GlobalProtect
Known Issues
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
10.1 & Later
- 10.1 & Later
- 9.1 (EoL)
-
- How Does the App Know Which Certificate to Supply?
- Set Up Cloud Identity Engine Authentication
- Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications
- Enable Delivery of VSAs to a RADIUS Server
- Enable Group Mapping
-
-
- GlobalProtect App Minimum Hardware Requirements
- Download the GlobalProtect App Software Package for Hosting on the Portal
- Host App Updates on the Portal
- Host App Updates on a Web Server
- Test the App Installation
- Download and Install the GlobalProtect Mobile App
- View and Collect GlobalProtect App Logs
-
-
- Deploy App Settings in the Windows Registry
- Deploy App Settings from Msiexec
- Deploy Scripts Using the Windows Registry
- Deploy Scripts Using Msiexec
- Deploy Connect Before Logon Settings in the Windows Registry
- Deploy GlobalProtect Credential Provider Settings in the Windows Registry
- SSO Wrapping for Third-Party Credential Providers on Windows Endpoints
- Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
- Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
- Deploy App Settings to Linux Endpoints
- GlobalProtect Processes to be Whitelisted on EDR Deployments
-
-
- Mobile Device Management Overview
- Set Up the MDM Integration With GlobalProtect
- Qualified MDM Vendors
-
-
- Set Up the Microsoft Intune Environment for Android Endpoints
- Deploy the GlobalProtect App on Android Endpoints Using Microsoft Intune
- Create an App Configuration on Android Endpoints Using Microsoft Intune
- Configure Lockdown Mode for Always On Connect Method on Android Endpoints Using Microsoft Intune
-
- Deploy the GlobalProtect Mobile App Using Microsoft Intune
- Configure an Always On VPN Configuration for iOS Endpoints Using Microsoft Intune
- Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Microsoft Intune
- Configure a Per-App VPN Configuration for iOS Endpoints Using Microsoft Intune
-
-
-
- Create a Smart Computer Group for GlobalProtect App Deployment
- Create a Single Configuration Profile for the GlobalProtect App for macOS
- Deploy the GlobalProtect Mobile App for macOS Using Jamf Pro
-
- Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro
- Enable GlobalProtect Network Extensions on macOS Big Sur Endpoints Using Jamf Pro
- Add a Configuration Profile for the GlobalProtect Enforcer by Using Jamf Pro 10.26.0
- Verify Configuration Profiles Deployed by Jamf Pro
- Remove System Extensions on macOS Monterey Endpoints Using Jamf Pro
- Non-Removable System Extensions on macOS Sequoia Endpoints Using Jamf Pro
- Uninstall the GlobalProtect Mobile App Using Jamf Pro
-
- Configure HIP-Based Policy Enforcement
- Configure HIP Exceptions for Patch Management
- Collect Application and Process Data From Endpoints
- Redistribute HIP Reports
-
- Identification and Quarantine of Compromised Devices Overview and License Requirements
- View Quarantined Device Information
- Manually Add and Delete Devices From the Quarantine List
- Automatically Quarantine a Device
- Use GlobalProtect and Security Policies to Block Access to Quarantined Devices
- Redistribute Device Quarantine Information from Panorama
- Troubleshoot HIP Issues
-
-
- Enable and Verify FIPS-CC Mode on Windows Endpoints
- Enable and Verify FIPS-CC Mode on macOS Endpoints
- Enable and Verify FIPS-CC Mode Using Workspace ONE on iOS Endpoints
- Enable FIPS Mode on Linux EndPoints with Ubuntu or RHEL
- Enable and Verify FIPS-CC Mode Using Microsoft Intune on Android Endpoints
- FIPS-CC Security Functions
- Resolve FIPS-CC Mode Issues
-
-
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
- GlobalProtect Always On VPN Configuration
- Remote Access VPN with Pre-Logon
- User-Initiated Pre-Logon Connection
- GlobalProtect Multiple Gateway Configuration
- GlobalProtect for Internal HIP Checking and User-Based Access
- Mixed Internal and External Gateway Configuration
- Captive Portal and Enforce GlobalProtect for Network Access
- GlobalProtect on Windows 365 Cloud PC
-
- About GlobalProtect Cipher Selection
- Cipher Exchange Between the GlobalProtect App and Gateway
-
- Reference: GlobalProtect App Cryptographic Functions
-
- Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks
- Ciphers Used to Set Up IPsec Tunnels
- SSL APIs
-
- View a Graphical Display of GlobalProtect User Activity in PAN-OS
- View All GlobalProtect Logs on a Dedicated Page in PAN-OS
- Event Descriptions for the GlobalProtect Logs in PAN-OS
- Filter GlobalProtect Logs for Gateway Latency in PAN-OS
- Restrict Access to GlobalProtect Logs in PAN-OS
- Forward GlobalProtect Logs to an External Service in PAN-OS
- Configure Custom Reports for GlobalProtect in PAN-OS
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
-
- Download and Install the GlobalProtect App for Windows
- Use Connect Before Logon
- Use Single Sign-On for Smart Card Authentication
- Use the GlobalProtect App for Windows
- Report an Issue From the GlobalProtect App for Windows
- Disconnect the GlobalProtect App for Windows
- Uninstall the GlobalProtect App for Windows
- Fix a Microsoft Installer Conflict
-
- Download and Install the GlobalProtect App for macOS
- Use the GlobalProtect App for macOS
- Report an Issue From the GlobalProtect App for macOS
- Disconnect the GlobalProtect App for macOS
- Uninstall the GlobalProtect App for macOS
- Remove the GlobalProtect Enforcer Kernel Extension
- Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication
-
6.1
- 6.1
- 6.0
- 5.1
-
6.0
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
Known Issues
See the list of the known issues in GlobalProtect app
6.0.
The following table lists the known issues in GlobalProtect app 6.0 versions for Android, iOS,
Chrome, Windows, Windows 10 UWP, macOS, and Linux.
Issue | Description |
---|---|
GPC-21829
|
After upgrading or downgrading the GlobalProtect client to version
6.0.10, SAML authentication fails when using the embedded browser
along with enforcer without any exceptions.
Workaround: Configure an enforcer exception for the SAML
authentication service.
|
GPC-21558
|
After disabling and re-enabling extensions on macOS Sequoia, the
Enforcer fails to block traffic as expected when the GlobalProtect
client is disconnected, allowing traffic to flow improperly.
|
GPC-21554
|
If enforcer is configured, the Connect Before Logon connection fails
with a portal unreachable error.
|
GPC-20108
|
The GlobalProtect app upgrade from version 6.0.9 and earlier to
version 6.0.10 and later may fail for some users when the agent app
configuration parameter on the portal is set to Allow
with prompt.
Workaround: Use the transparent upgrade method.
|
GPC-18964
|
The GlobalProtect tunnel disconnects after 10 minutes on app versions
6.0.8 and 6.2.1, when SAML authentication is used and the
GlobalProtect app is running on macOS devices.
|
GPC-18467
|
In 6.0.8, when SAML authenticates a user that is not in the allow
list, authentication fails. However, the SAML assertion is still
used for subsequent authentication.
|
GPC-17226
|
After upgrade to GlobalProtect app version 6.0.5, macOS Ventura users
are unable to refresh the connection when connected to an external
gateway because the refresh menu disappears when the user hovers
over it.
|
GPC-17099
Fixed in GlobalProtect app 6.0.5-c35 and GlobalProtect app
6.0.7
|
When the GlobalProtect app for Windows is upgraded to GlobalProtect
app version 6.0.5, devices with Driver Verifier enabled and
configured to monitor the PAN virtual adapter driver (pangpd.sys)
display the
DRIVER_VERIFIER_DETECTED_VIOLATION
Blue Screen error.
|
GPC-15088 | When the GlobalProtect app is installed on
Android devices, the GlobalProtect notification is persistent and
continues to stay on the screen even when the app is closed. This issue
is not applicable for Android devices with Android 13 and later
version. Fixed the issue where the GlobalProtect notification
displayed on the screen was unresponsive and this is listed under
the Addressed Issues section. |
GPC-14820 | If you change the setting for Connect
with SSL Only in the portal configuration, when the
user views the Preferences in the GlobalProtect app, the Connect
with SSL setting retains the previous setting. |
GPC-14819 | The first time end users connect using the
GlobalProtect 6.0 app they may see an authentication failed message
if their SSO credentials are different from
the credentials they used to log in to their computer. |
GPC-14705
Fixed in GlobalProtect app
6.0.5 | On macOS endpoints, when connected to an
internal gateway the endpoint may not send a HIP report or receive
HIP notifications, and the HIP reports are not available on the Host Information Profile tab
in the app. |
GPC-14640 Fixed in GlobalProtect app
6.0.1 | In pre-logon deployments,
the GlobalProtect enforcer remains enabled even after disabling GlobalProtect. |
GPC-14578 Fixed in GlobalProtect app
6.0.3 | After connecting to GlobalProtect using Connect Before Logon (CBL) with
SAML authentication, the GlobalProtect app keeps opening and closing
after the user logs in. |
GPC-14453 Fixed in GlobalProtect app
6.0.1 | In some cases, TCP Option lookup for IP fragmented
TCP packets can cause the endpoint to lose access to internal resources. |
GPC-14329 Fixed in GlobalProtect app
6.0.1 | macOS devices are able to bypass the GlobalProtect
tunnel using the physical adapter even when No direct
access to local network is enabled. |
GPC-14063 | In cases where the GlobalProtect gateway
does not push a DNS suffix to the endpoint,
the endpoint incorrectly pushes the DNS suffix from the physical
adapter to the virtual adapter. |
GPC-13998 | When connected to GlobalProtect with Resolve
All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only) set
to Yes in the App Configurations area of
the GlobalProtect portal configuration, performance is slow in the Windows
Active Directory Users and Computers console. Workaround: Set Resolve
All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only) to No. |
GPC-13970 Fixed in GlobalProtect app
6.0.1 | DNS queries for excluded domains are sent out on both the GlobalProtect app virtual adapter and
the device's physical adapter when the Split-Tunnel
Option is set to Both Network Traffic and
DNS in the App Configurations area of
the GlobalProtect portal configuration. |
GPC-13774 Fixed in GlobalProtect app
6.0.1 | In some cases the GlobalProtect tunnel cannot send traffic after the system wakes up from sleep
mode. |
GPC-13757 | In a configuration where the Welcome
Page is set to None and Have
User Accept Terms Of Use before Creating Tunnel is set
to Yes, the endpoint gets stuck in the connecting
state. Workaround: Enable the Welcome Page or set Have
User Accept Terms Of Use before Creating Tunnel to No. |
GPC-13575 | When the user is prompted to select a certificate to
use to connect to GlobalProtect, if the user instead clicks Cancel
without selecting a client certificate the app shows the no network connectivity error
message. |
GPC-13106 | If the end user sets a preferred gateway in the GlobalProtect app and the administrator later
disables the manual gateway option in
the portal configuration, the app will still display the option to
set a gateway as preferred after the end user refreshes the
connection even though manual gateway selection is no longer an
available option. |
GPC-16597 |
The GlobalProtect app stops working when the app is upgraded from
version 5.2.8 to 6.0.3.
|
GPC-10557 | Users cannot install the GlobalProtect app
on Linux devices with Ubuntu 20.04 LTS. Workaround:
Install the GlobalProtect app on Linux devices using the dpkg utility
of the Debian package along with the apt-get utility. To
install the GlobalPtotect app CLI, use $ sudo dpkg -i <gp-app-pkg>.
For example: $ sudo dpkg -i GlobalProtect_deb-5.3.3.0-3.deb. |