End-of-Life (EoL)

Limitations

The following table includes limitations associated with the GlobalProtect app 4.1 release.
Issue ID
Description
GPC-7772
If you configure the GlobalProtect portal or gateway to authenticate users through Kerberos single sign-on (SSO) and the SSL handshake also requires machine certificate authentication (for example, with the pre-logon connect method), Kerberos SSO authentication fails if you import the user’s machine certificate to only the machine certificate store.
Workaround: Import the machine certificate to both the machine certificate store and user certificate store.
GPC-7226
The GlobalProtect app for Linux can import only client certificates onto connecting endpoints for certificate-based portal and gateway authentication. The app cannot import the entire certificate chain, which includes the trusted root CA certificate and the intermediate CA certificate.
Workaround: Import the trusted root CA certificates and intermediate CA certificates used to sign client certificates onto your firewall (Device > Certificate Management > Certificates > Device Certificates), and then Add those CA Certificates to the client certificate profile (Device > Certificate Management > Certificate Profile > <cert-profile>).
GPC-6663
The GlobalProtect app for iOS does not support SAML authentication when you configure GlobalProtect with the User-logon (Always On) Connect Method (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App). This limitation is due to the Apple Network Extension framework, which blocks network connections from the GlobalProtect app (where users are authenticated to their organization’s SAML identity provider) until the VPN tunnel is created.
GPC-6394
If you configure a split tunnel to exclude traffic for a specific destination domain, users with endpoints running macOS 10.13 and later releases must use one of the following options to manually enable their endpoint to allow GlobalProtect to exclude the traffic from the VPN tunnel:
  • Allow the GlobalProtect split tunnel kernel extension to load on the endpoint.
    1. From your Mac endpoint, launch System Preferences.
    2. Open the Security & Privacy preferences and then select General.
    3. To modify these preferences, Click the lock to make changes.
    4. When prompted, enter your Mac User Name and Password and then Unlock the preferences.
    5. In the Allow apps downloaded from area, accept the default setting of Mac App Store.
      The following notification message appears:
      System software from developer "Palo Alto Networks" was blocked from loading.
    6. Allow the kernel extension to load.
    7. To save these preferences, Click the lock to prevent further changes.
  • Enable Palo Alto Networks as a trusted developer.
    1. From your Mac endpoint, launch System Preferences.
    2. Open the Security & Privacy preferences and then select General.
    3. To modify these preferences, Click the lock to make changes.
    4. When prompted, enter your Mac User Name and Password and then Unlock the preferences.
    5. In the Allow apps downloaded from area, select Mac App Store and identified developers.
    6. To save these preferences, Click the lock to prevent further changes.
This limitation is due to the Apple User-Approved Kernel Extension Loading feature, in which users must approve new third-party kernel extensions manually. If users do not allow the kernel extension to load or do not enable Palo Alto Networks as a trusted developer on their endpoint, traffic for the specified destination domain cannot be excluded from the VPN tunnel.
GPC-5543
On macOS endpoints, native modal notification dialogs (such as the GlobalProtect update installation dialog) open behind the GlobalProtect status panel if they overlap.
GPC-5346
When users connect to Windows 10 endpoints using the Microsoft Remote Desktop Connection, they cannot authenticate and establish a connection to GlobalProtect using single sign-on (SSO) because Remote Desktop Services (RDS)—which enables users to access and run applications on the remote desktop—does not support SSO with non-native Windows credentials.
If users initiate a remote desktop connection using credentials from the GlobalProtect Credential Provider, they must manually re-enter their credentials on the GlobalProtect Credential Provider logon screen (when prompted) to access the endpoint and establish the GlobalProtect connection.
