Features Introduced in GlobalProtect App 6.3

Learn about new features.
The following new features are introduced in GlobalProtect app 6.3.

Enhanced HIP Remediation Process Improvements

You can now configure the GlobalProtect app to rerun the HIP remediation script whenever the GlobalProtect endpoint fails the process check after running the configured HIP remediation process.
This feature enables the app to rerun the HIP remediation script when the process fails after the set HIP remediation timeout period to help the endpoint recover from a HIP check failure. The app reruns the remediation script after a process check failure based on the HIP Process Remediation Retry count you configure through the app settings of the GlobalProtect portal. When you enable this feature, the GlobalProtect app resubmits the HIP report only after the app reruns the HIP remediation script in case of HIP check failures.
For example, if you configure the retry count as 3 and the remediation timeout period as 5 mins in the portal configuration, then every time the endpoint fails the process check after performing the remediation process, the app runs the script three times and waits up to 5 mins before it submits the HIP report.

Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts

You can now use the GlobalProtect app with smart card and ActivClient software without entering the smart card PIN multiple times when the Connect Before Logon (CBL) connection method is configured for the GlobalProtect app.
Previously, when ActivClient software was installed on the devices and Connect Before Logon was configured for the GlobalProtect app, end users were prompted to enter the smart card PIN multiple times while trying to connect using the CBL method.
This enhancement removes the multiple smart card PIN prompts received by the end users from the Windows identity provider and ActivClient while connecting the GlobalProtect app with the smart card along with ActivClient software. The GlobalProtect app now prompts the user to enter a PIN only once and the PIN prompt is from ActivClient software.

Enhancements for Authentication Using Smart Cards-Authentication Fallback

The smart card authentication method is enhanced to include an authentication fallback mechanism when the smart card is not available to authenticate users to the GlobalProtect app.
When you set smart card authentication for end users to authenticate to the GlobalProtect app and the configured smart card is not available, user authentication now falls back to any other username and password authentication methods that you have configured for the app.
The smart card authentication fallback will happen only if you have selected the Allow Authentication with User Credentials OR Client Certificate option while configuring the GlobalProtect gateway and portal. This option defines whether users can authenticate to the portal or gateway using credentials and/or client certificates.

Intelligent Portal

Learn how to get routed to the appropriate Prisma Access portal based on your location.
Corporate users travel between multiple countries for their work. The intelligent portal selection feature enables automatic selection of the appropriate portal when a user travels across multiple countries for seamless and secure connectivity. After you configure intelligent portal in your environment, you're automatically routed to the appropriate Prisma Access portal based on your country location. For example, when you travel to China, you are directed to the China Prisma Access portal and to the North America portal when you're in the United States. This eliminates the need for manual selection of portals and improves the end user experience.
The intelligent portal feature is supported for the Always-On and Always-On (Pre-logon) modes. It is supported for Connect Before Logon if there are no portal addresses defined.
You can deploy GlobalProtect with this feature, or add entries to the Windows Registry or macOS plist file. For more information, see Configure Intelligent Portal.

Connect to GlobalProtect App with IPSec Only

Learn how to choose the connection option for the GlobalProtect app.
To meet Federal Government compliance regulations, you can choose to prevent GlobalProtect fallback to SSL tunnel in case IPSec tunnel fails. If IPSec is not configured on the gateway, the GlobalProtect app stays disconnected.
The existing Connect with SSL Only feature and the new Connect with IPSec Only feature are combined under the single unified portal configuration of Advanced Control for Tunnel Mode Behavior. For more information, see step 5 in Customize the GlobalProtect App.

Embedded Browser Framework Upgrade

Learn about WebView2.
Starting with GlobalProtect 6.3, the embedded browser framework for SAML authentication has been upgraded to Microsoft Edge WebView2 (Windows) and WebKit (macOS). This provides a consistent experience between the embedded browser and the GlobalProtect client. WebView2 and WebKit are also compatible with FIDO2-based authentication methods.
By default, tenants using SAML authentication are configured to utilize the embedded WebView2 (Windows) or WebKit (macOS) instead of relying on the system's default browser. With this enhancement, there's no need for end users to configure a SAML landing page, eliminating the necessity to manually close the browser. This streamlines the authentication process.
In a Microsoft Entra-joined environment with SSO enabled, users are not required to enter their credentials in order to authenticate to Prisma Access using GlobalProtect. This seamless experience is true whether the user is logging in to their environment for the first time or whether they have logged in before. If there is an error during the authentication, it is displayed in the embedded browser. This authentication process works across all device states.
In a non-Entra-joined environment with SSO enabled, users must enter their credentials during the initial login. On subsequent logins, the credentials are auto-filled as long as the SAML identity provider (IdP) session is active and has not timed out. For more information, see CIE (SAML) Authentication using Embedded Web-view.
