GlobalProtect App 5.0 Known Issues

See the list of the known issues in GlobalProtect app 5.0.
The following table describes known issues in the GlobalProtect app 5.0 releases.
Issue ID
When the split tunnel settings are configured to exclude application traffic such as Microsoft Teams and Skype, some excluded traffic are still forwarded through the tunnel.
When you configure a split tunnel based on the destination domain on macOS Catalina 10.15.4 endpoints, all Safari-based traffic and all Mac App Store-based traffic that are defined in the split tunnel configuration would be dropped. The same issue also occurred when you configured a split tunnel based on the applications downloaded from the Mac App Store. All traffic that was created for the configured applications would be dropped.
: Use Chrome instead of Safari so that traffic defined in the split tunnel configuration will not be dropped.
(An upcoming version of the GlobalProtect app will address this issue.)
If you configure the GlobalProtect portal or gateway to authenticate users through Kerberos single sign-on (SSO) and the SSL handshake also requires machine certificate authentication (for example, with the pre-logon connect method), Kerberos SSO authentication fails if you import the user’s machine certificate to only the machine certificate store. 
: Import the machine certificate to both the machine certificate store and user certificate store.
This issue is now resolved. See GlobalProtect App 5.0.1 Addressed Issues.
When users launch GlobalProtect app 5.0 for Mac endpoints for the first time, the following notification message appears, prompting users to enter their Mac password so that GlobalProtect can access and use client certificates from the login keychain:
PanGPS wants to use your confidential information stored in “Configuration Profiles” in your keychain. To allow this, enter the "login" keychain password.
: Enter your Mac
and then
Always Allow
GlobalProtect to use the password.
This issue is now resolved. See GlobalProtect App 5.0.1 Addressed Issues.
In some instances, when the GlobalProtect app for iOS connects to a GlobalProtect portal, the Cannot Verify Server Identity dialog appears even if a valid server certificate is sent from the portal.
: Tap
to proceed with the GlobalProtect connection.
When users run the GlobalProtect app for Android on their Chromebooks, the app cannot connect to GlobalProtect gateways based on the source IP address of the user because it runs within the Android container on Chrome OS. The Android container uses a network bridge to connect the app to the network, so it is assigned a different IP address from the source IP address of the Chromebook user.
: Ensure that gateway selection for the Android operating system is not based on the source IP address of the user by leaving both the
IP Address
fields empty in the config selection criteria for your client settings configuration (
Client Settings
Config Selection Criteria
This issue is now resolved. See GlobalProtect App 5.0.2 Addressed Issues.
If you use AirWatch to push an updated VPN profile to managed iOS endpoints that are currently connected to GlobalProtect, the endpoints continue to use the old version of the VPN profile even after they successfully receive the updated VPN profile.
When users run the GlobalProtect app for Android on their Chromebooks, the app cannot connect to GlobalProtect portals using IPv6 because it runs within the Android container in Chrome OS, which does not currently support IPv6.
: Set the
IP Address Type
for your GlobalProtect portal to
IPv4 Only
The GlobalProtect app does not support portal hostnames with non-English characters.
When users establish a GlobalProtect connection for the first time on iPads running iOS 11.1, and they
Don’t Allow
GlobalProtect to send them notifications, the
Settings -> GlobalProtect
link on subsequent notification permission reminders does not open.
: Upgrade your iPad to iOS 11.3 or a later version.
If you remain on iOS 11.1, you can enable GlobalProtect to send you notifications by going to the GlobalProtect notification settings on your iPad (
) and then selecting
Allow Notifications
On macOS endpoints, the GlobalProtect app can’t detect the following
information for the HIP Match log details of the Gatekeeper security feature (
HIP Match
  • Engine Version
  • Definition Version
  • Date
  • Last Scanned
Proxies are disabled after you establish the GlobalProtect connection on macOS endpoints because proxy settings are not copied from the physical network adapter of the endpoint to the virtual network adapter of the endpoint, and the virtual network adapter becomes the primary adapter from which the macOS endpoint receives proxy settings.
When a user first logs in to a GlobalProtect VPN that uses SAML authentication with pre-logon enabled, the tunnel rename (from pre-logon to user logon) fails, the pre-logon tunnel is disconnected, and the user is prompted to re-authenticate.
The firewall does not generate a notification for the GlobalProtect app when the firewall denies an unencrypted TLS session due to an authentication policy match.

Recommended For You