Agent Behavior Options

The following table lists the options that you can configure in the Windows registry and Mac plist to customize the behavior of the GlobalProtect agent.
Customizable Agent Behavior Options
| Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default |
| --- | --- | --- | --- |
| Connect Method | `connect-method on-demand \| pre-logon \| user-logon` | `CONNECTMETHOD="on-demand \| pre-logon \| user-logon"` | user-logon |
| GlobalProtect App Config Refresh Interval (hours) | `refresh-config-interval <hours>` | `REFRESHCONFIGINTERVAL="<hours>"` | 24 |
| Update DNS Settings at Connect (Windows Only) | `flushdns yes \| no` | `FLUSHDNS="yes \| no"` | no |
| Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only) | `wscautodetect yes \| no` | `WSCAUTODETECT="yes \| no"` | no |
| Detect Proxy for Each Connection (Windows Only) | `ProxyMultipleAutoDetection yes \| no` | `PROXYMULTIPLEAUTODETECTION="yes \| no"` | no |
| Clear Single Sign-On Credentials on Logout (Windows Only) | `LogoutRemoveSSO yes \| no` | `LOGOUTREMOVESSO="yes \| no"` | yes |
| Use Default Authentication on Kerberos Authentication Failure (Windows Only) | `krb-auth-fail-fallback yes \| no` | `KRBAUTHFAILFALLBACK="yes \| no"` | no |
| Custom Password Expiration Message (LDAP Authentication Only) | `PasswordExpiryMessage <message>` | `PASSWORDEXPIRYMESSAGE="<message>"` | |
| Portal Connection Timeout (sec) | `PortalTimeout <portaltimeout>` | `PORTALTIMEOUT="<portaltimeout>"` | 30 |
| TCP Connection Timeout (sec) | `ConnectTimeout <connecttimeout>` | `CONNECTTIMEOUT="<connecttimeout>"` | 60 |
| TCP Receive Timeout (sec) | `ReceiveTimeout <receivetimeout>` | `RECEIVETIMEOUT="<receivetimeout>"` | 30 |
| Client Certificate Store Lookup | `certificate-store-lookup user \| machine \| user and machine \| invalid` | `CERTIFICATESTORELOOKUP="user \| machine \| user and machine \| invalid"` | user and machine |
| SCEP Certificate Renewal Period (days) | `scep-certificate-renewal-period <renewalPeriod>` | n/a | 7 |
| Maximum Internal Gateway Connection Attempts | `max-internal-gateway-connection-attempts <maxValue>` | `MIGCA="<maxValue>"` | 0 |
| Extended Key Usage OID for Client Certificate | `ext-key-usage-oid-for-client-cert <oidValue>` | `EXTCERTOID="<oidValue>"` | n/a |
| User Switch Tunnel Rename Timeout (sec) | `user-switch-tunnel-rename-timeout <renameTimeout>` | n/a | 0 |
| Use Single Sign-On (Windows Only) | `use-sso yes \| no` | `USESSO="yes \| no"` | yes |
| Not in portal. This setting specifies the default portal IP address (or hostname). | `portal <IPaddress>` | `PORTAL="<IPaddress>"` | n/a |
| Not in portal. This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal. | `prelogon 1` | `PRELOGON="1"` | 1 |
| Windows only/Not in portal. This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt the user for credentials if SSO fails. | `can-prompt-user-credential yes \| no` | `CANPROMPTUSERCREDENTIAL="yes \| no"` | yes |
| Windows only/Not in portal. This setting filters the third-party credential provider's tile from the Windows login page so that only the native Windows tile is displayed.* | `wrap-cp-guid {third party credential provider guid}` | `WRAPCPGUID="{guid_value}" FILTERNONGPCP="yes \| no"` | no |
| Windows only/Not in portal. This setting is an additional option for the setting wrap-cp-guid, and allows the third-party credential provider tile to be displayed on the Windows login page, in addition to the native Windows logon tile.* | `filter-non-gpcp no` | n/a | n/a |

*For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Endpoints.
