End-of-Life (EoL)
Features Introduced in GlobalProtect App 4.1
The following features were released with GlobalProtect
app 4.1: user experience enhancements, optimized split tunneling,
GlobalProtect app for Linux, and more.
The following topics describe the new features introduced
in GlobalProtect app 4.1. For additional information on how to use
the new features in this release, refer to the GlobalProtect App 4.1 New Features Guide.
Feature | Description |
---|---|
GlobalProtect User Experience Enhancements | GlobalProtect app 4.1 for Windows and Mac endpoints introduces an enhanced user experience through a more modern and streamlined user interface and a more intuitive connection process. The new app features simplified workflows that enable end users to view and modify GlobalProtect app settings, manage notifications from a central location, and connect to or disconnect from GlobalProtect more seamlessly. |
Optimized Split Tunneling for GlobalProtect | In addition to route-based split tunnel policy, GlobalProtect now supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application. This feature is available on Windows and Mac endpoints and enables you to: This enhancement requires a GlobalProtect subscription. This enhancement is supported on PAN-OS 8.1 and later releases. |
GlobalProtect App for Linux | The new GlobalProtect app for Linux now extends User-ID and Security policy enforcement to users on Linux endpoints. The GlobalProtect app provides a CLI and functions as an SSL or IPSec VPN client. The GlobalProtect app supports common GlobalProtect features and authentication methods, including certificate and two-factor authentication and both user-logon and on-demand connect methods. The app can also perform internal host detection to determine whether the Linux endpoint is on the internal network and collect host information (such as operating system and operating system version, domain, hostname, host ID, and network interface). Using this information, you can allow or deny access to a specific Linux endpoint based on the adherence of that endpoint to the host policies you define. The GlobalProtect app for Linux is available for the Linux distribution of Ubuntu 14.04, RHEL 7.0, and CentOS 7.0 (and later releases of each) and requires a GlobalProtect subscription. |
Kerberos Authentication Support for Mac | The GlobalProtect app for Mac endpoints (macOS 10.10 and later releases) now supports Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. Kerberos SSO, which is primarily intended for internal gateway deployments, provides accurate User-ID information without user interaction and helps enforce user- and HIP-based policies. This feature is supported on PAN-OS 8.0® and later releases. |
SAML SSO for GlobalProtect on Chromebooks | The GlobalProtect app for Chromebooks (Chrome OS) now supports SAML single sign-on (SSO). If you configure SAML as the authentication standard for Chromebooks, end users can authenticate to GlobalProtect by leveraging the same login they use to access their Chromebook applications. This enables users to connect to GlobalProtect without having to re-enter their credentials in the GlobalProtect app. With SSO enabled (default), Google acts as the SAML service provider while the GlobalProtect app authenticates users directly to your organization’s SAML identity provider. GlobalProtect currently supports only the Post SAML HTTP binding method. This feature is supported on PAN-OS 8.0® and later releases. |
Automatic VPN Reconnect for Chromebooks | The GlobalProtect app for Chromebooks can now automatically try to reestablish the connection when any of the following events occur: This is especially useful for mobile users who encounter these events as part of their day-to-day operations because it reduces disruptions in VPN connectivity as well as the manual steps required to reestablish the connection. This feature is automatically enabled in Chrome OS 51 and later releases and does not require any configuration. |
GlobalProtect Credential Provider Pre-Logon Connection Status | The GlobalProtect credential provider logon screen on Windows 7 and Windows 10 endpoints now displays the pre-logon connection status when you configure pre-logon for remote users. The pre-logon connection status indicates the state of the pre-logon VPN connection prior to user logon. By providing more visibility on the pre-logon connection status, this feature allows end users to determine whether they can access network resources after logon, and therefore avoid logging in prematurely before the connection establishes and network resources become available. If the GlobalProtect app determines that an endpoint is internal (connected to the corporate network), the logon screen displays the GlobalProtect connection status as Internal. If the GlobalProtect app determines that an endpoint is external (connected to a remote network), the logon screen displays the GlobalProtect connection status as Connected or Not Connected. |
Active Directory Password Change Using the GlobalProtect Credential Provider | End users can now change their Active Directory (AD) password using the GlobalProtect credential provider on Windows 10 endpoints. This enhancement improves the single sign-on (SSO) experience by allowing users to update their AD password and access resources that are secured by GlobalProtect using the GlobalProtect credential provider. Users can change their AD password using the GlobalProtect credential provider only when their AD password expires or an administrator requires a password change at the next login. |
Expired Active Directory Password Change for Remote Users | Remote users can now change their RADIUS or Active Directory (AD) password through the GlobalProtect app when their password expires or a RADIUS/AD administrator requires a password change at the next login. Users can change their RADIUS or AD password when they can’t access the corporate network locally and their only option is to connect remotely using RADIUS authentication. This feature is enabled only when the user authenticates with a RADIUS server using the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2). This feature is supported on PAN-OS 8.1® and later releases. |
Multiple Portal Support | End users can now save multiple portals in a list on the GlobalProtect app for Windows and Mac endpoints. This enhancement enables you to manage deployments more efficiently, as end users can switch between different portals without having to re-enter the portal address each time they want to connect. GlobalProtect does not save separate credentials for each portal. |
Static IP Address Assignment | You can now assign static IP addresses to Windows endpoints by configuring the reserved-ipv4 or reserved-ipv6 entries in the Windows Registry prior to GlobalProtect app installation or the RESERVEDIPV4 or RESERVEDIPV6 options in the Windows Installer (Msiexec) during GlobalProtect app installation. This feature ensures that the GlobalProtect tunnel IP addresses that you assign to your endpoints do not change, which enables you to locate and troubleshoot errors in IP address assignment. With this feature, the PreferredIP and PreferredIPV6 options are deprecated. |
Customizable Username and Password Labels | You can now configure custom username and password labels to display on the GlobalProtect app for GlobalProtect portal and gateway authentication. This enhancement is supported on PAN-OS 8.1® and later releases. |
Gateway-Level IP Pools | You can now configure gateway-level IP pools that enable you to assign IPv4 or IPv6 addresses to all endpoints that connect to the GlobalProtect gateway. This enhancement simplifies gateway configuration by allowing you to define a global IP pool for the entire gateway instead of requiring separate IP pools for each client setting within the gateway configuration, which is the only IP pool configuration that GlobalProtect previously supported. This enhancement is supported on PAN-OS 8.1® and later releases. |
Primary Username Visibility on GlobalProtect Gateways | For enhanced reporting and user visibility, the GlobalProtect gateway now displays the primary username of all end users who are currently connected to the gateway or have previously connected to the gateway. This enhancement is supported on PAN-OS 8.1® and later releases. |
OPSWAT SDK V4 Support | GlobalProtect is now integrated with OPSWAT SDK V4 to detect and assess the endpoint state and the third-party security applications running on the endpoint. OPSWAT is a security tool leveraged by the Host Information Profile (HIP) to collect information about the security status of the endpoints in the network. GlobalProtect uses this information for policy enforcement on the GlobalProtect gateway. This integration follows the end-of-life (EoL) announcement for OPSWAT SDK V3, which is the OPSWAT SDK version supported by GlobalProtect in PAN-OS 8.0 and earlier releases. This feature is supported on PAN-OS 8.1® and later releases. |
Support for the ARMv7-A Application Binary Interface | (GlobalProtect app 4.1.1 and later releases) The GlobalProtect app for Android endpoints now supports the ARMv7-A Application Binary Interface (ABI). |
GlobalProtect App for Android Enhancements | (GlobalProtect app 4.1.5 and later releases) GlobalProtect app 4.1.5 for Android endpoints introduces the following enhancements: |
Support for macOS 10.14 | (GlobalProtect app 4.1.5 and later releases) The GlobalProtect app is now supported on macOS 10.14. |
Support for Android 9.0 | (GlobalProtect app 4.1.5 and later releases) The GlobalProtect app is now supported on Android 9.0. |
Tunnel Connections Over Proxies | (GlobalProtect app 4.1.7 and later releases) To prevent users from setting up personal proxies to access web resources without traversing a VPN tunnel, you can now configure GlobalProtect to bypass proxies. When you configure this option to bypass proxies, all HTTP/HTTPS traffic that matches the proxy/PAC file rules is required to go through the VPN tunnel for inspection and policy enforcement before reaching the intended destination. |
Captive Portal Notification Delay | (GlobalProtect app 4.1.9 and later releases with Content Release version 8118-5277 and later) If your users must log in to a captive portal to access the Internet, and you enable the GlobalProtect app to display a notification message when it detects a captive portal, you can now configure a captive portal notification delay to indicate the amount of time (in seconds) after which the GlobalProtect app displays this notification message. |