Features Introduced in GlobalProtect App 6.2
Learn about the exciting new features introduced in the
GlobalProtect™ App 6.2 release.
The following new features are introduced in GlobalProtect app 6.2.
Conditional Connect Method for GlobalProtect
Learn how to have the GlobalProtect app dynamically change the connect
method.
To improve the user experience with GlobalProtect, you can now use the Conditional Connect setting to have
GlobalProtect dynamically change the connect method based on whether the user is on the
internal network or working from a remote location. This is useful in environments where
you require your users to connect to GlobalProtect at all times when in the office
(Always On mode), but don’t require them to connect to GlobalProtect when they are away
from the office except when they need access to your private apps.
With Conditional Connect, GlobalProtect uses internal host detection (IHD) to determine
whether the user is on the internal network and then sets the connect method
accordingly.
To configure this feature, you must deploy the conditional-connect
setting transparently to the endpoint, in the Windows Registry or the macOS plist.
Enhanced Split Tunnel Configuration
Host a split tunnel configuration file on a local web server for expanded support for
domains, access routes and applications that you can update dynamically.
With Enhanced Split Tunnel, you can manage the list of
domains, access routes, and applications that you want to include or exclude from the
GlobalProtect tunnel using a split-tunnel configuration file that you host locally in
your environment. This allows you to modify your split-tunnel settings without having to
modify the configuration on the GlobalProtect gateway. In addition, this feature
increases the number of included and excluded split-tunnel access routes and domains
that you can define from 200 to 1,000. To use this capability, create the XML
file and host it on a web server that your GlobalProtect endpoints can reach. To secure
the XML file, you must sign it and then enable mutual TLS on the server hosting the
split-tunnel configuration file. You can push the public key certificate that the
endpoint will need to authenticate to the server to the endpoint from the portal
configuration.
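As an added illustration of the signing requirement above (example code, not GlobalProtect's own file format or signing scheme, which the page does not publish), the Go program below signs a constructed split-tunnel XML file with an ECDSA key, verifies the signature on the endpoint side before anything is parsed or applied, and enforces the 1,000-entry limit; the element names and the ECDSA/SHA-256 choice are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
)

// Hypothetical layout: the page does not publish the real split-tunnel file schema.
type Rules struct {
	Routes  []string `xml:"route"`
	Domains []string `xml:"domain"`
}
type SplitTunnel struct {
	Include Rules `xml:"include"`
	Exclude Rules `xml:"exclude"`
}

const MaxEntries = 1000 // per-list limit the page states (raised from 200 to 1,000)
// NewKey makes the signing key; in practice its public half is what the portal pushes to endpoints.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Sign returns an ASN.1 ECDSA signature over the SHA-256 digest of the file.
func Sign(priv *ecdsa.PrivateKey, file []byte) ([]byte, error) {
	h := sha256.Sum256(file)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// LoadSigned verifies the signature against the pinned key before parsing, then refuses oversized lists.
func LoadSigned(pub *ecdsa.PublicKey, file, sig []byte) (*SplitTunnel, error) {
	h := sha256.Sum256(file)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, fmt.Errorf("split-tunnel file: signature mismatch, not applied")
	}
	var st SplitTunnel
	if err := xml.Unmarshal(file, &st); err != nil {
		return nil, err
	}
	for _, r := range []Rules{st.Include, st.Exclude} {
		if len(r.Routes) > MaxEntries || len(r.Domains) > MaxEntries {
			return nil, fmt.Errorf("split-tunnel file: a list exceeds %d entries", MaxEntries)
		}
	}
	return &st, nil
}
// SampleConfig is a constructed file for demonstration, not one from a real deployment.
const SampleConfig = `<split-tunnel><include><route>10.0.0.0/8</route><domain>*.corp.example</domain></include><exclude><domain>*.saas.example</domain></exclude></split-tunnel>`
```

A file whose signature fails is rejected before the XML parser ever sees it, so a tampered copy served from the web host cannot change which traffic leaves the tunnel.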
Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security
Learn about using GlobalProtect for explicit proxy in Prisma Access.
The GlobalProtect app now includes native support for Prisma Access explicit proxy to
provide always-on internet security and seamless co-existence with third-party VPNs.
This solution secures internet-bound traffic from your mobile users, even if users
disconnect the GlobalProtect app. To achieve this, the GlobalProtect app now provides
two new modes:
- Proxy mode—The GlobalProtect app forwards internet traffic, including SaaS application traffic, to Prisma Access for explicit proxy, based on the forwarding rules you define. By enabling explicit proxy functionality directly from the GlobalProtect app you get all of the advantages Prisma Access provides, including consistent rule enforcement to ensure that users are only accessing approved SaaS apps and sites, as well as continuous security inspection. In this mode, you can use a third-party VPN for private app access.
- Proxy and Tunnel mode—In this mode, the GlobalProtect app first evaluates the explicit proxy forwarding rules you have defined and sends all internet-bound traffic to the Prisma Access explicit proxy. For all other traffic, the app determines which traffic to send through the tunnel to the GlobalProtect gateway, and which traffic to exclude from the tunnel, based on any split tunnel rules you have defined.
These new modes complement the existing GlobalProtect app Tunnel mode, which continues to function the
same way it always has, providing secure access for internet, SaaS app, and private app
access via a tunnel to Prisma Access for policy enforcement and security inspection.
Host Information Profile (HIP) Exceptions for Patch Management
Exempt specific security patches from being reported as missing from the endpoint HIP
report.
You can now configure the GlobalProtect app to exempt specific security patches from
being reported as missing from the endpoint HIP report to prevent the endpoint from
failing the HIP check in cases where patch updates happen frequently (for example, some
companies update their patches multiple times a day with threat updates). When you enable this feature, you can specify the
patches to exclude from the HIP report and the duration for which you want to exclude
them. For certain patches, you might want to exclude them from the HIP report
permanently if you don’t require them in your environment. For other patches, such as
those that get updated frequently by the vendor, you might just want to exclude them for a
day or less to ensure that end users aren’t getting blocked from accessing the resources
they need whenever a patch update happens, but you also want to verify that they’re
patching their devices regularly.
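To make the permanent versus time-limited exemption behaviour concrete, here is an added Go example (not Palo Alto Networks code; the exception model, field names and patch IDs are constructed) that filters a HIP report's missing-patch list against exemptions with an expiry, so a one-day exemption resurfaces the patch as missing once it lapses.

```go
package main

import "time"

// PatchException is one configured exemption: a patch identifier and how long the
// patch is left out of the HIP report. A TTL of zero is a permanent exemption.
// This is a constructed model; the product's own configuration fields are not on the page.
type PatchException struct {
	PatchID string
	Added   time.Time     // when the exemption was configured
	TTL     time.Duration // 0 = permanent, otherwise expires at Added+TTL
}

// Active reports whether the exemption still applies at the given evaluation time.
func (e PatchException) Active(now time.Time) bool {
	return e.TTL == 0 || now.Before(e.Added.Add(e.TTL))
}

// ApplyExceptions splits the missing-patch list into what still fails the HIP check and
// what an active exemption suppressed, so suppressions stay visible for auditing.
func ApplyExceptions(missing []string, excs []PatchException, now time.Time) (stillMissing, suppressed []string) {
	active := map[string]bool{}
	for _, e := range excs {
		if e.Active(now) {
			active[e.PatchID] = true
		}
	}
	for _, p := range missing {
		if active[p] {
			suppressed = append(suppressed, p)
		} else {
			stillMissing = append(stillMissing, p)
		}
	}
	return stillMissing, suppressed
}

// SampleExceptions is constructed data with placeholder patch IDs: one permanent
// exemption and one that covers a vendor's daily threat updates for 24 hours.
var SampleExceptions = []PatchException{
	{PatchID: "KB-PERMANENT-EXAMPLE"},
	{PatchID: "KB-DAILY-THREAT-EXAMPLE", Added: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), TTL: 24 * time.Hour},
}
```

Because the exemption is re-evaluated at each HIP submission, the daily exemption stops masking the patch after 24 hours, which is how you still confirm that devices are being patched regularly.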
Host Information Profile (HIP) Process Remediation
Enable a HIP remediation script whenever a GlobalProtect endpoint fails one or more
process checks.
You can now enable a HIP remediation script whenever a GlobalProtect endpoint fails one
or more process checks to help the endpoint recover from HIP check failures. For
example, you can create a script that will run on the endpoint whenever the HIP
check—such as a process check or a registry or plist check—fails. After the endpoint
runs the remediation script, the GlobalProtect app resubmits the HIP report. Remediating
the issue causing the HIP check failure in real time gives your users access to the
resources they need without having to wait until the next hourly HIP check.
To use this feature, you must create a remediation script and deploy it to your endpoints
using your Mobile Device Management (MDM) software. You then enable the new HIP Remediation Process Timeout
setting to indicate the amount of time you want to give the remediation
process to complete. After the remediation timeout elapses, the GlobalProtect app
resubmits the HIP report.