Features Introduced in GlobalProtect App 6.2


Features Introduced in GlobalProtect App 6.2

Table of Contents

Features Introduced in GlobalProtect App 6.2

Learn about the exciting new features introduced in the GlobalProtect™ App 6.2 release.
The following new features introduced in GlobalProtect app 6.2.

Conditional Connect Method for GlobalProtect

Learn how to have the GlobalProtect app dynamically change the connect method.
To improve the user experience with GlobalProtect, you can now use the Conditional Connect setting to have GlobalProtect dynamically change the connect method based on whether the user is on the internal network or working from a remote location. This is useful in environments where you require your users to connect to GlobalProtect at all times when in the office (Always On mode), but don’t require them to connect to GlobalProtect when they are away from the office except when they need access to your private apps.
With Conditional Connect, GlobalProtect uses internal host detection (IHD) to determine whether the user is on the internal network and then sets the connect method accordingly.
To configure this feature, you must deploy the
setting to the endpoint transparently to the Windows Registry or macOS plist. For the feature to work, you must also enable internal host detection and configure the endpoints to use the On-demand connect method.

Enhanced Split Tunnel Configuration

Host a split tunnel configuration file on a local web server for expanded support for domains, access routes and applications that you can update dynamically.
With Enhanced Split Tunnel you can manage the list domains, access routes, and applications that you want to include or exclude from the GlobalProtect tunnel using a split-tunnel configuration file that you host locally in your environment. This allows you to modify your split-tunnel settings without having to modify the configuration on the GlobalProtect gateway. In addition, this feature increases the number of included and excluded split-tunnel access routes and domains that you can define from 200 to 1,000. To use this capability, simply create the XML file and host it on a web server that your GlobalProtect endpoints can reach. To secure the XML file, you must sign it and then enable mutual TLS on the server hosting the split-tunnel configuration file. You can push the public key certificate that the endpoint will need to authenticate to the server to the endpoint from the portal configuration.

Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security

Learn about using GlobalProtect for explicit proxy in Prisma Access
Prisma Access now supports explicit proxy connectivity for GlobalProtect 6.2. This protects users with always-on internet security while providing on-demand access to private apps through a third-party VPN, GlobalProtect with Prisma Access, or an on-premises NGFW. This capability enables you to:
  • Easily replace 3rd-party proxy solutions
  • Seamlessly coexist with 3rd-party VPN agents
  • Secure internet traffic using browser-based and non-browser-based apps
  • Simplify proxy deployments and enforce User-ID-based policy against all traffic.
In addition to Tunnel mode, GlobalProtect Explicit Proxy supports two connectivity methods
  • Proxy Mode
  • Tunnel and Proxy Mode
This connection method enables you to use a 3rd-party VPN agent while still using Prisma Access as a secure web gateway for consistent and superior internet and SaaS security.
This mode enables you to secure access to the internet and SaaS applications through proxy mode and to secure access to private apps through tunnel mode. Whether or not the GlobalProtect tunnel for private app access is enabled, access to the internet remains secure through the proxy.
Users can access private apps through Prisma Access:
Or through an on-premises firewall:
If you don't require support for explicit proxy or 3rd-party VPNs from the GlobalProtect app, you can continue to deploy GlobalProtect in Tunnel Mode and use the split tunnel functionality to define what traffic you want to secure with Prisma Access, and which traffic can bypass the tunnel.

Host Information Profile (HIP) Exceptions for Patch Management

Exempt specific security patches from being reported as missing from the endpoint HIP report.
You can now configure the GlobalProtect app to exempt specific security patches from being reported as missing from the endpoint HIP report to prevent the endpoint from failing the HIP check in cases where patch updates happen frequently (for example some companies update their patches multiple times a day with threat updates). When you enable this feature, you can specify specific patches to exclude from the HIP report and the duration for which you want to exclude them. For certain patches, you might want to exclude them from the HIP report permanently if you don’t require them in your environment. For other patches, such as those that get updated frequently by the vendor, you might just want to exclude for a day or less to ensure that end users aren’t getting blocked from accessing the resources they need whenever a patch update happens, but you also want to verify that they’re patching their devices regularly.

Host Information Profile (HIP) Process Remediation

Enable a HIP remediation script whenever a GlobalProtect endpoint fails one or more process checks.
You can now enable a HIP remediation script whenever a GlobalProtect endpoint fails one or more process checks to help the endpoint recover from a HIP check failures. For example, you can create a script that will run on the endpoint whenever the HIP check—such as a process check or a registry or plist check—fails. After the endpoint runs the remediation script, the GlobalProtect app resubmits the HIP report. Remediating the issue causing the HIP check failure in real time enables your users access to the resources they need without having to wait until the next hourly HIP check.
To use this feature, you must create a remediation script and deploy it to your endpoints using your Mobile Device Management (MDM) software. You then enable the new HIP Remediation Process Timeout setting to indicate the amount of time you want to give the remediation process to complete. After the remediation timeout elapses, the GlobalProtect app resubmits the HIP report.

Recommended For You