Improved Authentication Experience for the
GlobalProtect App for Windows and macOS | (GlobalProtect app 5.2.9 and later releases)
To enable an improved authentication experience, you can now configure the
GlobalProtect app to continue to display the status panel while
the end user enters their credentials when logging in or cancels
the request. By default, the Allow GlobalProtect UI to
Persist for User Input setting is disabled. The end user
must click outside the status panel to minimize it manually when
entering their credentials. Available with Content Release
Version 8450-6909 or later. |
IPSec to SSL Fallback Notification | (GlobalProtect app 5.2.6 and later releases)
To enable a better user experience, you can now configure the GlobalProtect
app to display an SSL fallback notification only
when GlobalProtect falls back to using SSL after attempting IPSec. Available
with Content Release Version 8387-6595 or later. |
Autonomous DEM Integration for User Experience
Management (Windows 10 and macOS) | (GlobalProtect app 5.2.6 and later releases)
To gain visibility into the user experience, application, and network performance
in your Secure Access Service Edge (SASE) environment, you can now
natively integrate the Autonomous DEM (ADEM)
service into the GlobalProtect app. With this integration, the ADEM
service enables synthetic tests for applications you specify both from
the endpoint and from the different vantage points in Prisma Access.
When you enable ADEM in the GlobalProtect app, you can now connect
to the ADEM service to perform endpoint, WiFi, and synthetic monitoring
tests. Available with Content Release Version 8393-6628 or
later. |
GlobalProtect Native Support for ARM-Based
MacBooks | (GlobalProtect app 5.2.6 and later releases)
GlobalProtect now extends enterprise security protection to enable enforcement
of the same next-generation firewall-based policies that are enforced
within the physical perimeter to ARM devices running macOS. |
GlobalProtect Credential Provider Support
to Delay Windows Login Before Establishing the Tunnel Connection | (GlobalProtect app 5.2.5 and later releases)
To improve user experience with GlobalProtect single sign-on (SSO),
you can now configure the amount of time (in seconds) that the GlobalProtect credential provider waits
for the GlobalProtect tunnel to be established prior to Windows
login before submitting the Windows sign-in request. |
Enforce GlobalProtect Credential Provider
as the Default Sign-In for Windows 10 | (GlobalProtect app 5.2.5 and later releases)
When GlobalProtect SSO is enabled on Windows devices, end users
can have more than one sign-in option in addition to the GlobalProtect
credential provider, such as a third-party credential, smart
card, Windows Hello PIN, Windows Hello Password, or Windows Hello
Fingerprint. To improve user experience with GlobalProtect SSO,
you can now set the GlobalProtect credential provider to
be the default sign-in option at the next Windows login and for
subsequent logins. This reduces the frustration when end users have
to manually switch to the GlobalProtect credential provider again
to enable GlobalProtect SSO. |
GlobalProtect App Log Collection for Troubleshooting | (GlobalProtect app 5.2.5 and later releases)
To help you quickly resolve mobile user connection, performance,
and access issues for Prisma Access deployments and next-generation
firewall deployments, you can now configure the GlobalProtect app
to send troubleshooting and diagnostic
logs from the end user's endpoint to Cortex Data Lake for
further analysis. When end users report an issue from the GlobalProtect
app (upon the user's request), the app can generate and send an
easy-to-read, comprehensive report to help you quickly identify the
root cause of the remote end user issue. Additionally, you can now configure
the GlobalProtect app to run end-to-end diagnostic tests to probe
the state and performance of the network connection and the performance
of specific web applications from the remote end user’s endpoint. Available
with Content Release Version 8350-14191 or later. |
Improved Connectivity Error Messages for
the GlobalProtect App | (GlobalProtect app 5.2.5 and later releases)
To enable a better user experience, the GlobalProtect app is now
updated to display improved connectivity error messages. With this
change, the GlobalProtect app can now provide friendly, informative
connectivity error messages that help end users resolve issues on their
endpoint themselves and reduce support calls to their Help Desk professional. |
GlobalProtect for ARM-Based MacBooks Using
Rosetta Translation | (GlobalProtect app 5.2.5 and later releases)
GlobalProtect now extends enterprise security protection to enable enforcement
of the same next-generation firewall-based policies that are enforced
within the physical perimeter to ARM devices running macOS using
Rosetta translation. |
Configurable Maximum Transmission Unit for
GlobalProtect Connections | (GlobalProtect app 5.2.4 and later releases)
To optimize the connection experience for end users connecting over networks
that require maximum transmission unit (MTU)
values lower than the standard of 1500 bytes, you can now specify
the MTU value that is used by the GlobalProtect app to connect to
the gateway. By reducing the MTU size, you can eliminate performance
and connectivity issues that occur due to fragmentation when the
VPN tunnel connections go through multiple Internet Service Providers
(ISPs) and network paths with MTU lower than 1500 bytes. Available
with Content Release Version 8346-6423 or later. |
Enforce GlobalProtect Connections with FQDN
Exclusions (Windows 10 and macOS running macOS Catalina 10.15.4 or
later) | To improve user experience when the Enforce
GlobalProtect for Network Access feature is enabled, you can now
specify the fully qualified domain names for
which you allow access when you enforce GlobalProtect connections
for network access. For example, the endpoint can communicate with
a cloud-hosted identity provider (IdP) for authentication purposes
or a remote device management server even when the Enforce GlobalProtect
for Network Access feature is enabled. Available with Content
Release Version 8284-6139 or later. |
Split DNS (Windows 10 and macOS running
macOS Catalina 10.15.4 or later) | To enable users to access applications or local
resources, you can now specify exclusions or inclusions and send
DNS queries to a local DNS server using the physical adapter on
the endpoint. With split DNS, you can configure
which domains are resolved by the VPN-assigned DNS servers and which
domains are resolved by the local DNS servers. Available with
Content Release Version 8284-6139 or later. |
Default System Browser for SAML Authentication
(Windows 10, macOS, Linux, iOS, and Android) | If you have set up the GlobalProtect portal to
authenticate users through Security Assertion Markup Language (SAML)
authentication, end users can now connect without having to re-enter their
credentials in the GlobalProtect app, for a seamless single sign-on
(SSO) experience. End users can now leverage the same login for GlobalProtect
and their default system browser such
as Chrome, Firefox, or Safari. This enables end users to connect
to GlobalProtect and to allow single sign-on to SAML-enabled applications
on first use only. After end users successfully authenticate, their
saved user credentials will be remembered by the default system
browser. Additionally, on any browser that supports the Web
Authentication (WebAuthn) API, you can use Universal 2nd Factor
(U2F) security tokens such as YubiKeys for multi-factor authentication (MFA)
to authenticate to identity providers (IdPs) such as OneLogin or
Okta. Available with Content Release Version 8284-6139 or
later. |
Connect Before Logon (Windows 10) | To simplify the login process and improve your
experience, end users can now establish the VPN connection to the
corporate network before logging in to the Windows endpoint using a
smart card, an authentication service such as LDAP, RADIUS, or Security
Assertion Markup Language (SAML), username/password-based authentication,
or one-time password (OTP) authentication. Connect Before Logon is
particularly useful for onboarding new users on an endpoint that
is not set up with a local profile or account for the user. Users
can log in to the Windows endpoint for the first time without a
local administrator profile. And because Connect Before Logon enables
the user to log in to the VPN before logging into the Windows endpoint,
it reduces the frustration for users who get locked out of their
account when they fail to reset the password in time, for example. |