Use the GlobalProtect App for macOS
This chapter applies to you only if your setup
requires you to enter your GlobalProtect login credentials after
you have logged into your endpoint (single sign-on is disabled).
We typically recommend that organizations allow their GlobalProtect users to log in transparently following app installation. After you log in to an endpoint with transparent GlobalProtect login, the GlobalProtect app automatically initiates and connects to the corporate network without further user intervention.
After the installation is complete, the System Extension Blocked notification message appears, prompting users to enable the system extensions in macOS that were blocked from loading. If the GlobalProtect System Extensions option is not selected during the installation, this notification message appears once users connect to the gateway. This notification appears if your administrator has configured either split tunnel on the GlobalProtect gateway, enforced GlobalProtect connections for network access on the GlobalProtect portal (see GlobalProtect App Customization), or both. Both features require users to enable the system extensions.
If your setup requires you to enter your GlobalProtect credentials, follow the applicable steps below.
- Connect to the GlobalProtect portal or gateway.
  You can determine if you are connected by checking the GlobalProtect system tray icon. If you are not connected, the icon is gray (
  - Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
  - (Optional) If you are logging in to the GlobalProtect app for the first time, enter the FQDN or IP address of the GlobalProtect portal, and then click Connect.
  - (Optional) If multiple portals are saved on your app, select a portal from the Portal drop-down. By default, the most recently connected portal is pre-selected from the Portal drop-down.
  - (Optional) By default, you are automatically connected to the Best Available gateway, based on the configuration that the administrator defines and the response times of the available gateways. To connect to a different gateway, click the gateway drop-down and then use one of the following options:
    - Select a gateway manually (external gateways only). This option is only available if your administrator enables manual gateway selection.
    - Assign and automatically connect to a preferred gateway:
      - From the status panel, click the Settings (
      - Select Preferred Gateway to open the GlobalProtect: Preferred Gateway dialog.
      - From the list of available gateways, select the gateway that you want to set as the preferred gateway and then Set as Preferred.
      - Close the dialog.
      If you no longer want to connect to the gateway automatically, you can also remove the preferred gateway assignment:
      - From the status panel, click the Settings (
      - Select Preferred Gateway to open the GlobalProtect: Preferred Gateway dialog.
      - From the list of available gateways, select the preferred gateway and then Remove Preferred.
      - Close the dialog.
  - (Optional) Depending on the connection mode, click Connect to initiate the connection.
  - (Optional) If prompted, enter your Username and Password and then Sign In.
    If your administrator has allowed you to use biometric (fingerprint) information to sign in, you need to first sign in with a username and password twice (once to save it and again to authenticate); you can then use biometric information to sign in.
    If your system administrator has enabled the GlobalProtect System Extensions, you must enable the system extensions in macOS that were blocked from loading to use the split tunnel and Enforce GlobalProtect for Network Access features.
    Users do not need administrator privileges to allow both the Network Extensions Configuration pop-up prompts. Your administrator can suppress these prompts by using a mobile device management (MDM) system such as Jamf Pro to load the network extensions automatically, so that users do not receive the prompts. See enable system and network extensions using Jamf Pro.
  - (macOS Catalina 10.15.4 or later and macOS Big Sur 11 or later only) If your system administrator has configured split tunnel based on domains and applications on the GlobalProtect gateway or enabled the Enforce GlobalProtect Connections for Network Access feature, select Allow in the pop-up prompt.
    If you select Don’t Allow, the Split Tunnel feature cannot be used on the GlobalProtect app, the Enforce GlobalProtect Connections for Network Access feature will not work, and the GlobalProtect connections for network access cannot be enforced. This pop-up prompt appears again the next time you connect to the portal or gateway, until you select Allow.
  When the app connects in external mode, the GlobalProtect system tray icon displays a shield (
- Open the GlobalProtect app.
  Click the GlobalProtect system tray icon to launch the app interface.
  A notification appears if your administrator configured the portal to install the Autonomous DEM (ADEM) endpoint agent during the GlobalProtect app installation and has either allowed you to enable the tests or not allowed you to enable the tests. If your administrator has already installed the ADEM endpoint agent and later configured the portal to uninstall the ADEM endpoint agent, a notification appears at the next login.
- View information about your network connection.
  After you launch the app, click the settings icon (
  - General—Displays the username and portal(s) associated with the GlobalProtect account. You can also add, delete, or modify portals from this tab.
  - Connection—Lists the gateways configured for the GlobalProtect app and provides the following information about each gateway:
    - Gateway name
    - Tunnel status
    - Authentication status
    - Connection type
    - Gateway IP address or FQDN (only available in external mode)
    For internal mode, the Connection tab displays the entire list of available gateways. For external mode, the Connection tab displays only the gateway to which you are connected and additional details about the gateway (such as the gateway IP address, location, and uptime).
    (Figures: Connection Tab When In Internal Mode; Connection Tab When In External Mode)
  - Host Profile—Displays the endpoint data that GlobalProtect uses to monitor and enforce security policies using the Host Information Profile (HIP). Click Resubmit Host Profile to manually resubmit HIP data to the gateway.
    If your administrator configures the Severity value for missing patches as a HIP match condition, use the following mappings between the GlobalProtect severity values and the OPSWAT severity ratings to understand what each value means:

    | Severity Value Displayed on the GlobalProtect App | OPSWAT Severity Rating |
    |---|---|
    | 0 | Low |
    | 1 | Moderate |
    | 2 | Important |
    | 3 | Critical |

  - Troubleshooting—Enables you to Collect Logs, set the Logging Level, view information about the network configuration, route settings, active connections, and logs, and optionally Enable user experience tests.
    In order for the GlobalProtect app to send troubleshooting logs, diagnostic logs, or both to Cortex Data Lake for further analysis, you must configure the GlobalProtect portal to enable the GlobalProtect app log collection for troubleshooting. Additionally, you can configure the HTTPS-based destination URLs, which can contain IP addresses or fully qualified domain names of the web servers/resources that you want to probe, to determine issues such as latency or network performance on the end user’s endpoint.
    When GlobalProtect is connected, you can verify that the ADEM endpoint agent can perform user experience tests if the Enable user experience tests check box is displayed on the GlobalProtect app. Or you can verify that a message is displayed if your administrator installed the ADEM endpoint agent during the GlobalProtect app installation but does not allow you to enable or disable user experience tests from the GlobalProtect app. By default, heartbeat alerts are still forwarded to ADEM even when GlobalProtect is disabled.
    If your administrator configured the portal to install the Autonomous DEM endpoint agent during the GlobalProtect app installation and has allowed you to enable the tests, select the check box to Enable user experience tests on the GlobalProtect app. This check box does not appear if your administrator does not allow you to enable or disable user experience tests from the GlobalProtect app. Instead, a message is displayed, confirming that the app is enabled to run user experience tests.
    If you do not select the check box to Enable user experience tests, heartbeat alerts are still forwarded to ADEM.
    For details about getting started with ADEM on Panorama Managed Prisma Access, see Get Started with Autonomous DEM. For details about getting started with ADEM on Cloud Managed Prisma Access, see Get Started with Autonomous DEM.
- (Optional) Log in using a new password.
  If your GlobalProtect administrator configures the GlobalProtect portal agent to Save User Credentials, your credentials are automatically saved to the GlobalProtect app. If your password for accessing the corporate network changes, you must log in to GlobalProtect using your new password.
  - Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
  - Click the settings icon (
  - Select Settings to open the GlobalProtect Settings panel.
  - On the General tab of the GlobalProtect Settings panel, Sign Out to clear your saved user credentials from the GlobalProtect app.
  - After you clear your user credentials, you can reconnect to GlobalProtect with your new username and password.
- (Optional) Disconnect from GlobalProtect.
  If your administrator configures GlobalProtect with the On-Demand connect method, you can disconnect from GlobalProtect by clicking Disconnect on the status panel.