GlobalProtect
Features Introduced
The following table describes the new features introduced in the GlobalProtect™ app 6.0 versions.
| New GlobalProtect Feature | Description |
|---|---|
| Embedded Browser Framework Upgrade | Starting with GlobalProtect 6.0.9, the embedded browser framework for SAML authentication has been upgraded to Microsoft Edge WebView2 (Windows) and WebKit (macOS). This provides a consistent experience between the embedded browser and the GlobalProtect client. WebView2 and WebKit are also compatible with FIDO2-based authentication methods. For more information, see the Microsoft Edge WebView2 documentation.<br><br>By default, tenants using SAML authentication are configured to use the embedded WebView2 (Windows) or WebKit (macOS) instead of relying on the system's default browser. With this enhancement, end users no longer need to configure a SAML landing page or manually close the browser, which streamlines the authentication process.<br><br>In a Microsoft Entra-joined environment with SSO enabled, users are not required to enter their credentials to authenticate to Prisma Access using GlobalProtect, whether they are logging in to their environment for the first time or have logged in before. If an error occurs during authentication, it is displayed in the embedded browser. This authentication process works across all device states.<br><br>In a non-Entra-joined environment with SSO enabled, users must enter their credentials during the initial login. On subsequent logins, the credentials are auto-filled as long as the SAML identity provider (IdP) session is active and has not timed out. |
| Redesigned GlobalProtect App User Interface for Windows and macOS | GlobalProtect app 6.0 for Windows and macOS introduces a more streamlined user interface and a more intuitive connection process. The redesigned app features improved workflows that enable end users to quickly understand connectivity and access issues. With this redesign, end users can enable the features they prefer to use from a central location. Additionally, end users can monitor specific notifications and Host Information Profile (HIP) report submissions sent to multiple internal gateways from a central location, which helps you quickly troubleshoot HIP-related issues. |
| Improved Connectivity Experience for the GlobalProtect App for Android and iOS | To enable a better user experience, GlobalProtect app 6.0 for Android and iOS endpoints provides an improved connection workflow. The app now displays informative connectivity error messages while the end user is connecting to the gateway. Additionally, when you configure GlobalProtect with the Always On connect method, the home screen displays the CONNECTED state with a disconnect message to prevent end users from disconnecting when they tap the Connect icon. |
| Improved Authentication Experience for the GlobalProtect App for Windows and macOS | To enable a better user experience, you can now configure the GlobalProtect app to continue displaying the status panel while the end user is entering their credentials when logging in or cancels the request. Available with Content Release Version 8450-6909 or later. |
| SAML Authentication with Cloud Authentication Service (Windows 10, macOS, Linux, iOS, and Android) | If you have set up the GlobalProtect portal to authenticate users through Security Assertion Markup Language (SAML) authentication, you can now leverage the Cloud Authentication Service to enable users to authenticate to GlobalProtect using a cloud identity provider, such as OneLogin or Okta. |
| Security Policy Enforcement for Inactive GlobalProtect Sessions | You can now enforce a security policy rule to track traffic from endpoints while end users are connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions. With this enhancement, you can enforce a shorter inactivity logout period. If a GlobalProtect session remains inactive for the configured time period, the session is automatically logged out and the VPN tunnel is terminated. |
| GlobalProtect for ARM64-Based Windows Devices | GlobalProtect now extends native support to ARM64-based Windows devices. This enables Palo Alto Networks customers to secure their remote workforce using ARM64-based Windows devices, with access to all features available in the GlobalProtect app and uniform endpoint security policy and enforcement similar to Intel-based Windows devices. |
| No Direct Access to Local Network Support for Linux | GlobalProtect now extends support to Linux devices, allowing you to enable or disable local network access whenever end users are connected to GlobalProtect, as on Windows and macOS. Excluding local subnets from the tunnel and allowing local subnet access enables end users to reach proxies and local resources (such as local printers) directly without sending local subnet traffic through the VPN tunnel. If you do not want end users to access local subnets, you can disable traffic to local subnets. |
| GlobalProtect Certificate Delegation for Android Devices Using Workspace ONE | (Android 8 and later releases) You can now use a mobile device management (MDM) system such as Workspace ONE to grant the GlobalProtect app permission for certificate delegation. This enables the GlobalProtect app for Android to select a client certificate based on the client certificate alias without first prompting users to manually select a certificate. |
| Single Sign-On (SSO) Using Smart Card Authentication | The GlobalProtect app now supports SSO using smart card authentication to reduce the number of times end users must enter their smart card Personal Identification Number (PIN) when they log in to their Windows 10 endpoint or authenticate to GlobalProtect. Using the same smart card PIN for GlobalProtect as for the Windows 10 endpoint lets end users connect without re-entering their smart card PIN in the app, for a seamless SSO experience. After the end user successfully logs in to the Windows 10 endpoint, the app acquires and remembers their smart card PIN to authenticate with the portal and gateway. Available with Content Release version 8451-6911 or later. |
| Endpoint Traffic Policy Enforcement (Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, and ARM-Based macOS 11 and later releases) | With the Endpoint Traffic Policy Enforcement feature, GlobalProtect provides added security to protect your remote workforce. You can use the Endpoint Traffic Policy feature on the GlobalProtect endpoint to block malicious inbound connections and to restrict any application from bypassing the GlobalProtect tunnel. Additionally, you can prevent end users from tampering with the routing table to bypass the GlobalProtect tunnel. Available with Content Release Version 8450-6909 or later. |
| Simplified and Seamless macOS GlobalProtect App Deployment Using Jamf MDM Integration | You can now use Jamf Pro to deploy GlobalProtect app 6.0.4 and later releases to macOS endpoints to support large-scale GlobalProtect app deployments in on-premises and Prisma Access environments. Administrators can also provide a seamless experience for macOS end users by deploying Jamf configuration profiles that load system and network extensions automatically, so users do not have to respond to notifications from the GlobalProtect app. |
| FIPS-CC Mode for GlobalProtect (Windows and macOS, ARM-based devices running Windows and macOS, iOS, Android, and Linux) (Requires GlobalProtect app 6.0.7. For iOS and Android, requires GlobalProtect for Governments app 6.0.7.) | In preparation for submitting the GlobalProtect 6.0 app for FIPS-CC certification, the GlobalProtect app for Windows and macOS endpoints, ARM-based devices running Windows and macOS, iOS, Android, and Linux has been updated to meet FIPS-CC requirements. FIPS-CC mode for the GlobalProtect app is supported on x86 and ARM-based platforms. With this feature, you can deploy the GlobalProtect app in FIPS-CC mode to enforce stronger security checks for your users.<br><br>Federal Information Processing Standard (FIPS 140-3) and Common Criteria (CC) are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by U.S. government agencies and other domestic and international regulated industries. |
| Deploy Certificates for Authentication to the Endpoint Without Using Mobile Device Management (MDM) (Requires FIPS-CC mode on GlobalProtect for Governments app 6.0.8 for iOS.) | If you have set up the GlobalProtect portal or gateway to authenticate through certificate-based authentication, you can now directly download and deploy certificates to iOS endpoints using third-party applications. With this enhancement, you no longer need to configure certificates in the VPN profile and use Mobile Device Management (MDM) software to push the certificates to the devices.<br><br>You can enable this feature by adding the following key-value pair to the Custom Data within the MDM VPN profile: mode-persistent-token set to Yes.<br><br>You can now deploy GlobalProtect for Governments app 6.0.8 for iOS using Microsoft Intune. |
| Enhanced GlobalProtect App Log Sharing Functionality (Requires GlobalProtect for Governments app 6.0.9 for iOS and Android.) | On iOS and Android devices, users can now choose their preferred method of sharing the GlobalProtect app log files for troubleshooting. Previously, users could share the app logs only using Apple Mail on the iOS device or the Gmail client on the Android device. Now, users can share GlobalProtect app log files quickly and easily using their preferred file sharing apps. |
| Persistent Token Authentication Enhancements (Requires GlobalProtect for Governments app 6.0.12 for iOS, FIPS-CC mode) | The GlobalProtect app is enhanced to improve the user experience by eliminating Token Access Request prompts while using persistent tokens for authentication. Users are no longer interrupted by prompts while authenticating to the app; they need to respond to the prompt only once, when they authenticate and connect to the app for the first time.<br><br>Upon successful initial authentication to a portal or gateway, the app automatically caches the persistent token. This eliminates the manual selection of the token for subsequent authentications, enhancing the overall user experience with the app.<br><br>When multiple portals or gateways request authentication using the same certificate, and a user successfully authenticates to one of the gateways with a cached persistent token, the user is not prompted again while authenticating to any of the other gateways. |
| Deploy Certificates for Authentication to iOS Endpoints Using Mobile Device Management (MDM) (Requires GlobalProtect for Governments app 6.0.12 for iOS, FIPS-CC mode) | Starting from GlobalProtect for Governments app 6.0.12, certificate-based authentication is supported on iOS endpoints. |
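Two of the features above, excluding local subnets from the tunnel and preventing routing-table tampering that bypasses the tunnel, come down to a single question about the host routing table: for a given destination, does a physical-interface route win over the tunnel route, and is that allowed? The following Python example is added here for illustration; it is not GlobalProtect code and does not reflect how Palo Alto Networks implements the Endpoint Traffic Policy. It models a routing table with constructed entries, reports which interface a destination would exit on (longest-prefix match with metric tie-break), and flags non-tunnel routes that are at least as preferred as a tunnel route for the same prefix, exempting the host route to the VPN gateway and, when local access is enabled, routes inside the permitted local subnets. The interface names (tun0, eth0), addresses, metrics, and the flagging rule itself are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One routing-table entry (a constructed model, not a live route dump)."""
    destination: str   # CIDR prefix, e.g. "10.0.0.0/8"
    interface: str     # "tun0" for the VPN tunnel, "eth0" for the physical NIC (assumed names)
    metric: int = 0    # lower metric wins among equal-length prefixes


def net(cidr: str):
    # strict=False tolerates host bits being set; a bare address becomes a /32 host route
    return ipaddress.ip_network(cidr, strict=False)


def chosen_interface(dst_ip: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match with metric tie-break: which interface carries traffic to dst_ip?"""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in net(r.destination)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (net(r.destination).prefixlen, -r.metric))
    return best.interface


def find_bypass_routes(routes: List[Route], tunnel_iface: str, local_subnets: List[str],
                       allow_local: bool, gateway_ip: str) -> List[Route]:
    """Flag non-tunnel routes that would win over a tunnel route for the same destinations.

    A physical-interface route bypasses the tunnel when it is more specific than a tunnel
    route it sits inside, or equally specific with a lower (better) metric. Exempt: the host
    route to the VPN gateway itself (the tunnel rides on it) and, when local access is
    allowed, routes that fall inside a permitted local subnet.
    """
    tunnel_routes = [r for r in routes if r.interface == tunnel_iface]
    permitted_local = [net(s) for s in local_subnets] if allow_local else []
    gateway_host = net(gateway_ip)
    flagged = []
    for r in routes:
        if r.interface == tunnel_iface:
            continue
        dst = net(r.destination)
        if dst == gateway_host:
            continue
        if any(dst.subnet_of(p) for p in permitted_local):
            continue
        for t in tunnel_routes:
            tdst = net(t.destination)
            if dst.subnet_of(tdst) and (dst.prefixlen > tdst.prefixlen or r.metric < t.metric):
                flagged.append(r)
                break
    return flagged


# Constructed split-tunnel table: corporate prefixes via tun0, everything else direct, plus one
# tampered entry (10.20.30.0/24 via eth0) that would pull corporate traffic off the tunnel.
SPLIT_TUNNEL_ROUTES = [
    Route("0.0.0.0/0", "eth0", 100),
    Route("192.168.1.0/24", "eth0", 100),   # home LAN: a permitted local subnet
    Route("203.0.113.10/32", "eth0", 100),  # host route to the VPN gateway (documentation address)
    Route("10.0.0.0/8", "tun0", 50),
    Route("172.16.0.0/12", "tun0", 50),
    Route("10.20.30.0/24", "eth0", 10),     # tampering: more specific than the tun0 route
]

# Constructed full-tunnel table, where "no direct access to local network" can apply.
FULL_TUNNEL_ROUTES = [
    Route("0.0.0.0/0", "tun0", 50),
    Route("0.0.0.0/0", "eth0", 100),        # higher metric, so the tunnel default route wins
    Route("192.168.1.0/24", "eth0", 100),   # direct LAN route: acceptable only if local access is allowed
    Route("203.0.113.10/32", "eth0", 100),
]

GATEWAY = "203.0.113.10"          # constructed gateway address
LOCAL_SUBNETS = ["192.168.1.0/24"]

if __name__ == "__main__":
    cases = (("split tunnel", SPLIT_TUNNEL_ROUTES, True),
             ("full tunnel, local access allowed", FULL_TUNNEL_ROUTES, True),
             ("full tunnel, local access disabled", FULL_TUNNEL_ROUTES, False))
    for label, table, allow in cases:
        bad = find_bypass_routes(table, "tun0", LOCAL_SUBNETS, allow, GATEWAY)
        print(f"{label}: {[r.destination for r in bad] or 'no bypass routes'}")
    print("10.20.30.5 exits via", chosen_interface("10.20.30.5", SPLIT_TUNNEL_ROUTES))
```

In the split-tunnel table the tampered 10.20.30.0/24 entry is the only route flagged, and chosen_interface confirms why it matters: a corporate host such as 10.20.30.5 would leave through eth0 instead of tun0. In the full-tunnel table the same LAN route is clean while local access is allowed and flagged once it is disabled, which is exactly the policy switch the Linux feature exposes. The physical default route is never flagged because its metric is worse than the tunnel's; a real enforcer would also need to watch for metric changes on that route, which the equal-prefix comparison here covers.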