Enforce GlobalProtect Connections with FQDN Exclusions

Configure up to 40 domain name exclusions when Enforce GlobalProtect for Network Access is enabled. Improve user experience by allowing access to specific resources when GlobalProtect is disconnected.
Software Support: Starting with GlobalProtect™ app 5.2 with Content Release version 8284-6139 or later.
OS Support: Windows, and macOS Catalina 10.15.4 or later
You can now configure exclusions for specific fully qualified domain names when the Enforce GlobalProtect for Network Access feature is enabled. The Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established option, available as an app setting in the App Configurations area of your GlobalProtect portal, lets you specify the fully qualified domain names that remain reachable when you enforce GlobalProtect connections for network access and GlobalProtect cannot establish a connection. You can configure up to 40 such fully qualified domain names. By configuring FQDN exclusions, you improve the user experience by allowing end users to reach specific resources while GlobalProtect is disconnected. For example, the endpoint can still communicate with a cloud-hosted identity provider (IdP) for authentication, or with a remote device management server, even when the Enforce GlobalProtect for Network Access feature is enabled.
Because of a recent change in macOS, enforcing GlobalProtect connections with FQDN exclusions does not work in certain situations when multiple network extensions are loaded at the same time, for example in environments where DnsClient.Net, Cortex XDR, and GlobalProtect with the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established option enabled are all running.
  1. Configure exclusions for specific fully qualified domain names or IP addresses.
    1. Launch the Web Interface.
    2. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established.
    3. Specify up to 40 fully qualified domain names for which you want to allow access when you enforce GlobalProtect connections for network access.
      The fully qualified domain names that you provide are used only when Enforce GlobalProtect Connection for Network Access is set to Yes. Use commas to separate multiple fully qualified domain names (for example, google.com, gmail.com). Use the wildcard character (*) for domain names and make sure you include a space between wildcard entries (for example, *.gpcloudservice.com, *.cnn.com). The maximum length is 1,024 characters.
    When the Connect Before Logon (CBL) connect method is enabled for the GlobalProtect app with SAML authentication and the Enforce GlobalProtect Connections for Network Access feature is configured, you must add the fully qualified domain names (FQDNs) of the SAML authentication page to the exclusion list in the app settings of the GlobalProtect portal configuration.
  2. Click OK twice.
  3. Commit the configuration.
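The following helper is an added example, not part of this documentation or the GlobalProtect product: it checks a candidate exclusion list against the limits stated above (comma-separated entries, at most 40 of them, at most 1,024 characters, wildcard only as the leftmost label) before you paste it into the portal setting, and lets you confirm that the hosts your IdP or device-management server uses would actually be covered. The matching semantics in is_excluded (an exact entry matches only itself; *.suffix matches any host strictly below suffix) are the author's assumption, not vendor-confirmed behavior, and the sample domains are constructed.

```python
import re

MAX_ENTRIES = 40   # maximum number of FQDN exclusions stated in the documentation
MAX_LENGTH = 1024  # maximum length of the whole setting value

# Conservative DNS label syntax: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_exclusions(value: str) -> list[str]:
    """Split the comma-separated portal setting into normalized, non-empty entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def validate_exclusions(value: str) -> list[str]:
    """Return a list of problems with the setting value; empty means acceptable."""
    problems = []
    if len(value) > MAX_LENGTH:
        problems.append(f"value is {len(value)} characters, limit is {MAX_LENGTH}")
    entries = parse_exclusions(value)
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries, limit is {MAX_ENTRIES}")
    for entry in entries:
        labels = entry.split(".")
        # Accept a wildcard only as the entire leftmost label, e.g. *.gpcloudservice.com
        if "*" in entry and (labels[0] != "*" or any("*" in l for l in labels[1:])):
            problems.append(f"{entry!r}: wildcard must be the entire leftmost label")
            continue
        body = labels[1:] if labels[0] == "*" else labels
        if len(body) < 2 or not all(_LABEL.match(l) for l in body):
            problems.append(f"{entry!r}: not a valid fully qualified domain name")
    return problems


def is_excluded(hostname: str, value: str) -> bool:
    """Assumed semantics (not vendor-confirmed): an exact entry matches only itself,
    and *.suffix matches any hostname strictly below suffix."""
    host = hostname.strip().lower().rstrip(".")
    for entry in parse_exclusions(value):
        if entry.startswith("*."):
            if host.endswith(entry[1:]):   # entry[1:] is ".suffix", so suffix itself never matches
                return True
        elif host == entry:
            return True
    return False


# Constructed sample value in the comma-separated form the portal setting expects.
SAMPLE = "*.gpcloudservice.com, login.example-idp.test, mdm.example.test"
```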