End-of-Life (EoL)

Changes to Default Behavior

The following topics describe changes to default behavior in GlobalProtect app 4.1:

Changes to Default Behavior in GlobalProtect App 4.1.13

There are no changes to default behavior in GlobalProtect app 4.1.13.

Changes to Default Behavior in GlobalProtect App 4.1.12

There are no changes to default behavior in GlobalProtect app 4.1.12.

Changes to Default Behavior in GlobalProtect App 4.1.11

There are no changes to default behavior in GlobalProtect app 4.1.11.

Changes to Default Behavior in GlobalProtect App 4.1.10

The following table describes changes to default behavior in GlobalProtect app 4.1.10:
Feature: Default Credential Provider for Other Users
Description of Change: GlobalProtect no longer forces Windows 10 endpoints to use the GlobalProtect Credential Provider as the default credential provider for users logging in through the Other user login option. With this change, the most recently selected credential provider becomes the default credential provider for the Other user login option.
To manually assign the GlobalProtect credential provider as the default credential provider for the Other user login option, use the following steps:
You must have administrative access to the Windows 10 endpoint.
  1. From your Windows endpoint, launch the Command Prompt.
  2. Enter the gpedit.msc command to open the Local Group Policy Editor.
  3. Select Computer Configuration > Administrative Templates > System > Logon.
  4. From the list of Logon settings, select Assign a default credential provider and then edit the policy setting.
  5. When prompted, ensure that this setting is Enabled.
  6. In the Options area, under Assign the following credential provider as the default credential provider, enter the following CLSID for the GlobalProtect credential provider:
     25CA8579-1BD8-469C-B9FC-6AC45A161C18
  7. Apply the changes and then click OK.
  8. Restart your endpoint to verify that the GlobalProtect credential provider is the default credential provider for the Other user login option.
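To confirm the result of the steps above across endpoints without opening the policy editor, the following read-only check is an added example and is not part of the original Palo Alto Networks documentation. It assumes the Assign a default credential provider policy is stored as the DefaultCredentialProvider value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; the function names are hypothetical.

```powershell
# CLSID of the GlobalProtect credential provider, as given in step 6.
$GpClsid = '25CA8579-1BD8-469C-B9FC-6AC45A161C18'

# Assumption: the "Assign a default credential provider" policy is stored here.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyValue = 'DefaultCredentialProvider'
# Registered credential providers appear as CLSID-named subkeys of this key.
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function ConvertTo-BareClsid {
    param([string]$Value)
    # Entries may or may not carry braces; compare upper-case and without them.
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    return $Value.Trim().Trim('{}').ToUpperInvariant()
}

function Get-DefaultCredentialProviderStatus {
    $configured = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($item) { $configured = ConvertTo-BareClsid $item.$PolicyValue }

    # The policy only has an effect if the provider it names is registered.
    $registered = @(Get-ChildItem -Path $ProvidersKey -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-BareClsid $_.PSChildName })

    [pscustomobject]@{
        PolicyConfigured        = [bool]$configured
        ConfiguredClsid         = $configured
        IsGlobalProtect         = ($configured -eq $GpClsid)
        GlobalProtectRegistered = ($registered -contains $GpClsid)
        # True when the policy points at a CLSID that is not a registered provider.
        UnknownPolicyTarget     = ([bool]$configured -and ($registered -notcontains $configured))
    }
}

Get-DefaultCredentialProviderStatus | Format-List
```

A result with IsGlobalProtect false and PolicyConfigured true means another provider has been assigned as the default, which is worth reviewing on endpoints that rely on pre-logon.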

Changes to Default Behavior in GlobalProtect App 4.1.9

There are no changes to default behavior in GlobalProtect app 4.1.9.

Changes to Default Behavior in GlobalProtect App 4.1.8

There are no changes to default behavior in GlobalProtect app 4.1.8.

Changes to Default Behavior in GlobalProtect App 4.1.7

There are no changes to default behavior in GlobalProtect app 4.1.7.

Changes to Default Behavior in GlobalProtect App 4.1.6

The following table describes changes to default behavior in GlobalProtect app 4.1.6:
Feature: Trusted MFA Gateway Configuration
Description of Change: If you enable the GlobalProtect app to receive multi-factor authentication (MFA) prompts with redirect URLs destined for a non-default HTTP/HTTPS port (for example, 6082), you must now specify both the gateway address and port number of the redirect URL in the Trusted MFA Gateways configuration (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App).

Changes to Default Behavior in GlobalProtect App 4.1.5

There are no changes to default behavior in GlobalProtect app 4.1.5.

Changes to Default Behavior in GlobalProtect App 4.1.4

There are no changes to default behavior in GlobalProtect app 4.1.4.

Changes to Default Behavior in GlobalProtect App 4.1.3

The following table describes changes to default behavior in GlobalProtect app 4.1.3:
Feature: GlobalProtect Licensing for IPv6
Description of Change: The IPv6-related licensing requirements for GlobalProtect have changed. If your GlobalProtect deployment supports IPv6 connections, you are now required to install GlobalProtect licenses only on external gateways that use IPv6. You are no longer required to install the GlobalProtect license on internal gateways in order to support IPv6 connections. As a result, you can now deploy GlobalProtect and utilize the PAN-OS IP address-to-username mapping feature to create flexible policies for internal segmentation without requiring a subscription license. This license change is supported on GlobalProtect app 4.1.3 and later releases.

Changes to Default Behavior in GlobalProtect App 4.1.2

The following table describes changes to default behavior in GlobalProtect app 4.1.2:
Feature: RFC7231 Compliant User-Agent Strings
Description of Change: The User-Agent string that the GlobalProtect app sends to the firewall during HTTPS requests and to the SAML identity provider (IdP) during SAML Webview requests is now RFC 7231-compliant. Based on RFC 7231 specifications, the User-Agent string adheres to the following format:
PAN GlobalProtect/<globalprotect-app-version> (<long-form-operating-system>)
For example, PAN GlobalProtect/4.1.2-2 (Apple Mac OS X10.13.3) or PAN GlobalProtect/4.1.2-2(Microsoft Windows 10 Enterprise, 64-bit).
GlobalProtect app 4.0 and later releases for iOS endpoints do not support RFC 7231-compliant User-Agent strings.
If you configure the SAML IdP to allow SAML requests based on the User-Agent string, you must include the updated GlobalProtect User-Agent string in the User-Agent string allow list (on the SAML IdP) to enable GlobalProtect apps to authenticate. The User-Agent strings that you include in the allow list will differ depending on whether SAML requests require an exact User-Agent string match (such as PAN GlobalProtect/4.1.2-2(Apple Mac OS X 10.13.3)) or only a partial User-Agent string match (such as PAN GlobalProtect).
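The difference between exact and partial allow-list matching described above, as an added example that is not part of the original Palo Alto Networks documentation. The function names are hypothetical, partial matching is modelled as a substring match (an assumption about the IdP), and the sample strings are the ones on this page plus two constructed ones.

```powershell
# Format from the page:
#   PAN GlobalProtect/<globalprotect-app-version> (<long-form-operating-system>)
# The space before "(" is treated as optional because the page's samples vary.
$UaPattern = '^PAN GlobalProtect/(?<version>[^\s(]+)\s?\((?<os>[^()]+)\)$'

function ConvertFrom-GpUserAgent {
    param([string]$UserAgent)
    $m = [regex]::Match($UserAgent, $UaPattern)
    if (-not $m.Success) { return $null }
    [pscustomobject]@{ Version = $m.Groups['version'].Value; OS = $m.Groups['os'].Value }
}

function Test-GpUserAgentAllowed {
    param([string]$UserAgent, [string[]]$AllowList, [ValidateSet('Exact', 'Partial')][string]$Mode)
    foreach ($entry in $AllowList) {
        # Exact: whole-string, case-sensitive. Partial: substring (assumed IdP behavior).
        if ($Mode -eq 'Exact' -and $UserAgent -ceq $entry) { return $true }
        if ($Mode -eq 'Partial' -and $UserAgent.Contains($entry)) { return $true }
    }
    return $false
}

$exactList   = @('PAN GlobalProtect/4.1.2-2(Apple Mac OS X 10.13.3)')  # exact-match entry from the page
$partialList = @('PAN GlobalProtect')                                   # partial-match entry from the page

$samples = @(
    'PAN GlobalProtect/4.1.2-2 (Apple Mac OS X10.13.3)',                   # page example
    'PAN GlobalProtect/4.1.2-2(Microsoft Windows 10 Enterprise, 64-bit)',  # page example
    'PAN GlobalProtect/4.1.2-2(Apple Mac OS X 10.13.3)',                   # page's exact-match entry
    'PAN GlobalProtect/4.1.3-1 (Apple Mac OS X 10.13.3)',                  # constructed: later build
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'                            # constructed: not GlobalProtect
)

$samples | ForEach-Object {
    $parsed = ConvertFrom-GpUserAgent $_
    [pscustomobject]@{
        UserAgent    = $_
        Version      = $parsed.Version
        OS           = $parsed.OS
        ExactMatch   = Test-GpUserAgentAllowed $_ $exactList 'Exact'
        PartialMatch = Test-GpUserAgentAllowed $_ $partialList 'Partial'
    }
} | Format-Table -AutoSize -Wrap
```

Only the third sample passes the exact list, so an exact-match allow list needs an entry for every app build and OS string in use, down to the spacing. The User-Agent header is set by the client, so treat the allow list as a compatibility filter rather than an authentication control.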

Changes to Default Behavior in GlobalProtect App 4.1.1

The following table describes changes to default behavior in GlobalProtect app 4.1.1:
Feature: Local subnet access
Description of Change: The GlobalProtect app on Windows endpoints no longer modifies the endpoint proxy settings after establishing and taking down a VPN tunnel if you configured No direct access to local network for the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > Split Tunnel > Access Route). Previously, the app removed and then restored the proxy settings when establishing and taking down the tunnel.

Feature: GlobalProtect service logs
Description of Change: On Windows UWP endpoints, the GlobalProtect app now stores PanGPS logs in the
%localappdata%\Packages\PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg\LocalState\DiagOutputDir
directory instead of the
%localappdata%\Packages\PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg\LocalState
directory.

Changes to Default Behavior in GlobalProtect App 4.1.0

The following table describes changes to default behavior in GlobalProtect app 4.1.0:
Feature: Help Page Configuration
Description of Change: The GlobalProtect App Help Page configuration on the GlobalProtect portal has the following changes (Network > GlobalProtect > Portals > <portal-config> > GlobalProtect Portal Configuration > General > Appearance):
  • If you select Factory Default from the App Help Page drop-down, the GlobalProtect app displays the default help file that is built in to the app.
  • If you select None (default) from the App Help Page drop-down, the Help option is removed from the Settings menu on the GlobalProtect status panel.
  • If you select Import from the App Help Page drop-down, you can upload a custom help file for the GlobalProtect app. The GlobalProtect portal provides the custom help file with the GlobalProtect portal configuration.

Feature: Manual-Only Gateways in Always On Mode
Description of Change: When you configure the GlobalProtect Connect Method as User-Logon (Always On) or Pre-Logon (Always On) but configure all external gateways as manual-only gateways, external users do not automatically connect to any of the manual-only gateways. GlobalProtect now remains in the Not Connected state until the external user connects to a gateway manually. In addition, GlobalProtect does not perform periodic auto-discovery for external gateways unless a network change occurs.
This change to default behavior enables customers to deploy GlobalProtect to derive User-ID when the user is internal and support On-Demand VPN behavior when the user is external.

Feature: Endpoint Traffic Handling
Description of Change: If you configure the GlobalProtect app to tunnel all traffic, GlobalProtect drops packets whose source IP address is not the tunnel-assigned IP address. This change to default behavior enables applications to re-establish the connection through the tunnel. For example, if a user initiates a connection prior to establishing a GlobalProtect connection on the endpoint, all traffic for that connection is sourced from the IP address of the physical adapter (LAN or WiFi). After the user establishes the GlobalProtect connection, GlobalProtect drops all packets for the previously initiated connections, whose source IP address is the IP address of the physical adapter.

Feature: GlobalProtect Credential Provider Pre-Logon Domain Name Display
Description of Change: When you configure GlobalProtect with the Pre-Logon connection method, the GlobalProtect Credential Provider logon screen on Windows 10 endpoints now displays the pre-populated domain name below the editable username field.

Feature: Cached Passwords
Description of Change: If you do not enable two-factor authentication for your GlobalProtect portal and gateway, the GlobalProtect service (PanGPS) now clears the following passwords when gateway authentication fails:
  • Cached single sign-on (SSO) passwords (when SSO is enabled)
  • Cached GlobalProtect portal passwords
  • Cached saved user passwords (when Save User Credentials is enabled)
After authentication fails, users must re-enter their passwords on the GlobalProtect app or portal/gateway authentication prompt (when Do not prompt user for authentication is disabled) in order to authenticate and establish a connection to GlobalProtect. If users click Cancel and then initiate a new authentication attempt, the GlobalProtect app prompts them to manually enter their passwords instead of using previously saved passwords.

Feature: macOS Version Check
Description of Change: The GlobalProtect app software package for macOS endpoints now includes a minimum OS version check to ensure that end users install the GlobalProtect app only on endpoints running macOS versions that the specific app release supports (such as GlobalProtect app 4.1). If users attempt to install the GlobalProtect app on endpoints running macOS versions that the app release does not support, installation fails. For example, users can install GlobalProtect app 4.1 only on endpoints running macOS 10.10 or later releases. Refer to the GlobalProtect Compatibility Matrix for the complete list of OS versions that each GlobalProtect app release supports.
