Use the GlobalProtect App for macOS

This chapter applies to you only if your setup requires you to enter your GlobalProtect login credentials after you have logged into your endpoint (single sign-on is disabled).
We typically recommend that organizations allow their GlobalProtect users to log in transparently following app installation. After you log in to an endpoint with transparent GlobalProtect login, the GlobalProtect app automatically initiates and connects to the corporate network without further user intervention.
After the installation is complete, the System Extension Blocked notification message appears, prompting users to enable the system extensions in macOS that were blocked from loading. If the GlobalProtect System Extensions option is not selected during the installation, this notification message appears once users connect to the gateway. This notification appears if your administrator has configured either split tunnel on the GlobalProtect gateway, enforced GlobalProtect connections for network access on the GlobalProtect portal (see GlobalProtect App Customization), or both. Both features require users to enable the system extensions.
If your setup requires you to enter your GlobalProtect credentials, follow the applicable steps below.
  1. Connect to the GlobalProtect portal or gateway.
    You can determine if you are connected by checking the GlobalProtect system tray icon. If you are not connected, the icon is gray, and Disconnected appears when you hover over the icon.
    1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
    2. (Optional) If you are logging in to the GlobalProtect app for the first time, enter the FQDN or IP address of the GlobalProtect portal, and then click Connect.
    3. (Optional) If multiple portals are saved on your app, select a portal from the Portal drop-down. By default, the most recently connected portal is pre-selected from the Portal drop-down.
    4. (Optional) By default, you are automatically connected to the Best Available gateway, based on the configuration that the administrator defines and the response times of the available gateways. To connect to a different gateway, click the gateway drop-down and then use one of the following options:
      • Select a gateway manually (external gateways only). This option is only available if your administrator enables manual gateway selection.
      • Assign and automatically connect to a preferred gateway:
        1. From the status panel, click the Settings icon to open the settings menu.
        2. Select Preferred Gateway to open the GlobalProtect: Preferred Gateway dialog.
        3. From the list of available gateways, select the gateway that you want to set as the preferred gateway and then click Set as Preferred.
        4. Close the dialog.
        If you no longer want to connect to the gateway automatically, you can also remove the preferred gateway assignment:
        1. From the status panel, click the Settings icon to open the settings menu.
        2. Select Preferred Gateway to open the GlobalProtect: Preferred Gateway dialog.
        3. From the list of available gateways, select the preferred gateway and then click Remove Preferred.
        4. Close the dialog.
    5. (Optional) Depending on the connection mode, click Connect to initiate the connection.
    6. (Optional) If prompted, enter your Username and Password and then click Sign In.
      If your administrator has allowed you to use biometric (fingerprint) information to sign in, you must first sign in with a username and password twice (once to save it and again to authenticate); you can then use biometric information to sign in.
      If your system administrator has enabled the GlobalProtect System Extensions, you must enable the system extensions in macOS that were blocked from loading to use the split tunnel and Enforce GlobalProtect for Network Access features.
      Users do not need administrator privileges to allow both the Network Extensions Configuration pop-up prompts. Your administrator can suppress these prompts by using a mobile device management (MDM) system such as Jamf Pro to load the network extensions automatically. Refer to the knowledge base article at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAW8 for information on how to enable system and network extensions using Jamf Pro.
      1. (macOS Catalina 10.15.4 or later only) If your system administrator has configured split tunnel based on domains and applications on the GlobalProtect gateway, select Allow in the pop-up prompt.
        If you select Don’t Allow, the Split Tunnel feature cannot be used on the GlobalProtect app. This pop-up prompt will appear the next time you connect to the portal or gateway.
      2. (macOS Catalina 10.15.4 or later only) If your system administrator has enabled the Enforce GlobalProtect Connections for Network Access feature, select Allow in the pop-up prompt.
        If you select Don’t Allow, the Enforce GlobalProtect Connections for Network Access feature will not work and the GlobalProtect connections for network access cannot be enforced. This pop-up prompt will appear until you select Allow.
      3. (macOS Big Sur 11 or later only) If your system administrator has configured split tunnel based on domains and applications on the GlobalProtect gateway and enabled the Enforce GlobalProtect Connections for Network Access feature, select Allow in the pop-up prompt.
        If you select Don’t Allow, the Split Tunnel feature cannot be used on the GlobalProtect app, the Enforce GlobalProtect Connections for Network Access feature will not work, and the GlobalProtect connections for network access cannot be enforced. This pop-up prompt will appear the next time you connect to the portal or gateway or until you select Allow.
      When the app connects in external mode, the GlobalProtect system tray icon displays a shield, and Connected appears when you hover over the icon. When the app connects in internal mode, the GlobalProtect system tray icon displays a house, and Internal Network appears when you hover over the icon.
  2. Open the GlobalProtect app.
    Click the GlobalProtect system tray icon to launch the app interface.
  3. View information about your network connection.
    After you launch the app, click the settings icon on the status panel to open the settings menu. Select Settings to open the GlobalProtect Settings panel, and then select one of the following tabs to view information about your network connection:
    • General—Displays the username and portal(s) associated with the GlobalProtect account. You can also add, delete, or modify portals from this tab.
    • Connection—Lists the gateways configured for the GlobalProtect app and provides the following information about each gateway:
      • Gateway name
      • Tunnel status
      • Authentication status
      • Connection type
      • Gateway IP address or FQDN (only available in external mode)
      For internal mode, the Connection tab displays the entire list of available gateways. For external mode, the Connection tab displays only the gateway to which you are connected and additional details about the gateway (such as the gateway IP address, location, and uptime).
      Figure: Connection Tab When In Internal Mode
      Figure: Connection Tab When In External Mode
    • Host Profile—Displays the endpoint data that GlobalProtect uses to monitor and enforce security policies using the Host Information Profile (HIP). Click Resubmit Host Profile to manually resubmit HIP data to the gateway.
      If your administrator configures the Severity value for missing patches as a HIP match condition, use the following mappings between the GlobalProtect severity values and the OPSWAT severity ratings to understand what each value means:
      Severity Value Displayed on the GlobalProtect App    OPSWAT Severity Rating
      0                                                    Low
      1                                                    Moderate
      2                                                    Important
      3                                                    Critical
    • Troubleshooting—Enables you to Collect Logs and set the Logging Level.
  4. (Optional) Log in using a new password.
    If your GlobalProtect administrator configures the GlobalProtect portal agent to Save User Credentials, your credentials are automatically saved to the GlobalProtect app. If your password for accessing the corporate network changes, you must log in to GlobalProtect using your new password.
    1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
    2. Click the settings icon to open the settings menu.
    3. Select Settings to open the GlobalProtect Settings panel.
    4. On the General tab of the GlobalProtect Settings panel, click Sign Out to clear your saved user credentials from the GlobalProtect app.
    5. After you clear your user credentials, you can reconnect to GlobalProtect with your new username and password.
  5. (Optional) Disconnect from GlobalProtect.
    If your administrator configures GlobalProtect with the On-Demand connect method, you can disconnect from GlobalProtect by clicking Disconnect on the status panel.
