Learn about the exciting new features introduced in the
GlobalProtect™ App 6.2 release.
Features Introduced in GlobalProtect App 6.2.8-c223
GlobalProtect Embedded Browser with Captive Portal
Embedded browser supported with captive portal
You can use the GlobalProtect embedded browser for captive portal authentication. This
allows the captive portal to open within the embedded browser, providing a seamless user
experience and enhanced security. For more information, see Customize the GlobalProtect App.
Features Introduced in GlobalProtect App 6.2.8
The following new feature is introduced in GlobalProtect app 6.2.8.
Checks for GlobalProtect Certificates
GlobalProtect certificate checks
Starting with GlobalProtect 6.2.8, you can use the Enable Strict Certificate
Check option on the GlobalProtect portal to enforce certificate
validation for Windows and macOS clients. For more information, see Customize the GlobalProtect app.
Features Introduced in GlobalProtect App 6.2.7
The following new feature is introduced in GlobalProtect app 6.2.7.
End User Coaching
End User Coaching allows you to immediately display an alert for end users when they
generate an incident.
End User Coaching allows you to notify and
coach end users when their actions violate a Security policy rule because the content
contains sensitive data that cannot leave your corporate network. Administrators can immediately notify end users through the Access Experience User Interface (UI) when
an end user uploads, downloads, or posts content that is blocked by . End user notifications are configured using the User Coaching Notification Template
created on and are associated with a DLP rule for both
File-Based and Non-File Based
traffic. The notification template allows you to fully customize the message
displayed in the notification and supports variables that dynamically fill in DLP
incident information based on the file name, traffic direction, application, and
action. After an incident is generated, the end user who
generated the incident can open the Data Security notification to see more
details about current and past notifications.
Features Introduced in GlobalProtect App 6.2.6
The following new feature is introduced in GlobalProtect app 6.2.6.
Multi-distro Compatible CLI Version of GlobalProtect for Linux for RPM and Debian-Based Distros
The multi-distro compatible CLI version of GlobalProtect
for Linux for RPM and Debian provides Linux users with a seamless experience
of installing and using GlobalProtect on a wider array of RPM- and Debian-based Linux
distributions. This increased flexibility lets Linux users run GlobalProtect on
distros that may not have official support, while also enabling administrators to
promptly safeguard important assets.
Features Introduced in GlobalProtect App 6.2.3
The following new feature is introduced in GlobalProtect app 6.2.3.
Embedded Browser Framework Upgrade
Learn about WebView2.
Starting with GlobalProtect 6.2.3, the embedded browser framework for SAML authentication
has been upgraded to Microsoft Edge WebView2 (Windows) and WKWebView (macOS). This
provides a consistent experience between the embedded browser and the GlobalProtect
client. WebView2 is also compatible with FIDO2-based authentication methods. For more
information, refer to Microsoft Edge WebView2 documentation.
By default, tenants using SAML authentication are configured to utilize the embedded
WebView2 (Windows) or WKWebView (macOS) instead of relying on the system's default
browser. With this enhancement, there's no need for end users to configure a SAML
landing page, eliminating the necessity to manually close the browser. This streamlines
the authentication process.
Features Introduced in GlobalProtect App 6.2.1 and 6.2.2
If your Prisma Access tenant is IP Optimization enabled (available starting in
Prisma Access 5.0.1), the minimum required GlobalProtect app versions are 6.1.4
and later, 6.2.3 and later, or 6.3 and later.
Starting from GlobalProtect Linux version
6.2.1, you can use the command-line interface (CLI) to connect
to the GlobalProtect app when it is configured with SAML
authentication with default browser. Previously, the only way to connect to the
GlobalProtect app configured with SAML authentication and the default browser
was through the GUI version of the app. GlobalProtect app Linux version 6.2.1
is supported on Fedora Linux 40, as well as other Linux platforms such as Ubuntu and Red
Hat Enterprise Linux (RHEL).
Features Introduced in GlobalProtect App 6.2.0
The following new features are introduced in GlobalProtect app 6.2.0.
Conditional Connect Method for GlobalProtect
Learn how to have the GlobalProtect app dynamically change the connect
method.
To improve the user experience with GlobalProtect, you can now use the Conditional Connect setting to have
GlobalProtect dynamically change the connect method based on whether the user is on the
internal network or working from a remote location. This is useful in environments where
you require your users to connect to GlobalProtect at all times when in the office
(Always On mode), but don’t require them to connect to GlobalProtect when they are away
from the office except when they need access to your private apps.
With Conditional Connect, GlobalProtect uses internal host detection (IHD) to determine
whether the user is on the internal network and then sets the connect method
accordingly.
To configure this feature, you must deploy the conditional-connect
setting transparently to the endpoint, in the Windows Registry or the macOS plist. For the
feature to work, you must also enable internal host detection and configure the
endpoints to use the On-demand connect method.
Enhanced Split Tunnel Configuration
Host a split tunnel configuration file on a local web server for expanded support for
domains, access routes and applications that you can update dynamically.
With Enhanced Split Tunnel, you can manage the list of
domains, access routes, and applications that you want to include or exclude from the
GlobalProtect tunnel using a split-tunnel configuration file that you host locally in
your environment. This allows you to modify your split-tunnel settings without having to
modify the configuration on the GlobalProtect gateway. In addition, this feature
increases the number of included and excluded split-tunnel access routes and domains
that you can define from 200 to 1,000. To use this capability, create the XML file and
host it on a web server that your GlobalProtect endpoints can reach. To secure the XML
file, you must sign it and then enable mutual TLS on the server hosting the split-tunnel
configuration file. You can push the public key certificate from the portal
configuration to the endpoint. The endpoint needs the certificate to authenticate to the
web server.
Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet
Security
Learn about using GlobalProtect for explicit proxy in Prisma Access
Prisma Access now supports explicit proxy connectivity for GlobalProtect 6.2.
This protects users with always-on internet security while providing on-demand access to
private apps through a third-party VPN, GlobalProtect with Prisma Access, or an
on-premises NGFW. This capability enables you to:
Easily replace 3rd-party proxy solutions
Seamlessly coexist with 3rd-party VPN agents
Secure internet traffic using browser-based and non-browser-based apps
Simplify proxy deployments and enforce User-ID-based policy against all traffic
In addition to Tunnel mode, GlobalProtect Explicit Proxy
supports two connectivity methods:
This connection method
enables you to use a 3rd-party VPN agent while still using Prisma Access as a secure web gateway for consistent and
superior internet and SaaS security.
This mode
enables you to secure access to the internet and SaaS applications through proxy
mode and to secure access to private apps through tunnel mode. Whether or not the
GlobalProtect tunnel for private app access is enabled, access to the internet
remains secure through the proxy.
Users can access private apps through Prisma Access or through an on-premises firewall.
If you don't require support for explicit proxy or 3rd-party VPNs from the
GlobalProtect app, you can continue to deploy GlobalProtect in Tunnel Mode and use
the split tunnel functionality to define what
traffic you want to secure with Prisma Access, and which traffic can bypass the
tunnel.
Host Information Profile (HIP) Exceptions for Patch Management
Exempt specific security patches from being reported as missing from the endpoint HIP
report.
You can now configure the GlobalProtect app to exempt specific security patches from
being reported as missing from the endpoint HIP report, to prevent the endpoint from
failing the HIP check in cases where patch updates happen frequently (for example, some
companies update their patches multiple times a day with threat updates). When you enable this feature, you specify the
patches to exclude from the HIP report and the duration for which you want to exclude
them. For certain patches, you might want to exclude them from the HIP report
permanently if you don’t require them in your environment. For other patches, such as
those that get updated frequently by the vendor, you might just want to exclude for a
day or less to ensure that end users aren’t getting blocked from accessing the resources
they need whenever a patch update happens, but you also want to verify that they’re
patching their devices regularly.
Host Information Profile (HIP) Process Remediation
Enable a HIP remediation script whenever a GlobalProtect endpoint fails one or more
process checks.
You can now enable a HIP remediation script whenever a GlobalProtect endpoint fails one
or more process checks, to help the endpoint recover from HIP check failures. For
example, you can create a script that will run on the endpoint whenever a HIP
check—such as a process check or a registry or plist check—fails. After the endpoint
runs the remediation script, the GlobalProtect app resubmits the HIP report. Remediating
the issue causing the HIP check failure in real time gives your users access to the
resources they need without having to wait until the next hourly HIP check.
To use this feature, you must create a remediation script and deploy it to your endpoints
using your Mobile Device Management (MDM) software. You then enable the new HIP Remediation Process Timeout
setting to indicate the amount of time you want to give the remediation
process to complete. After the remediation timeout elapses, the GlobalProtect app
resubmits the HIP report.
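As an added example (not from this page or from Palo Alto Networks), a POSIX shell remediation script of the kind described above: it checks whether a required process is running, starts it if not, and gives up before the HIP Remediation Process Timeout elapses so that the app resubmits the HIP report either way. The process name, start command and deadline are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: HIP process-check remediation script (not GlobalProtect's own code).
# Usage: hip-remediate.sh <process-name> <start-command> [deadline-seconds]
# Keep <deadline-seconds> below the HIP Remediation Process Timeout configured on
# the portal, so this script always exits before the app resubmits the HIP report.

log() { printf '%s hip-remediate: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# Return 0 if a process whose name is exactly $1 is running.
# Uses pgrep where available (Linux, macOS); falls back to scanning /proc on Linux.
proc_running() {
  if command -v pgrep >/dev/null 2>&1; then
    if pgrep -x "$1" >/dev/null 2>&1; then return 0; else return 1; fi
  fi
  for comm in /proc/[0-9]*/comm; do
    [ "$(cat "$comm" 2>/dev/null)" = "$1" ] && return 0
  done
  return 1
}

# Start the required process if it is not running and wait for it to appear.
# Returns 0 when the process is running, 1 if it could not be brought up in time.
remediate() {
  name=$1; start_cmd=$2; deadline=${3:-20}
  if proc_running "$name"; then
    log "$name already running, nothing to do"
    return 0
  fi
  log "$name not running, starting: $start_cmd"
  # Detach the child from this script's stdio so the script itself can exit on time.
  sh -c "$start_cmd" >/dev/null 2>&1 </dev/null &
  elapsed=0
  while [ "$elapsed" -lt "$deadline" ]; do
    proc_running "$name" && { log "$name is running after ${elapsed}s"; return 0; }
    sleep 1; elapsed=$((elapsed + 1))
  done
  log "$name still not running after ${deadline}s, giving up"
  return 1
}

# Run only when invoked with arguments (for example by the HIP remediation hook).
if [ "$#" -ge 2 ]; then
  remediate "$1" "$2" "$3"
  exit $?
fi
```

The exit status (0 = recovered, 1 = still failing) is what you would log and alert on; the app resubmits the HIP report once the timeout elapses regardless.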
Support for Native Certificate Store for Linux Endpoints
Client certificate authentication to the portal and gateway
GlobalProtect app log reporting
Previously, the GlobalProtect app used the client certificates installed with the
GlobalProtect CLI command, which are available only in the
/opt/paloaltonetworks/globalprotect/file directory
on Linux endpoints.
You must place the certificate in the native store location of the Linux endpoints
for the app to use the certificate.
The following are the cert store locations for various Linux platforms:
Ubuntu:
Cert: /etc/ssl/certs
Key: /etc/ssl/private
Fedora:
Cert: /etc/ssl/certs
Key: /etc/ssl/private
Red Hat:
Cert: /etc/pki/tls/certs
Key: /etc/pki/tls/private
The supported formats are:
.pem
.p12
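As an added example (not from this page or from Palo Alto Networks), a POSIX shell function that unpacks a .p12 bundle into the .pem certificate and key files and places them in the store directories listed above, keeping the private key readable only by root and verifying that the key matches the certificate. The directories default to the Ubuntu/Fedora locations; pass the Red Hat paths as the last two arguments on RHEL. The bundle name, passphrase and file name are placeholders.

```shell
#!/bin/sh
# Added example (not GlobalProtect code): install a client certificate from a
# PKCS#12 bundle into the Linux native certificate store locations listed above.
# Requires openssl.
# Usage: install_client_cert <bundle.p12> <passphrase> <name> [cert-dir] [key-dir]

install_client_cert() {
  bundle=$1; pass=$2; name=$3
  cert_dir=${4:-/etc/ssl/certs}        # Red Hat: /etc/pki/tls/certs
  key_dir=${5:-/etc/ssl/private}       # Red Hat: /etc/pki/tls/private
  cert_out="$cert_dir/$name.pem"; key_out="$key_dir/$name.pem"

  # Create the key file with mode 0600 before anything is written to it, so the
  # private key is never world-readable even for an instant.
  (umask 077 && : > "$key_out") || return 1
  chmod 600 "$key_out" || return 1

  # Certificate only (no key), then key only; the key is written unencrypted
  # (-nodes) because the app must be able to load it without a passphrase.
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys -out "$cert_out" || return 1
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes -out "$key_out" || return 1
  chmod 644 "$cert_out" || return 1

  # Sanity check: the installed key must correspond to the installed certificate.
  cert_pub=$(openssl x509 -in "$cert_out" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key_out" -pubout) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key in $key_out does not match certificate in $cert_out" >&2
    return 1
  fi
  echo "installed $cert_out (0644) and $key_out (0600)"
}

# Run only when invoked with arguments.
if [ "$#" -ge 3 ]; then
  install_client_cert "$@"
  exit $?
fi
```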
Extend User Session for GlobalProtect Users
Offer users the ability to extend their current GlobalProtect session so that their
current session doesn't terminate at a critical moment.
In hybrid workplace environments where workers are moving between home and office work
environments and collaborating with colleagues across the globe, the work day no longer
conforms to a 9 to 5 schedule. This means that the session timeouts and expiring login
lifetimes might interrupt workers in the middle of an important task. To accommodate
this shift in how we work, GlobalProtect can now offer users the ability to extend their
current session so that their connection doesn’t terminate at a critical moment. If you
enable Allow User to Extend GlobalProtect User Session, the GlobalProtect app notifies
the user when their session is about to expire and prompts them to extend the session.
If the user opts to extend the session, the GlobalProtect app silently re-authenticates
the user without tearing down the tunnel.