Features Introduced

Learn about new features.

Features Introduced in GlobalProtect App 6.3.3

The following new features are introduced in GlobalProtect app 6.3.3.

Reveal Password on Windows Logon for GlobalProtect

The Reveal Password icon shows the password characters as you type them.
Starting with GlobalProtect™ 6.3.3, the Windows logon and Change Password screens include a Reveal Password icon. Clicking the icon displays the characters you have entered, so you can catch a mistyped password before it causes a failed logon or a locked account. Click the icon while logging in or changing your password to display the entered characters.
The Windows logon screen shows the GlobalProtect connection status and gateway along with the Reveal Password icon. The Change Password dialog box shows your username, domain name, GlobalProtect connection status, and gateway, plus the Reveal Password icon in the password field. For more information, see Reveal Password on Windows Logon Screen for GlobalProtect.

SAML Authentication Via Trusted IP Addresses

Enforce SAML authentication only from trusted IP addresses
With GlobalProtect™ 6.3.3 and later versions, you can require that SAML authentication succeed only when the authentication request originates from a trusted IP address. Users authenticating from untrusted IP addresses cannot access the Prisma Access portal or gateway. For more information, see Enforce SAML Authentication from Trusted IP Addresses.

GlobalProtect Embedded Browser with Captive Portal

The embedded browser is supported for captive portal authentication
You can use the GlobalProtect embedded browser for captive portal authentication, so that the captive portal login page opens inside the embedded browser instead of the system browser. This gives users a seamless experience and keeps the captive portal session within the app's browser. For more information, see Customize the GlobalProtect App.

Features Introduced in GlobalProtect App 6.3.2

The GlobalProtect App 6.3.2 does not include any new features.

Features Introduced in GlobalProtect App 6.3.1

The following new features are introduced in GlobalProtect app 6.3.1.

Traffic Enforcement with Forwarding Profiles

Enable traffic enforcement to block outbound connections.
You can block outbound UDP and IPv6 traffic from endpoints when the GlobalProtect agent is deployed in proxy mode, and you can customize the block actions. This option is available only for Prisma Access managed by Strata Cloud Manager with GlobalProtect agent 6.3.1. For more information, see Prisma Access Explicit Forwarding Profiles.

Intelligent Internal Host Detection

Learn about the new Enable Intelligent Internal Host Detection parameter.
GlobalProtect 6.3.1 and later releases include the Enable Intelligent Internal Host Detection parameter. It applies when the GlobalProtect app runs in internal host detection mode for User-ID while a third-party VPN client is used to reach private applications. If internal host detection runs before the third-party VPN has established its tunnel, the detection fails and no User-ID mapping is established. With Enable Intelligent Internal Host Detection, the app re-triggers network discovery until internal host detection succeeds, so the User-ID mapping is established even when a third-party VPN agent is present.

GlobalProtect Best Gateway Selection

GlobalProtect uses a network discovery method to select the best available gateway, based on criteria such as gateway priority, load, and the response time from each gateway.
GlobalProtect uses a network discovery method to select the best available gateway from the multiple available gateway options. GlobalProtect attempts to communicate with all the gateways and uses criteria such as gateway priority, load, and the response time from each gateway to determine which one is the best. However, suboptimal endpoint conditions, such as high load and high CPU usage on the endpoint itself, can inflate the measured response times and lead to a suboptimal gateway selection.
The GlobalProtect Best Gateway Selection Criteria feature prevents such endpoint conditions from distorting the result of the network discovery method, which helps ensure a reliable best-gateway selection even on a busy endpoint.
You can configure the best gateway selection criteria in the app settings of the GlobalProtect portal configuration so that endpoints select the best available gateway when end users connect from an external network.
After you configure these settings, the GlobalProtect app first attempts to reach the external gateways listed in its client configuration and then connects to the gateway with the highest priority and the shortest response time.
After you enable this feature, you can configure the app to use the time it takes to complete a TCP connection as the external gateway measurement. Then, when you select Response Time as the Best Gateway Selection Criteria in the app settings of the portal configuration, GlobalProtect uses the duration of the TCP handshake to measure the time it takes to establish a connection to each external gateway.
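The selection rule above (priority first, then the shortest measured TCP handshake, skipping gateways that do not answer) can be made concrete with a small model. The following is an added example written for this page, not GlobalProtect code: the priority tier names are those shown in the portal's external gateway list, but their numeric ranking, the probe port, and the gateway names and latencies in the sample are assumptions constructed for illustration.

```python
from __future__ import annotations

import socket
import time
from typing import Optional

# Priority tiers as named in the portal's external gateway list. Mapping them to
# integers (lower = better) is an assumption made for this example.
PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}


def tcp_connect_time(host: str, port: int = 443, timeout: float = 3.0) -> Optional[float]:
    """Measure how long a TCP handshake to host:port takes, in seconds.

    Returns None if the connection does not complete within the timeout. This
    is the kind of measurement the page describes (handshake duration only);
    no GlobalProtect protocol traffic is sent.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def select_best_gateway(measurements: dict[str, tuple[str, Optional[float]]]) -> Optional[str]:
    """Pick the gateway to connect to from name -> (priority tier, handshake time).

    Gateways with no measurement (None) are unreachable and are skipped. Among
    the rest the best priority tier wins, and within a tier the shortest
    handshake wins. This is a simplified model of the rule stated on the page.
    """
    candidates = [
        (PRIORITY_RANK[tier], rtt, name)
        for name, (tier, rtt) in measurements.items()
        if rtt is not None
    ]
    if not candidates:
        return None
    candidates.sort()  # tuple order: priority rank, then response time
    return candidates[0][2]


def probe_gateways(gateways: dict[str, tuple[str, str]]) -> dict[str, tuple[str, Optional[float]]]:
    """Probe each configured gateway (name -> (priority tier, hostname)) and
    return the measurements that select_best_gateway() consumes."""
    return {name: (tier, tcp_connect_time(host)) for name, (tier, host) in gateways.items()}


if __name__ == "__main__":
    # Constructed measurements: the gateway with the lowest raw latency
    # (gw-backup) loses because a higher-priority gateway is reachable, and the
    # unreachable Highest-priority gateway is ignored rather than selected.
    sample = {
        "gw-east": ("Highest", 0.092),
        "gw-west": ("High", 0.031),
        "gw-backup": ("Lowest", 0.010),
        "gw-down": ("Highest", None),
    }
    print(select_best_gateway(sample))
```

Because only the TCP handshake is timed, the measurement is unaffected by how long the gateway takes to process a GlobalProtect request, which is what makes it a stable comparison when the endpoint itself is under load.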

Wildcard Support for Split Tunnel Settings Based on the Application

You can use the wildcard character (*) in the endpoint application path when you configure split tunneling based on the application, for both the exclude and the include lists. You can add up to 200 entries to the list to exclude or include an application's traffic from the VPN tunnel.
When you use a wildcard in an application path in the exclude or include list, GlobalProtect matches the application against the wildcard pattern rather than an exact path, so the entry continues to apply even when the application path changes after a software or patch update.
For example, when you use a wildcard in the path for a third-party application such as Symantec Web Security Service (WSS) or Microsoft Teams, you don't need to manually update the exclude list in the split-tunnel configuration each time the application path changes after a software update.
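To see why a wildcard entry survives an update, here is an added example (written for this page, not GlobalProtect's own matcher) that evaluates exclude and include lists of application paths with `*` wildcards and enforces the 200-entry limit. The matching semantics (a `*` spans directory separators, matching is case-insensitive, `/` and `\` are treated alike) and the exclude-before-include precedence are assumptions of this example; the application paths in the sample are constructed.

```python
from __future__ import annotations

import re

MAX_ENTRIES = 200  # the page: up to 200 entries can be added to the list


def compile_app_pattern(pattern: str) -> re.Pattern[str]:
    """Compile a split-tunnel application path containing '*' wildcards.

    Assumed semantics for this example: '*' matches any run of characters,
    including path separators, so one entry covers a version-numbered
    directory; matching is case-insensitive; '/' and '\\' are equivalent.
    """
    normalised = pattern.replace("/", "\\")
    literal_parts = [re.escape(part) for part in normalised.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


class AppSplitTunnel:
    """Exclude and include lists of application paths, with wildcard support."""

    def __init__(self, exclude: list[str], include: list[str]) -> None:
        for name, entries in (("exclude", exclude), ("include", include)):
            if len(entries) > MAX_ENTRIES:
                raise ValueError(
                    f"{name} list has {len(entries)} entries; the limit is {MAX_ENTRIES}"
                )
        self.exclude = [(entry, compile_app_pattern(entry)) for entry in exclude]
        self.include = [(entry, compile_app_pattern(entry)) for entry in include]

    @staticmethod
    def _first_match(rules: list[tuple[str, re.Pattern[str]]], app_path: str) -> str | None:
        path = app_path.replace("/", "\\")
        for entry, regex in rules:
            if regex.match(path):
                return entry
        return None

    def decision(self, app_path: str) -> str:
        """'exclude': traffic bypasses the tunnel; 'include': traffic goes through
        the tunnel; 'default': no entry matched. Checking exclude first is this
        example's choice, not documented precedence."""
        if self._first_match(self.exclude, app_path):
            return "exclude"
        if self._first_match(self.include, app_path):
            return "include"
        return "default"


if __name__ == "__main__":
    # Constructed entries and paths: the version-numbered directory changes on
    # every update, but the single wildcard entry keeps matching.
    rules = AppSplitTunnel(
        exclude=[
            r"C:\Program Files\WindowsApps\MSTeams_*\ms-teams.exe",
            r"C:\Program Files\Symantec\WSS\*\wssa-ui.exe",
        ],
        include=[r"C:\Program Files\Corp\*.exe"],
    )
    for path in (
        r"C:\Program Files\WindowsApps\MSTeams_24193.1805.3305.8875_x64__8wekyb3d8bbwe\ms-teams.exe",
        r"C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teams.exe",
        r"C:\Program Files\Corp\tools\inventory.exe",
        r"C:\Program Files\Other\thing.exe",
    ):
        print(rules.decision(path), path)
```

Keep wildcard entries as specific as the vendor's install layout allows; a pattern such as `C:\Program Files\*\*.exe` would match far more than the one application you intend to exempt from the tunnel.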

Enhancements for Authentication Using Smart Cards

Enhancements for Authentication Using Smart Cards on macOS Endpoints
The smart card authentication enhancements are now extended to endpoints running macOS.
The smart card authentication method now includes an authentication fallback mechanism for when the smart card is not available to authenticate users to the GlobalProtect app.
When you configure smart card authentication for end users and the configured smart card is not available, user authentication now falls back to any other username and password authentication method that you have configured for the app.
The smart card authentication fallback occurs only if you selected the Allow Authentication with User Credentials OR Client Certificate option when configuring the GlobalProtect gateway and portal. This option defines whether users can authenticate to the portal or gateway using credentials and/or client certificates. Because the option is an OR, a user without the smart card can authenticate with credentials alone, so enable it only where that level of assurance is acceptable.
Enhancements for Authentication Using Smart Cards on Windows Endpoints
You can predeploy customized Windows Registry key values for the profile options <PIV> and <NO PIV>.

Improvements for Multi Authentication CIE Experience

When CIE (SAML) multi-authentication is configured as the authentication method for the GlobalProtect app, end users are no longer required to re-enter their single sign-on (SSO) credentials when they authenticate to the app.
To enable this feature, predeploy the registry key CASSKIPHUBPAGE (path: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings) on the Windows endpoints.
After you enable this feature, end users are not prompted to enter their SAML credentials when authenticating to the app through either the embedded browser or the default browser. This feature is supported only on Windows.

Features Introduced in GlobalProtect App 6.3.0

The following new features are introduced in GlobalProtect app 6.3.0.

Enhanced HIP Remediation Process Improvements

You can now configure the GlobalProtect app to rerun the HIP remediation script whenever the endpoint fails the process check after the configured HIP remediation process has run.
When the process check still fails after the HIP remediation timeout period, the app reruns the remediation script to help the endpoint recover from the HIP check failure. The number of reruns is governed by the HIP Process Remediation Retry count that you configure in the app settings of the GlobalProtect portal. When this feature is enabled, the app resubmits the HIP report only after it has rerun the HIP remediation script for the failed check.
For example, if you configure a retry count of 3 and a remediation timeout of 5 minutes in the portal configuration, then each time the endpoint fails the process check after remediation, the app reruns the script up to three times, waiting up to 5 minutes after each run for the process check to pass, before it submits the HIP report.
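The interaction between the retry count and the timeout determines how long a non-compliant endpoint can sit before its HIP report reaches the gateway. The following is an added illustrative model written for this page (not GlobalProtect code) that simulates that loop; the reading of the retry count as the maximum number of script runs, the polling interval, and the fake endpoint whose process only starts after a second script run are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class RemediationOutcome:
    passed: bool                 # did the process check eventually pass
    script_runs: int             # how many times the remediation script ran
    simulated_wait: float        # total seconds spent waiting on the process check
    hip_report_submitted: bool   # the report goes out once remediation is done
    log: list[str] = field(default_factory=list)


def remediate_with_retries(
    run_script: Callable[[], None],
    process_check: Callable[[], bool],
    retry_count: int,
    timeout_seconds: float,
    poll_interval: float = 30.0,
) -> RemediationOutcome:
    """Model of the rerun behaviour (illustrative, not GlobalProtect code).

    The process check is evaluated first. While it fails and runs remain, the
    script is (re)run and the app waits up to timeout_seconds, polling every
    poll_interval, for the check to pass. retry_count is read here as the
    maximum number of script runs, matching the page's "runs the script three
    times" for a count of 3. Waiting is simulated by counting, not by sleeping.
    """
    runs = 0
    waited = 0.0
    log: list[str] = []
    passed = process_check()
    while not passed and runs < retry_count:
        run_script()
        runs += 1
        elapsed = 0.0
        while elapsed < timeout_seconds:
            elapsed += poll_interval
            waited += poll_interval
            if process_check():
                passed = True
                break
        log.append(f"run {runs}: {'pass' if passed else 'fail after timeout'}")
    # Per the page, the HIP report is (re)submitted only after the rerun cycle,
    # whether the check finally passed or the retries were exhausted.
    return RemediationOutcome(passed, runs, waited, True, log)


def make_fake_endpoint(passes_after_runs: int):
    """Constructed endpoint whose process check passes only once the script has
    run passes_after_runs times (for example, a service that needs a second start)."""
    state = {"runs": 0}

    def run_script() -> None:
        state["runs"] += 1

    def process_check() -> bool:
        return state["runs"] >= passes_after_runs

    return run_script, process_check


if __name__ == "__main__":
    run, check = make_fake_endpoint(2)
    outcome = remediate_with_retries(run, check, retry_count=3, timeout_seconds=300)
    print(outcome)
```

With a retry count of 3 and a 5-minute timeout, an endpoint whose remediation never succeeds spends 15 minutes of simulated time in the loop before its failing HIP report is submitted; size both settings with that worst case in mind.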

Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts

You can now use the GlobalProtect app with a smart card and ActivClient software without entering the smart card PIN multiple times when the Connect Before Logon (CBL) connection method is configured for the app.
Previously, when ActivClient was installed on the device and Connect Before Logon was configured for the GlobalProtect app, end users were prompted for the smart card PIN multiple times while connecting using the CBL method.
This enhancement removes the duplicate smart card PIN prompts from the Windows identity provider and from ActivClient when connecting the GlobalProtect app with a smart card and ActivClient. The app now prompts for the PIN only once, and that prompt comes from the ActivClient software.

Enhancements for Authentication Using Smart Cards-Authentication Fallback

The smart card authentication method now includes an authentication fallback mechanism for when the smart card is not available to authenticate users to the GlobalProtect app.
When you configure smart card authentication for end users and the configured smart card is not available, user authentication now falls back to any other username and password authentication method that you have configured for the app.
The smart card authentication fallback occurs only if you selected the Allow Authentication with User Credentials OR Client Certificate option when configuring the GlobalProtect gateway and portal. This option defines whether users can authenticate to the portal or gateway using credentials and/or client certificates.

Intelligent Portal

Learn how users are routed to the appropriate Prisma Access portal based on their location.
Corporate users travel between countries for work. The intelligent portal selection feature automatically selects the appropriate portal as a user moves between countries, for seamless and secure connectivity. After you configure intelligent portal in your environment, the app routes the user to the appropriate Prisma Access portal for the country they are in. For example, a user who travels to China is directed to the China Prisma Access portal, and to the North America portal when in the United States. This eliminates manual portal selection and improves the end-user experience.
The intelligent portal feature is supported for the Always-On and Always-On (Pre-logon) connect methods. It is supported with Connect Before Logon only if no portal addresses are defined.
You can deploy GlobalProtect with this feature enabled, or add the entries to the Windows Registry or the macOS plist file. For more information, see Configure Intelligent Portal.

Connect to GlobalProtect App with IPSec Only

Learn how to choose the tunnel connection option for the GlobalProtect app.
To meet Federal Government compliance requirements, you can prevent the GlobalProtect app from falling back to an SSL tunnel when the IPSec tunnel fails. If IPSec is not configured on the gateway, the app stays disconnected rather than connecting over SSL.
The existing Connect with SSL Only option and the new Connect with IPSec Only option are combined under the single portal configuration setting Advanced Control for Tunnel Mode Behavior. For more information, see step 5 in Customize the GlobalProtect App.

Embedded Browser Framework Upgrade

Learn about WebView2 and WKWebView.
Starting with GlobalProtect 6.3, the embedded browser framework for SAML authentication is Microsoft Edge WebView2 on Windows and WKWebView on macOS. This provides a consistent experience between the embedded browser and the GlobalProtect client. WebView2 is also compatible with FIDO2-based authentication methods. For more information, refer to the Microsoft Edge WebView2 documentation.
By default, tenants using SAML authentication use the embedded WebView2 (Windows) or WKWebView (macOS) browser instead of the system's default browser. With this enhancement, you no longer need to configure a SAML landing page, and end users no longer have to close the browser manually after authenticating. This streamlines the authentication process.