Features Introduced

With Enhanced Split Tunnel you can manage the list domains, access routes, and applications that you want to include or exclude from the GlobalProtect tunnel using a split-tunnel configuration file that you host locally in your environment. This allows you to modify your split-tunnel settings without having to modify the configuration on the GlobalProtect gateway. In addition, this feature increases the number of included and excluded split-tunnel access routes and domains that you can define from 200 to 1,000. To use this capability, create the XML file and host it on a web server that your GlobalProtect endpoints can reach. To secure the XML file, you must sign it and then enable mutual TLS on the server hosting the split-tunnel configuration file. You can push the public key certificate from the portal configuration to the endpoint. The endpoint needs the certificate to authenticate to the web server.

Prisma Access now supports explicit proxy connectivity for GlobalProtect 6.2. This protects users with always-on internet security while providing on-demand access to private apps through a third-party VPN, GlobalProtect with Prisma Access, or an on-premises NGFW. This capability enables you to:

In addition to Tunnel mode, GlobalProtect Explicit Proxy supports two connectivity methods:

• Proxy Mode
• Tunnel and Proxy Mode

You can now configure the GlobalProtect app to exempt specific security patches from being reported as missing from the endpoint HIP report to prevent the endpoint from failing the HIP check in cases where patch updates happen frequently (for example some companies update their patches multiple times a day with threat updates). When you enable this feature, you can specify specific patches to exclude from the HIP report and the duration for which you want to exclude them. For certain patches, you might want to exclude them from the HIP report permanently if you don’t require them in your environment. For other patches, such as those that get updated frequently by the vendor, you might just want to exclude for a day or less to ensure that end users aren’t getting blocked from accessing the resources they need whenever a patch update happens, but you also want to verify that they’re patching their devices regularly.

You can now enable a HIP remediation script whenever a GlobalProtect endpoint fails one or more process checks to help the endpoint recover from a HIP check failures. For example, you can create a script that will run on the endpoint whenever the HIP check—such as a process check or a registry or plist check—fails. After the endpoint runs the remediation script, the GlobalProtect app resubmits the HIP report. Remediating the issue causing the HIP check failure in real time enables your users access to the resources they need without having to wait until the next hourly HIP check.

To use this feature, you must create a remediation script and deploy it to your endpoints using your Mobile Device Management (MDM) software. You then enable the new HIP Remediation Process Timeout setting to indicate the amount of time you want to give the remediation process to complete. After the remediation timeout elapses, the GlobalProtect app resubmits the HIP report.

In hybrid workplace environments where workers are moving between home and office work environments and collaborating with colleagues across the globe, the work day no longer conforms to a 9 to 5 schedule. This means that the session timeouts and expiring login lifetimes might interrupt workers in the middle of an important task. To accommodate this shift in how we work, GlobalProtect can now offer users the ability to extend their current session so that their connection doesn’t terminate at a critical moment. If you enable Allow User to Extend GlobalProtect User Session, the GlobalProtect app notifies the user when their session is about to expire and prompts them to extend the session. If the user opts to extend the session, the GlobalProtect app silently re-authenticates the user without tearing down the tunnel.