Know What Credentials to Supply?

Cookie Authentication on the Portal or Gateway

Credential Forwarding to Some or All Gateways

How Does the App Know Which Certificate to Supply?

Set Up External Authentication

Set Up LDAP Authentication

Set Up SAML Authentication

Use the Default System Browser for SAML Authentication

Set Up Kerberos Authentication

Set Up RADIUS or TACACS+ Authentication

Set Up Client Certificate Authentication

Deploy Shared Client Certificates for Authentication

Deploy Machine Certificates for Authentication

Deploy User-Specific Client Certificates for Authentication

Enable Certificate Selection Based on OID

Set Up Two-Factor Authentication

Enable Two-Factor Authentication Using Certificate and Authentication Profiles

Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Enable Two-Factor Authentication Using Smart Cards

Enable Two-Factor Authentication Using a Software Token Application

Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints

Enable Authentication Using a Certificate Profile

Enable Authentication Using an Authentication Profile

Enable Authentication Using Two-Factor Authentication

Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications

Enable Delivery of VSAs to a RADIUS Server

Enable Group Mapping

GlobalProtect Gateways

Gateway Priority in a Multiple Gateway Configuration

Configure a GlobalProtect Gateway

Split Tunnel Traffic on GlobalProtect Gateways

Configure a Split Tunnel Based on the Access Route

Configure a Split Tunnel Based on the Domain and Application

Exclude Video Traffic from the GlobalProtect VPN Tunnel

GlobalProtect MIB Support

GlobalProtect Portals

Set Up Access to the GlobalProtect Portal

Define the GlobalProtect Client Authentication Configurations

Define the GlobalProtect Agent Configurations

Customize the GlobalProtect App

Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Enforce GlobalProtect for Network Access

GlobalProtect Apps

Deploy the GlobalProtect App to End Users

GlobalProtect App Minimum Hardware Requirements

Download the GlobalProtect App Software Package for Hosting on the Portal

Host App Updates on the Portal

Host App Updates on a Web Server

Test the App Installation

Download and Install the GlobalProtect Mobile App

View and Collect GlobalProtect App Logs

Deploy App Settings Transparently

Customizable App Settings

App Display Options

User Behavior Options

App Behavior Options

Script Deployment Options

Deploy App Settings to Windows Endpoints

Deploy App Settings in the Windows Registry

Deploy App Settings from Msiexec

Deploy Scripts Using the Windows Registry

Deploy Scripts Using Msiexec

Deploy Connect Before Logon Settings in the Windows Registry

Deploy GlobalProtect Credential Provider Settings in the Windows Registry

SSO Wrapping for Third-Party Credential Providers on Windows Endpoints

Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Deploy App Settings to macOS Endpoints

Deploy App Settings in the macOS Plist

Deploy Scripts Using the macOS Plist

Deploy App Settings to Linux Endpoints

GlobalProtect Clientless VPN

Clientless VPN Overview

Supported Technologies

Configure Clientless VPN

Troubleshoot Clientless VPN

Mobile Device Management

Mobile Device Management Overview

Set Up the MDM Integration With GlobalProtect

Qualified MDM Vendors

Manage the GlobalProtect App Using Workspace ONE

Deploy the GlobalProtect Mobile App Using Workspace ONE

Delegate GlobalProtect Certificates for Android Endpoints Using Workspace ONE

Deploy the GlobalProtect App for Android on Managed Chromebooks Using Workspace ONE

Configure Workspace ONE for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE

Configure Workspace ONE for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure Workspace ONE for Android Endpoints

Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE

Enable App Scan Integration with WildFire

Manage the GlobalProtect App Using Microsoft Intune

Deploy the GlobalProtect Mobile App Using Microsoft Intune

Deploy a New Device Using Windows Autopilot and Microsoft Intune

Configure Microsoft Intune for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure Microsoft Intune for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Manage the GlobalProtect App Using MobileIron

Deploy the GlobalProtect Mobile App Using MobileIron

Configure MobileIron for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using MobileIron

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using MobileIron

Configure a Per-App VPN Configuration for iOS Endpoints Using MobileIron

Configure MobileIron for Android Endpoints

Configure an Always On VPN Configuration for Android Endpoints Using MobileIron

Manage the GlobalProtect App Using Google Admin Console

Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console

Configure Google Admin Console for Android Endpoints

Configure an Always On VPN Configuration for Chromebooks Using the Google Admin Console

Manage the GlobalProtect App Using Jamf Pro

Deploy the GlobalProtect Mobile App Using Jamf Pro

Enable System and Network Extensions on macOS Endpoints Using Jamf Pro

Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro

Enable GlobalProtect Network Extensions on macOS Catalina Endpoints Using Jamf Pro

Enable GlobalProtect Network Extensions on macOS Big Sur Endpoints Using Jamf Pro

Add a Configuration Profile for the GlobalProtect Enforcer by Using Jamf Pro 10.26.0

Verify Configuration Profiles Deployed by Jamf Pro

Remove System Extensions on macOS Monterey Endpoints Using Jamf Pro

Uninstall the GlobalProtect Mobile App Using Jamf Pro

Suppress Notifications on the GlobalProtect App for macOS Endpoints

Enable Kernel Extensions in the GlobalProtect App for macOS Endpoints

Enable System Extensions in the GlobalProtect App for macOS Endpoints

Manage the GlobalProtect App Using Other Third-Party MDMs

Configure the GlobalProtect App for iOS

Example: GlobalProtect iOS App Device-Level VPN Configuration

Example: GlobalProtect iOS App App-Level VPN Configuration

Configure the GlobalProtect App for Android

Example: Set VPN Configuration

Example: Remove VPN Configuration

GlobalProtect for IoT Devices

GlobalProtect for IoT Requirements

Configure the GlobalProtect Portals and Gateways for IoT Devices

Install GlobalProtect for IoT on Android

Install GlobalProtect for IoT on Raspbian

Install GlobalProtect for IoT on Ubuntu

Install GlobalProtect for IoT on Windows

Host Information

About Host Information

What Data Does the GlobalProtect App Collect?

What Data Does the GlobalProtect App Collect on Each Operating System?

How Does the Gateway Use the Host Information to Enforce Policy?

How Do Users Know if Their Systems are Compliant?

How Do I Get Visibility into the State of the Endpoints?

Configure HIP-Based Policy Enforcement

Collect Application and Process Data From Endpoints

Redistribute HIP Reports

Configure Windows User-ID Agent to Collect Host Information

MDM Integration Overview

Information Collected

System Requirements

Configure GlobalProtect to Retrieve Host Information

Troubleshoot the MDM Integration Service

Quarantine Devices Using Host Information

Identification and Quarantine of Compromised Devices Overview and License Requirements

View Quarantined Device Information

Manually Add and Delete Devices From the Quarantine List

Automatically Quarantine a Device

Use GlobalProtect and Security Policies to Block Access to Quarantined Devices

Redistribute Device Quarantine Information from Panorama

Certifications

Enable and Verify FIPS-CC Mode

Enable and Verify FIPS-CC Mode on Windows Endpoints

Enable and Verify FIPS-CC Mode on macOS Endpoints

FIPS-CC Security Functions

Resolve FIPS-CC Mode Issues

GlobalProtect Quick Configs

Remote Access VPN (Authentication Profile)

Remote Access VPN (Certificate Profile)

Remote Access VPN with Two-Factor Authentication

Always On VPN Configuration

Remote Access VPN with Pre-Logon

GlobalProtect Multiple Gateway Configuration

GlobalProtect for Internal HIP Checking and User-Based Access

Mixed Internal and External Gateway Configuration

Captive Portal and Enforce GlobalProtect for Network Access

GlobalProtect Architecture

GlobalProtect Reference Architecture Topology

GlobalProtect Portal

GlobalProtect Gateways

GlobalProtect Reference Architecture Features

End User Experience

Management and Logging

Monitoring and High Availability

GlobalProtect Reference Architecture Configurations

Gateway Configuration

Portal Configuration

Policy Configurations

GlobalProtect Cryptography

About GlobalProtect Cipher Selection

Cipher Exchange Between the GlobalProtect App and Gateway

GlobalProtect Cryptography References

Reference: GlobalProtect App Cryptographic Functions

TLS Cipher Suites Supported by GlobalProtect Apps

Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks

Ciphers Used to Set Up IPsec Tunnels

SSL APIs

GlobalProtect App Log Collection for Troubleshooting

GlobalProtect App Log Collection for Troubleshooting Overview

Checklist for GlobalProtect App Log Collection for Troubleshooting

Set Up GlobalProtect Connectivity to Cortex Data Lake

Configure the App Log Collection Settings on the GlobalProtect Portal

View the GlobalProtect App Troubleshooting and Diagnostic Logs on the Explore App

Details Within the GlobalProtect App Troubleshooting and Diagnostic Logs

Logging for GlobalProtect in PAN-OS

View a Graphical Display of GlobalProtect User Activity in PAN-OS

View All GlobalProtect Logs on a Dedicated Page in PAN-OS

Event Descriptions for the GlobalProtect Logs in PAN-OS

Filter GlobalProtect Logs for Gateway Latency in PAN-OS

Restrict Access to GlobalProtect Logs in PAN-OS

Forward GlobalProtect Logs to an External Service in PAN-OS

Configure Custom Reports for GlobalProtect in PAN-OS

GlobalProtect Overview
Get Started
- Create Interfaces and Zones for GlobalProtect
- Enable SSL Between GlobalProtect Components
GlobalProtect User Authentication
GlobalProtect Gateways
GlobalProtect Portals
GlobalProtect Apps
- Deploy the GlobalProtect App to End Users
- Deploy App Settings Transparently
GlobalProtect Clientless VPN
Mobile Device Management
GlobalProtect for IoT Devices
Host Information
Certifications
GlobalProtect Quick Configs
GlobalProtect Architecture
GlobalProtect Cryptography
GlobalProtect App Log Collection for Troubleshooting
Logging for GlobalProtect in PAN-OS

Document:GlobalProtect Administrator's Guide

Cipher Exchange Between the GlobalProtect App and Gateway

Last Updated:

Wed Mar 15 23:22:24 UTC 2023

Current Version:

10.1 & Later

Version 10.1 & Later
Version 10.0 (EoL)
Version 9.1

Table of Contents

Filter

GlobalProtect Overview

About the GlobalProtect Components

What OS Versions are Supported with GlobalProtect?

About GlobalProtect Licenses

Get Started

Create Interfaces and Zones for GlobalProtect

Enable SSL Between GlobalProtect Components

About GlobalProtect Certificate Deployment

GlobalProtect Certificate Best Practices

Deploy Server Certificates to the GlobalProtect Components

GlobalProtect User Authentication

How Does the App Know What Credentials to Supply?

Cookie Authentication on the Portal or Gateway

Credential Forwarding to Some or All Gateways

How Does the App Know Which Certificate to Supply?

Set Up External Authentication

Set Up LDAP Authentication

Set Up SAML Authentication

Use the Default System Browser for SAML Authentication

Set Up Kerberos Authentication

Set Up RADIUS or TACACS+ Authentication

Set Up Client Certificate Authentication

Deploy Shared Client Certificates for Authentication

Deploy Machine Certificates for Authentication

Deploy User-Specific Client Certificates for Authentication

Enable Certificate Selection Based on OID

Set Up Two-Factor Authentication

Enable Two-Factor Authentication Using Certificate and Authentication Profiles

Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Enable Two-Factor Authentication Using Smart Cards

Enable Two-Factor Authentication Using a Software Token Application

Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints

Enable Authentication Using a Certificate Profile

Enable Authentication Using an Authentication Profile

Enable Authentication Using Two-Factor Authentication

Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications

Enable Delivery of VSAs to a RADIUS Server

Enable Group Mapping

GlobalProtect Gateways

Gateway Priority in a Multiple Gateway Configuration

Configure a GlobalProtect Gateway

Split Tunnel Traffic on GlobalProtect Gateways

Configure a Split Tunnel Based on the Access Route

Configure a Split Tunnel Based on the Domain and Application

Exclude Video Traffic from the GlobalProtect VPN Tunnel

GlobalProtect MIB Support

GlobalProtect Portals

Set Up Access to the GlobalProtect Portal

Define the GlobalProtect Client Authentication Configurations

Define the GlobalProtect Agent Configurations

Customize the GlobalProtect App

Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Enforce GlobalProtect for Network Access

GlobalProtect Apps

Deploy the GlobalProtect App to End Users

GlobalProtect App Minimum Hardware Requirements

Download the GlobalProtect App Software Package for Hosting on the Portal

Host App Updates on the Portal

Host App Updates on a Web Server

Test the App Installation

Download and Install the GlobalProtect Mobile App

View and Collect GlobalProtect App Logs

Deploy App Settings Transparently

Customizable App Settings

App Display Options

User Behavior Options

App Behavior Options

Script Deployment Options

Deploy App Settings to Windows Endpoints

Deploy App Settings in the Windows Registry

Deploy App Settings from Msiexec

Deploy Scripts Using the Windows Registry

Deploy Scripts Using Msiexec

Deploy Connect Before Logon Settings in the Windows Registry

Deploy GlobalProtect Credential Provider Settings in the Windows Registry

SSO Wrapping for Third-Party Credential Providers on Windows Endpoints

Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Deploy App Settings to macOS Endpoints

Deploy App Settings in the macOS Plist

Deploy Scripts Using the macOS Plist

Deploy App Settings to Linux Endpoints

GlobalProtect Clientless VPN

Clientless VPN Overview

Supported Technologies

Configure Clientless VPN

Troubleshoot Clientless VPN

Mobile Device Management

Mobile Device Management Overview

Set Up the MDM Integration With GlobalProtect

Qualified MDM Vendors

Manage the GlobalProtect App Using Workspace ONE

Deploy the GlobalProtect Mobile App Using Workspace ONE

Delegate GlobalProtect Certificates for Android Endpoints Using Workspace ONE

Deploy the GlobalProtect App for Android on Managed Chromebooks Using Workspace ONE

Configure Workspace ONE for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE

Configure Workspace ONE for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure Workspace ONE for Android Endpoints

Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE

Enable App Scan Integration with WildFire

Manage the GlobalProtect App Using Microsoft Intune

Deploy the GlobalProtect Mobile App Using Microsoft Intune

Deploy a New Device Using Windows Autopilot and Microsoft Intune

Configure Microsoft Intune for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure Microsoft Intune for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Manage the GlobalProtect App Using MobileIron

Deploy the GlobalProtect Mobile App Using MobileIron

Configure MobileIron for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using MobileIron

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using MobileIron

Configure a Per-App VPN Configuration for iOS Endpoints Using MobileIron

Configure MobileIron for Android Endpoints

Configure an Always On VPN Configuration for Android Endpoints Using MobileIron

Manage the GlobalProtect App Using Google Admin Console

Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console

Configure Google Admin Console for Android Endpoints

Configure an Always On VPN Configuration for Chromebooks Using the Google Admin Console

Manage the GlobalProtect App Using Jamf Pro

Deploy the GlobalProtect Mobile App Using Jamf Pro

Enable System and Network Extensions on macOS Endpoints Using Jamf Pro

Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro

Enable GlobalProtect Network Extensions on macOS Catalina Endpoints Using Jamf Pro

Enable GlobalProtect Network Extensions on macOS Big Sur Endpoints Using Jamf Pro

Add a Configuration Profile for the GlobalProtect Enforcer by Using Jamf Pro 10.26.0

Verify Configuration Profiles Deployed by Jamf Pro

Remove System Extensions on macOS Monterey Endpoints Using Jamf Pro

Uninstall the GlobalProtect Mobile App Using Jamf Pro

Suppress Notifications on the GlobalProtect App for macOS Endpoints

Enable Kernel Extensions in the GlobalProtect App for macOS Endpoints

Enable System Extensions in the GlobalProtect App for macOS Endpoints

Manage the GlobalProtect App Using Other Third-Party MDMs

Configure the GlobalProtect App for iOS

Example: GlobalProtect iOS App Device-Level VPN Configuration

Example: GlobalProtect iOS App App-Level VPN Configuration

Configure the GlobalProtect App for Android

Example: Set VPN Configuration

Example: Remove VPN Configuration

GlobalProtect for IoT Devices

GlobalProtect for IoT Requirements

Configure the GlobalProtect Portals and Gateways for IoT Devices

Install GlobalProtect for IoT on Android

Install GlobalProtect for IoT on Raspbian

Install GlobalProtect for IoT on Ubuntu

Install GlobalProtect for IoT on Windows

Host Information

About Host Information

What Data Does the GlobalProtect App Collect?

What Data Does the GlobalProtect App Collect on Each Operating System?

How Does the Gateway Use the Host Information to Enforce Policy?

How Do Users Know if Their Systems are Compliant?

How Do I Get Visibility into the State of the Endpoints?

Configure HIP-Based Policy Enforcement

Collect Application and Process Data From Endpoints

Redistribute HIP Reports

Configure Windows User-ID Agent to Collect Host Information

MDM Integration Overview

Information Collected

System Requirements

Configure GlobalProtect to Retrieve Host Information

Troubleshoot the MDM Integration Service

Quarantine Devices Using Host Information

Identification and Quarantine of Compromised Devices Overview and License Requirements

View Quarantined Device Information

Manually Add and Delete Devices From the Quarantine List

Automatically Quarantine a Device

Use GlobalProtect and Security Policies to Block Access to Quarantined Devices

Redistribute Device Quarantine Information from Panorama

Certifications

Enable and Verify FIPS-CC Mode

Enable and Verify FIPS-CC Mode on Windows Endpoints

Enable and Verify FIPS-CC Mode on macOS Endpoints

FIPS-CC Security Functions

Resolve FIPS-CC Mode Issues

GlobalProtect Quick Configs

Remote Access VPN (Authentication Profile)

Remote Access VPN (Certificate Profile)

Remote Access VPN with Two-Factor Authentication

Always On VPN Configuration

Remote Access VPN with Pre-Logon

GlobalProtect Multiple Gateway Configuration

GlobalProtect for Internal HIP Checking and User-Based Access

Mixed Internal and External Gateway Configuration

Captive Portal and Enforce GlobalProtect for Network Access

GlobalProtect Architecture

GlobalProtect Reference Architecture Topology

GlobalProtect Portal

GlobalProtect Gateways

GlobalProtect Reference Architecture Features

End User Experience

Management and Logging

Monitoring and High Availability

GlobalProtect Reference Architecture Configurations

Gateway Configuration

Portal Configuration

Policy Configurations

GlobalProtect Cryptography

About GlobalProtect Cipher Selection

Cipher Exchange Between the GlobalProtect App and Gateway

GlobalProtect Cryptography References

Reference: GlobalProtect App Cryptographic Functions

TLS Cipher Suites Supported by GlobalProtect Apps

Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints