Do not attach an interface management profile
that allows HTTP, HTTPS, Telnet, or SSH on the interface where you have
configured a GlobalProtect portal or gateway because this enables
access to your management interface from the internet. Follow the Administrative Access Best Practices to
ensure that you are securing administrative access to your firewalls
in a way that will prevent successful attacks.
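One way to turn the warning above into a repeatable audit check, as an added example that is not part of the original documentation and not a PAN-OS tool: the function walks a simplified configuration model (a constructed dictionary, not the firewall's own schema or API output) and flags every interface that hosts a GlobalProtect portal or gateway while carrying an interface management profile that permits HTTP, HTTPS, Telnet or SSH.

```python
"""Audit check: report interfaces that host a GlobalProtect portal or gateway
and also carry an interface management profile permitting HTTP, HTTPS,
Telnet or SSH.  The configuration model is a constructed, simplified
dictionary for this example; it is not PAN-OS's own schema."""

# Services that expose the management plane when allowed on an internet-facing interface.
MANAGEMENT_SERVICES = ("http", "https", "telnet", "ssh")


def exposed_management_interfaces(config):
    """Return a list of (interface, profile, [offending services]) tuples.

    config layout (assumed, constructed for this example):
      config["mgmt_profiles"] -> {profile_name: {service_name: bool}}
      config["interfaces"]    -> {interface_name: {"mgmt_profile": str | None}}
      config["globalprotect"] -> {"portals": [iface, ...], "gateways": [iface, ...]}
    """
    gp_ifaces = set(config["globalprotect"].get("portals", [])) | set(
        config["globalprotect"].get("gateways", []))
    findings = []
    for iface in sorted(gp_ifaces):
        profile_name = config["interfaces"].get(iface, {}).get("mgmt_profile")
        if not profile_name:
            continue  # no management profile attached: nothing to flag
        profile = config["mgmt_profiles"].get(profile_name, {})
        offending = [svc for svc in MANAGEMENT_SERVICES if profile.get(svc)]
        if offending:
            findings.append((iface, profile_name, offending))
    return findings


# Constructed sample: one portal interface with a permissive profile, one
# gateway interface with a ping-only profile, one gateway with no profile.
SAMPLE_CONFIG = {
    "mgmt_profiles": {
        "allow-all": {"http": True, "https": True, "ssh": True, "telnet": False, "ping": True},
        "ping-only": {"ping": True},
    },
    "interfaces": {
        "ethernet1/1": {"mgmt_profile": "allow-all"},
        "ethernet1/2": {"mgmt_profile": "ping-only"},
        "ethernet1/3": {"mgmt_profile": None},
    },
    "globalprotect": {"portals": ["ethernet1/1"], "gateways": ["ethernet1/2", "ethernet1/3"]},
}

if __name__ == "__main__":
    for iface, prof, svcs in exposed_management_interfaces(SAMPLE_CONFIG):
        print(f"{iface}: profile '{prof}' permits {', '.join(svcs)} on a GlobalProtect interface")
```

Feeding the real configuration into this check requires mapping the exported configuration onto the three dictionaries the function expects; a ping-only profile (or none at all) on the portal and gateway interfaces produces no findings.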
In the Network Settings area, select an
IP Address Type
for the portal web service:
The IP address type can be IPv4 and IPv6 if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.
The IP address must be compatible with the IP address type.
for IPv4 addresses
for IPv6 addresses.
For dual stack configurations, enter both an IPv4 and IPv6 address.
SSL/TLS Service Profile
and configure Decryption
You can log successful and unsuccessful TLS/SSL handshakes
and you can forward Decryption logs to Log Collectors, other storage
devices, and to specific administrators.
By default, the firewall logs only unsuccessful TLS handshakes. It is a best
practice to log successful handshakes as well so that you gain visibility
into as much decrypted traffic as available resources permit (but
don’t decrypt private or sensitive traffic; follow decryption best practices and
decrypt as much traffic as you can).
If you have not already done so, create a Log Forwarding profile to
forward Decryption logs and specify it in the Gateway configuration.
If you log successful TLS handshakes in addition to unsuccessful
TLS handshakes, configure a larger log storage space quota for the
Decryption log (
Logging and Reporting
The default quota (allocation) is one percent of the device’s log
storage capacity for Decryption logs and one percent for the general
decryption summary. There is no default allocation for hourly, daily,
or weekly decryption summaries. Configure Decryption Logging provides
more information about how to allocate firewall log space to Decryption
If you allow users
to authenticate to the portal using either user credentials OR a
client certificate, select a
the data that the GlobalProtect app collects from connecting endpoints
after users successfully authenticate to the portal.
The GlobalProtect app sends this data to the portal to
match against the selection criteria that
you define for each portal agent configuration. Based on these criteria,
the portal delivers a specific agent configuration to the GlobalProtect
apps that connect.
Portal Data Collection
Configure any of the following data collection settings:
If you want the GlobalProtect app to collect machine
certificates from connecting endpoints, select the
that specifies the machine certificates that
you want to collect.
If you want the GlobalProtect app to collect custom host
information from connecting endpoints, define the following registry,
plist, or process list data in the Custom Checks area:
To collect registry data from Windows endpoints, select
To collect plist data from macOS endpoints, select
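To show how the collected portal data (machine certificate, registry values, plist values, running processes) is matched against selection criteria to pick an agent configuration, here is an added example that is not GlobalProtect's own code: the data shapes, criteria keys, configuration names, registry path and plist name are all constructed for illustration, and the matching rules (exact match, ordered evaluation with an empty-criteria fallback) are assumptions of this example rather than the product's documented behaviour.

```python
"""Worked example: select an agent configuration from endpoint data by
evaluating ordered selection criteria.  Data shapes and criteria keys are
constructed for this example, not GlobalProtect's own formats."""


def matches(criteria, endpoint):
    """True when every criterion is satisfied by the collected endpoint data.

    criteria keys (assumed for this example):
      "os"              -> exact match on endpoint["os"]
      "machine_cert_ou" -> endpoint["machine_cert"]["ou"] must equal it
      "registry"        -> {key_path: {value_name: expected}} (Windows)
      "plist"           -> {plist_name: {key: expected}} (macOS)
      "processes"       -> list of process names that must all be running
    """
    if "os" in criteria and endpoint.get("os") != criteria["os"]:
        return False
    if "machine_cert_ou" in criteria:
        cert = endpoint.get("machine_cert")
        if not cert or cert.get("ou") != criteria["machine_cert_ou"]:
            return False
    for key_path, values in criteria.get("registry", {}).items():
        found = endpoint.get("registry", {}).get(key_path, {})
        if any(found.get(name) != expected for name, expected in values.items()):
            return False
    for plist_name, values in criteria.get("plist", {}).items():
        found = endpoint.get("plist", {}).get(plist_name, {})
        if any(found.get(key) != expected for key, expected in values.items()):
            return False
    running = set(endpoint.get("processes", []))
    if not set(criteria.get("processes", [])) <= running:
        return False
    return True


def select_agent_config(agent_configs, endpoint):
    """Return the name of the first agent configuration whose criteria match.

    Configurations are evaluated top to bottom; a final entry with empty
    criteria acts as the fallback so that every endpoint receives something.
    """
    for name, criteria in agent_configs:
        if matches(criteria, endpoint):
            return name
    return None


# Constructed agent configurations, ordered from most to least specific.
AGENT_CONFIGS = [
    ("corp-windows-managed", {
        "os": "windows",
        "machine_cert_ou": "Corp Devices",
        "registry": {r"HKLM\SOFTWARE\Example\Agent": {"Installed": 1}},
        "processes": ["edr-sensor.exe"],
    }),
    ("corp-macos-managed", {
        "os": "macos",
        "machine_cert_ou": "Corp Devices",
        "plist": {"com.example.agent": {"Enrolled": True}},
    }),
    ("fallback-restricted", {}),
]

# Constructed endpoint reports as the portal would receive them after authentication.
MANAGED_WINDOWS = {
    "os": "windows",
    "machine_cert": {"ou": "Corp Devices"},
    "registry": {r"HKLM\SOFTWARE\Example\Agent": {"Installed": 1}},
    "processes": ["explorer.exe", "edr-sensor.exe"],
}
MANAGED_MAC = {
    "os": "macos",
    "machine_cert": {"ou": "Corp Devices"},
    "plist": {"com.example.agent": {"Enrolled": True}},
    "processes": [],
}
UNMANAGED_MAC = {"os": "macos", "machine_cert": None, "plist": {}, "processes": []}

if __name__ == "__main__":
    for label, endpoint in [("managed windows", MANAGED_WINDOWS),
                            ("managed mac", MANAGED_MAC),
                            ("unmanaged mac", UNMANAGED_MAC)]:
        print(f"{label}: {select_agent_config(AGENT_CONFIGS, endpoint)}")
```

The ordering matters: an endpoint that satisfies no specific configuration falls through to the restrictive entry at the end, which is the safer default than handing an unmanaged device the configuration meant for managed ones.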