Limitations

See the limitations associated with the GlobalProtect app 4.1 release.

The following table includes limitations associated with the GlobalProtect app 4.1 release.

Issue ID	Description
GPC-7772	If you configure the GlobalProtect portal or gateway to authenticate users through Kerberos single sign-on (SSO) and the SSL handshake also requires machine certificate authentication (for example, with the pre-logon connect method), Kerberos SSO authentication fails if you import the user’s machine certificate to only the machine certificate store. Workaround : Import the machine certificate to both the machine certificate store and user certificate store.
GPC-7226	The GlobalProtect app for Linux can import only client certificates onto connecting endpoints for certificate-based portal and gateway authentication. The app cannot import the entire certificate chain, which includes the trusted root CA certificate and the intermediate CA certificate. Workaround : Import the trusted root CA certificates and intermediate CA certificates used to sign client certificates onto your firewall ( Device Certificate Management Certificates Device Certificates ), and then Add those CA Certificates to the client certificate profile ( Device Certificate Management Certificate Profile `<cert-profile>` ).
GPC-6663	The GlobalProtect app for iOS does not support SAML authentication when you configure GlobalProtect with the User-logon (Always On) Connect Method ( Network GlobalProtect Portals `<portal-config>` Agent `<agent-config>` App ). This limitation is due to the Apple Network Extension framework, which blocks network connections from the GlobalProtect app (where users are authenticated to their organization’s SAML identity provider) until the VPN tunnel is created.
GPC-6394	If you configure a split tunnel to exclude traffic for a specific destination domain, users with endpoints running macOS 10.13 and later releases must use one of the following options to manually enable their endpoint to allow GlobalProtect to exclude the traffic from the VPN tunnel: Allow the GlobalProtect split tunnel kernel extension to load on the endpoint. From your Mac endpoint, launch System Preference . Open the Security & Privacy preferences and then select General . To modify these preferences, Click the lock to make changes . When prompted, enter your Mac User Name and Password and then Unlock the preferences. In the Allow apps downloaded from area, accept the default setting of Mac App Store . The following notification message appears: System software from developer "Palo Alto Networks" was blocked from loading. Allow the kernel extension to load. To save these preferences, Click the lock to prevent further changes . Enable Palo Alto Network as a trusted developer. From your Mac endpoint, launch System Preference . Open the Security & Privacy preferences and then select General . To modify these preferences, Click the lock to make changes . When prompted, enter your Mac User Name and Password and then Unlock the preferences. In the Allow apps downloaded from area, select Mac App Store and identified developers . To save these preferences, Click the lock to prevent further changes . This limitation is due to the Apple User-Approved Kernel Extension Loading feature, in which users must approve new third-party kernel extensions manually. If users do not allow the kernel extension to load or do not enable Palo Alto Networks as a trusted developer on their endpoint, traffic for the specified destination domain cannot be excluded from the VPN tunnel.
GPC-5543	On macOS endpoints, native modal notification dialogs (such as the GlobalProtect update installation dialog) open behind the GlobalProtect status panel if they overlap.
GPC-5346	When users connect to Windows 10 endpoints using the Microsoft Remote Desktop Connection, they cannot authenticate and establish a connection to GlobalProtect using single sign-on (SSO) because Remote Desktop Services (RDS)—which enables users to access and run applications on the remote desktop—does not support SSO with non-native Windows credentials. If users initiate a remote desktop connection using credentials from the GlobalProtect Credential Provider, they must manually re-enter their credentials on the GlobalProtect Credential Provider logon screen (when prompted) to access the endpoint and establish the GlobalProtect connection.