See the limitations associated with the GlobalProtect app 4.1 release.
The following table includes limitations associated with the GlobalProtect app 4.1 release.
If you configure the GlobalProtect portal or gateway to authenticate users through Kerberos single sign-on (SSO) and the SSL handshake also requires machine certificate authentication (for example, with the pre-logon connect method), Kerberos SSO authentication fails if you import the user’s machine certificate to only the machine certificate store.
Workaround: Import the machine certificate to both the machine certificate store and user certificate store.
The GlobalProtect app for Linux can import only client certificates onto connecting endpoints for certificate-based portal and gateway authentication. The app cannot import the entire certificate chain, which includes the trusted root CA certificate and the intermediate CA certificate.
Import the trusted root CA certificates and intermediate CA certificates used to sign client certificates onto your firewall (
), and then
CA Certificates to the client certificate profile (
The GlobalProtect app for iOS does not support SAML authentication when you configure GlobalProtect with the User-logon (Always On)
). This limitation is due to the Apple Network Extension framework, which blocks network connections from the GlobalProtect app (where users are authenticated to their organization’s SAML identity provider) until the VPN tunnel is created.
If you configure a split tunnel to exclude traffic for a specific destination domain, users with endpoints running macOS 10.13 and later releases must use one of the following options to manually enable their endpoint to allow GlobalProtect to exclude the traffic from the VPN tunnel:
This limitation is due to the Apple User-Approved Kernel Extension Loading feature, in which users must approve new third-party kernel extensions manually. If users do not allow the kernel extension to load or do not enable Palo Alto Networks as a trusted developer on their endpoint, traffic for the specified destination domain cannot be excluded from the VPN tunnel.
On macOS endpoints, native modal notification dialogs (such as the GlobalProtect update installation dialog) open behind the GlobalProtect status panel if they overlap.
When users connect to Windows 10 endpoints using the Microsoft Remote Desktop Connection, they cannot authenticate and establish a connection to GlobalProtect using single sign-on (SSO) because Remote Desktop Services (RDS)—which enables users to access and run applications on the remote desktop—does not support SSO with non-native Windows credentials.
If users initiate a remote desktop connection using credentials from the GlobalProtect Credential Provider, they must manually re-enter their credentials on the GlobalProtect Credential Provider logon screen (when prompted) to access the endpoint and establish the GlobalProtect connection.