When the split tunnel settings are configured to exclude application traffic such as Microsoft Teams and Skype, some excluded traffic are still forwarded through the tunnel.

When you configure a split tunnel based on the destination domain on macOS Catalina 10.15.4 endpoints, all Safari-based traffic and all Mac App Store-based traffic that are defined in the split tunnel configuration would be dropped. The same issue also occurred when you configured a split tunnel based on the applications downloaded from the Mac App Store. All traffic that was created for the configured applications would be dropped.

Workaround

: Use Chrome instead of Safari so that traffic defined in the split tunnel configuration will not be dropped.

If you configure the GlobalProtect portal or gateway to authenticate users through Kerberos single sign-on (SSO) and the SSL handshake also requires machine certificate authentication (for example, with the pre-logon connect method), Kerberos SSO authentication fails if you import the user’s machine certificate to only the machine certificate store. 

Workaround

: Import the machine certificate to both the machine certificate store and user certificate store.

When users launch GlobalProtect app 5.0 for Mac endpoints for the first time, the following notification message appears, prompting users to enter their Mac password so that GlobalProtect can access and use client certificates from the login keychain:

Workaround

: Enter your Mac

Password

and then

Always Allow

GlobalProtect to use the password.

In some instances, when the GlobalProtect app for iOS connects to a GlobalProtect portal, the Cannot Verify Server Identity dialog appears even if a valid server certificate is sent from the portal.

Workaround

: Tap

Continue

to proceed with the GlobalProtect connection.

When users run the GlobalProtect app for Android on their Chromebooks, the app cannot connect to GlobalProtect gateways based on the source IP address of the user because it runs within the Android container on Chrome OS. The Android container uses a network bridge to connect the app to the network, so it is assigned a different IP address from the source IP address of the Chromebook user.

Workaround

: Ensure that gateway selection for the Android operating system is not based on the source IP address of the user by leaving both the

Region

and

IP Address

fields empty in the config selection criteria for your client settings configuration (

Network

GlobalProtect

Gateways

<gateway-config>

Agent

Client Settings

<client-settings-config>

Config Selection Criteria

).

If you use AirWatch to push an updated VPN profile to managed iOS endpoints that are currently connected to GlobalProtect, the endpoints continue to use the old version of the VPN profile even after they successfully receive the updated VPN profile.

When users run the GlobalProtect app for Android on their Chromebooks, the app cannot connect to GlobalProtect portals using IPv6 because it runs within the Android container in Chrome OS, which does not currently support IPv6.

Workaround

: Set the

IP Address Type

for your GlobalProtect portal to

IPv4 Only

(

Network

GlobalProtect

Portals

<<portal-config>

General

).

The GlobalProtect app does not support portal hostnames with non-English characters.

When users establish a GlobalProtect connection for the first time on iPads running iOS 11.1, and they

Don’t Allow

GlobalProtect to send them notifications, the

Settings -> GlobalProtect

link on subsequent notification permission reminders does not open.

Workaround

: Upgrade your iPad to iOS 11.3 or a later version.

If you remain on iOS 11.1, you can enable GlobalProtect to send you notifications by going to the GlobalProtect notification settings on your iPad (

Settings

Notifications

GlobalProtect

) and then selecting

Allow Notifications

.

When a user first logs in to a GlobalProtect VPN that uses SAML authentication with pre-logon enabled, the tunnel rename (from pre-logon to user logon) fails, the pre-logon tunnel is disconnected, and the user is prompted to re-authenticate.

On macOS endpoints, the GlobalProtect app can’t detect the following

Anti-Malware

information for the HIP Match log details of the Gatekeeper security feature (

Monitor

Logs

HIP Match

<hip-match-log>

):

Proxies are disabled after you establish the GlobalProtect connection on macOS endpoints because proxy settings are not copied from the physical network adapter of the endpoint to the virtual network adapter of the endpoint, and the virtual network adapter becomes the primary adapter from which the macOS endpoint receives proxy settings.