End-of-Life (EoL)
Customize the GlobalProtect Agent
The portal agent configuration allows you to customize how your end users interact with the GlobalProtect agents installed on their systems or the GlobalProtect app installed on their mobile devices. You can define different agent settings for the different GlobalProtect agent configurations you create. For more information on GlobalProtect client requirements, see What Client OS Versions are Supported with GlobalProtect?
You can customize the display and behavior of the agent. For example, you can specify the following:
- What menus and views users can access.
- Whether users can disable the agent (applies to the user-logon connect method only).
- Whether to display a welcome page upon successful login. You can also configure whether or not the user can dismiss the welcome page, and you can create custom welcome and help pages that explain how to use GlobalProtect within your environment. See Customize the GlobalProtect Portal Login, Welcome, and Help Pages.
- Whether agent upgrades occur automatically or whether users are prompted to upgrade.
- Whether to prompt users when multi-factor authentication is needed to access sensitive network resources.
You can also define agent settings directly from the Windows registry or the global Mac plist. For Windows clients you can also define agent settings directly from the Windows installer (Msiexec). Settings defined in the portal agent configurations in the web interface take precedence over settings defined in the Windows registry/Msiexec or the Mac plist. For more details, see Deploy Agent Settings Transparently.
Additional options that are available only through the Windows command line (Msiexec) or the Windows registry enable you to do the following (for more information, see Customizable Agent Settings):
- Specify whether the agent should prompt the end user for credentials if Windows SSO fails.
- Specify the default portal IP address (or hostname).
- Enable GlobalProtect to initiate a VPN connection before the user logs into the endpoint.
- Deploy scripts that run before or after GlobalProtect establishes a VPN connection or after GlobalProtect disconnects the VPN connection.
- Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for SSO when using a third-party credential provider.
Use the following procedure to customize the GlobalProtect agent.
1. Select the Agent tab in the agent configuration you want to customize. You can also configure most settings that are on the App tab from a group policy by adding settings to the Windows registry/Mac plist. On Windows systems, you can also set them using the Msiexec utility on the command line during the agent installation. However, settings defined in the web interface or the CLI take precedence over registry/plist settings. See Deploy Agent Settings Transparently for details.
   - Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add an agent configuration (or Add a new configuration).
   - Select the Agent tab and select the configuration you want to modify (or Add a new configuration).
   - Select the App tab. The App Configurations area displays the options with default values that you can customize for each agent configuration. When you change the default behavior, the web interface changes the color from gray to the default text color.
2. Specify the Connect Method that an agent or app uses for its GlobalProtect connection. Use the Pre-logon (Always On), Pre-logon then On-demand, or User-logon (Always On) connect method to access the network using an internal gateway. In the App Configurations area, configure any of the following options:
   - Select a Connect Method:
     - User-logon (Always On)—The GlobalProtect agent automatically connects to the portal as soon as the user logs in to the endpoint (or domain). When used in conjunction with SSO (Windows users only), GlobalProtect login is transparent to the end user. On iOS endpoints, this setting prevents one-time password (OTP) applications from working because GlobalProtect forces all traffic to go through the tunnel.
     - Pre-logon (Always On)—Authenticates the user and establishes a VPN tunnel to the GlobalProtect gateway before the user logs in to the client. This option requires that you use an external PKI solution to pre-deploy a machine certificate to each endpoint that receives this configuration. See Remote Access VPN with Pre-Logon for details about pre-logon.
     - On-demand (Manual user initiated connection)—Users must manually launch the agent to connect to GlobalProtect. Use this connect method for external gateways only.
     - Pre-logon then On-demand—Similar to the Pre-logon (Always On) connect method, this connect method (which requires Content Release version 590-3397 or later) enables the GlobalProtect agent to authenticate the user and establish a VPN tunnel to the GlobalProtect gateway before the user logs in to the client. Unlike the pre-logon connect method, after the user logs in to the client, users must manually launch the agent to connect to GlobalProtect if the connection is terminated for any reason. The benefit of this option is that you can allow a user to specify a new password after password expiration, or after the user forgets their password, but still require the user to manually initiate the connection after logging in.
3. Specify whether to enforce GlobalProtect connections for network access. To enforce GlobalProtect for network access, we recommend that you enable this feature only for users that connect in User-logon or Pre-logon modes. Users that connect in On-demand mode may not be able to establish a connection within the permitted grace periods. In the App Configurations area, configure any of the following options:
   - To force all network traffic to traverse a GlobalProtect tunnel, set Enforce GlobalProtect Connection for Network Access to Yes. By default, GlobalProtect is not required for network access, meaning users can still access the internet if GlobalProtect is disabled or disconnected. To provide instructions to users before traffic is blocked, configure a Traffic Blocking Notification Message and optionally specify when to display the message (Traffic Blocking Notification Delay). When Enforce GlobalProtect Connection for Network Access is enabled, you may want to consider allowing users to disable the GlobalProtect agent with a passcode. The Enforce GlobalProtect Connection for Network Access feature enhances network security by requiring a GlobalProtect VPN connection for network access. On rare occasions, devices may fail to connect to the VPN and require remote administrative login for troubleshooting. By disabling the GlobalProtect agent (for Windows or Mac) using the passcode provided by the administrator during the troubleshooting session, the user can allow administrators to connect to the device remotely.
   - To permit traffic required to establish a connection with a captive portal, specify a Captive Portal Exception Timeout. The user must authenticate with the portal before the timeout expires. To provide additional instructions, configure a Captive Portal Detection Message.
   These features require Content Release version 607-3486 or later.
4. Specify additional GlobalProtect connection settings. With single sign-on (SSO) enabled (the default), the GlobalProtect agent uses the user’s Windows login credentials to automatically authenticate to and connect to the GlobalProtect portal and gateway. GlobalProtect with SSO enabled also allows the GlobalProtect agent to wrap third-party credentials to ensure that Windows users can authenticate and connect, even when a third-party credential provider is being used to wrap the Windows login credentials. In the App Configurations area, configure any of the following options:
   - (Windows only) Set Use Single Sign-On to No to disallow GlobalProtect from using the Windows login credentials to automatically authenticate the user upon login to Active Directory. If you configure the GlobalProtect gateway to authenticate users through SAML authentication and also generate and accept cookies for authentication override, you must set the Use Single Sign-On option to No when the user’s Windows username is different from his or her SAML username (for example, the Windows username is “user” and the SAML username is “user123”) or if one username contains a fully qualified domain name (for example, the Windows username is “user” and the SAML username is “user@example.com”).
   - Enter the Maximum Internal Gateway Connection Attempts to specify the number of times the GlobalProtect agent should retry the connection to an internal gateway after the first attempt fails (range is 0-100; 4 or 5 is recommended; default is 0, which means the GlobalProtect agent does not retry the connection). By increasing the value, you enable the agent to connect to an internal gateway that is temporarily down or unreachable during the first connection attempt but comes back up before the specified number of retries is exhausted. Increasing the value also ensures that the internal gateway receives the most up-to-date user and host information.
   - Enter the GlobalProtect App Config Refresh Interval (hours) to specify the number of hours the GlobalProtect portal waits before it initiates the next refresh of a client’s configuration (range is 1-168; default is 24).
   - Specify whether to Retain Connection on Smart Card Removal. By default, the option is set to Yes, meaning GlobalProtect retains the tunnel when a user removes a smart card containing a client certificate. To terminate the tunnel, set this option to No. The decision on whether to retain the connection depends on your security requirements. This feature requires Content Release version 590-3397 or a later version.
   - Configure an Automatic Restoration of VPN Connection Timeout to specify the action GlobalProtect takes when the tunnel is disconnected by entering a timeout value in minutes from 0 to 180; the default is 30. A value of 0 disables this feature so that GlobalProtect does not attempt to reconnect after the tunnel is disconnected. When you specify a value of 1-180 minutes, GlobalProtect attempts to reestablish the tunnel connection if the tunnel is down for a period of time that does not exceed the timeout value you specify here. For example, with a timeout value of 30 minutes, GlobalProtect does not attempt to reconnect if the tunnel is disconnected for 45 minutes. However, if the tunnel is disconnected for 15 minutes, GlobalProtect attempts to reconnect because the number of minutes has not exceeded the timeout value. When you enable Automatic Restoration of VPN Connection Timeout, you can also adjust the amount of time in seconds GlobalProtect waits between attempts to restore the connection by configuring the Wait Time Between VPN Connection Restore Attempts. The range is 1 to 60 seconds; the default is 5. With Always-On VPN, if a user switches from an external network to an internal network before the timeout value expires, GlobalProtect does not perform network discovery. As a result, GlobalProtect restores the connection to the last known external gateway. To trigger internal host detection, the user must select Rediscover Network from the GlobalProtect console.
5. Configure the menus and UI views that are available to users who have this agent configuration. Configure any or all of the following options:
   - If you want users to be able to see only basic status information within the application, set Enable Advanced View to No. By default, the advanced view is enabled. It allows users to see detailed statistical, host, and troubleshooting information and to perform certain tasks, such as changing their password.
   - If you want to hide the GlobalProtect agent on end-user systems, set Display GlobalProtect Icon to No. When the icon is hidden, users cannot perform other tasks such as changing passwords, rediscovering the network, resubmitting host information, viewing troubleshooting information, or performing an on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs will still display as necessary for interacting with the end user.
   - To prevent users from performing a network rediscovery, set the Enable Rediscover Network Option to No. When you disable the option, it is grayed out in the GlobalProtect menu.
   - To prevent users from manually resubmitting HIP data to the gateway, set Enable Resubmit Host Profile Option to No. This option is enabled by default, and leaving it enabled is useful in cases where HIP-based security policy prevents users from accessing resources, because it allows the user to fix the compliance issue on the computer and then resubmit the HIP.
   - (Windows only) To allow GlobalProtect to display notifications in the notification area (system tray), set Show System Tray Notifications to Yes.
   - To create a custom message to display to users when their password is about to expire, configure the Custom Password Expiration Message (LDAP Authentication Only). The maximum message length is 200 characters.
6. Define what the end users with this configuration can do in their client.
   - Set Allow User to Change Portal Address to No to disable the Portal field on the Home tab in the GlobalProtect agent. Because the user will then be unable to specify a portal to which to connect, you must supply the default portal address in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal) or the Mac plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist with key Portal under dictionary PanSetup). For more information, see Deploy Agent Settings Transparently.
   - To prevent users from dismissing the welcome page, set Allow User to Dismiss Welcome Page to No. Otherwise, when set to Yes, the user can dismiss the welcome page and prevent GlobalProtect from displaying the page after subsequent logins.
7. Specify whether users can disable the GlobalProtect agent. The Allow User to Disable GlobalProtect option applies to agent configurations that have the Connect Method set to User-Logon (Always On). In user-logon mode, the agent or app automatically connects to GlobalProtect as soon as the user logs in to the endpoint. This mode is sometimes referred to as “always on,” which is why the user must override this behavior to disable the GlobalProtect client. By default, this option is set to Allow, which permits users to disable GlobalProtect without providing a comment, passcode, or ticket number. If the agent icon is not visible, users are not able to disable the GlobalProtect client. See step 5 for details.
   - To prevent users with the user-logon connect method from disabling GlobalProtect, set Allow User to Disable GlobalProtect to Disallow.
   - To allow users to disable GlobalProtect if they provide a passcode, set Allow User to Disable GlobalProtect to Allow with Passcode. Then, in the Disable GlobalProtect App area, enter (and confirm) the Passcode that the end users must supply.
   - To allow users to disconnect if they provide a ticket, set Allow User to Disable GlobalProtect to Allow with Ticket. With this option, the disconnect action triggers the agent to generate a Request Number. The end user must then communicate the Request Number to the administrator. The administrator then clicks Generate Ticket on the Network > GlobalProtect > Portals page and enters the request number from the user to generate the ticket. The administrator then provides the ticket to the end user, who enters it into the Disable GlobalProtect dialog to enable the agent to disconnect.
   - To limit the number of times users can disable the GlobalProtect client, enter a value in the Max Times User Can Disable field in the Disable GlobalProtect App area. A value of 0 (the default) indicates that users are not limited in the number of times they can disable the client. This setting is applicable only with the Allow, Allow with Comment, and Allow with Passcode disable options. If your users disable the GlobalProtect client the maximum number of times and must continue to have the ability to disable the client thereafter:
     - You can increase the Max Times User Can Disable value in the GlobalProtect portal agent configuration (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App). The user must then select Rediscover Network or establish a new GlobalProtect connection in order for the new value to take effect.
     - Users can reset the counter by reinstalling the client.
   - To restrict how long the user may be disconnected, enter a value (in minutes) in the User Can Disable Timeout (min) field in the Disable GlobalProtect App area. A value of 0 (the default) means that there is no restriction on how long the user can keep the client disabled. This setting is applicable only with the Allow, Allow with Comment, and Allow with Passcode disable options.
8. Configure the certificate settings and behavior for the users that receive this configuration.
   - Client Certificate Store Lookup—Select which store the agent should use to look up client certificates. User certificates are stored in the Current User certificate store on Windows and in the Personal Keychain on Mac OS. Machine certificates are stored in the Local Computer certificate store on Windows and in the System Keychain on Mac OS. By default, the agent looks for User and machine certificates in both places.
   - SCEP Certificate Renewal Period (days)—With SCEP, the portal can request a new client certificate before the certificate expires. This time before the certificate expires is the optional SCEP certificate renewal period. During a configurable number of days before a client certificate expires, the portal can request a new certificate from the SCEP server in your enterprise PKI (range is 0-30; default is 7). A value of 0 means the portal does not automatically renew the client certificate when it refreshes the agent configuration. For an agent or app to obtain the new certificate during the renewal period, the user must log in to the GlobalProtect client. For example, if a client certificate has a lifespan of 90 days, the certificate renewal period is 7 days, and the user logs in during the final 7 days of the certificate lifespan, the portal acquires a new certificate and deploys it along with a fresh agent configuration. For more information, see Deploy User-Specific Client Certificates for Authentication.
   - Extended Key Usage OID for Client Certificate (Windows and Mac endpoints only)—Use this option only if you enabled client authentication, expect multiple client certificates to be present on the endpoint, and have identified a secondary purpose by which you can filter the client certificates. This option enables you to specify a secondary purpose for a client certificate using the associated object identifier (OID). For example, to display only client certificates that also have a purpose of Server Authentication, enter the OID 1.3.6.1.5.5.7.3.1. When the GlobalProtect agent finds only one client certificate that matches the secondary purpose, GlobalProtect automatically selects and authenticates using that certificate. Otherwise, GlobalProtect prompts the user to select the client certificate from the filtered list of client certificates that match the criteria. For more information, including a list of common certificate purposes and OIDs, see the PAN-OS 7.1 New Features Guide.
   - If you do not want the agent to establish a connection with the portal when the portal certificate is not valid, set Allow User to Continue with Invalid Portal Server Certificate to No. Keep in mind that the portal provides the agent configuration only; it does not provide network access, and therefore security to the portal is less critical than security to the gateway. However, if you have deployed a trusted server certificate for the portal, setting this option to No can help prevent man-in-the-middle (MITM) attacks.
9. Specify whether users receive login prompts when multi-factor authentication is required to access sensitive network resources. For internal gateway connections, sensitive network resources (for example, financial applications or software development applications) may require additional authentication. You can configure GlobalProtect clients to display the authentication prompts required to access these resources. Refer to Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications for more information.
   - Set Enable Inbound Authentication Prompts from MFA Gateways to Yes. To support multi-factor authentication (MFA), a GlobalProtect client must receive and acknowledge UDP prompts that are inbound from the gateway. Select Yes to enable a GlobalProtect client to receive and acknowledge the prompt. By default, the value is set to No, meaning GlobalProtect will block UDP prompts from the gateway.
   - In Network Port for Inbound Authentication Prompts (UDP), specify the port number a GlobalProtect client uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number from 1 to 65535.
   - In Trusted MFA Gateways, specify the list of authentication gateways a GlobalProtect client will trust for multi-factor authentication. When a GlobalProtect client receives a UDP message on the specified network port, GlobalProtect displays an authentication message only if the UDP prompt comes from a trusted gateway.
   - Configure the Inbound Authentication Message (for example: You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at). When users try to access a resource that requires additional authentication, GlobalProtect receives an inbound authentication prompt and displays this message. GlobalProtect automatically appends the URL for the Authentication Portal page you specify when you configure multi-factor authentication to the inbound authentication message.
10. (Windows only) Configure settings for Windows-based endpoints that receive this configuration.
   - Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only)—Configure the DNS resolution preferences for the GlobalProtect tunnel. Select No to allow Windows endpoints to send DNS queries to the DNS server set on the physical adapter if the initial query to the DNS server configured on the gateway is not resolved. This option retains the native Windows behavior to query all DNS servers on all adapters recursively but can result in long wait times to resolve some DNS queries. Select Yes (default) to allow Windows endpoints to resolve all DNS queries with the DNS servers you configure on the gateway instead of allowing the endpoint to send some DNS queries to the DNS servers set on the physical adapter. This feature does not support DNS over TCP. This feature requires Content Release version 731 or later and is available for GlobalProtect agent 4.0.3 and later. To configure DNS settings for GlobalProtect agent 4.0.2 and earlier releases, use the Update DNS Settings at Connect option.
   - Update DNS Settings at Connect—Select Yes to enable the Windows endpoint to resolve all DNS queries with the DNS servers you configure for the gateway instead of the DNS servers set for the physical adapter on the endpoint. When you enable this option, GlobalProtect strictly enforces the gateway DNS settings and overrides the static settings for all physical adapters. This is useful when a Windows endpoint fails to resolve a DNS query sent to the DNS server configured on the physical adapter instead of on the GlobalProtect tunnel adapter. Select No (the default) to allow Windows endpoints to send DNS queries to the DNS server set on the physical adapter if the initial query to the DNS server configured on the gateway is not resolved. This option retains the native Windows behavior to query all DNS servers on all adapters recursively but can result in long wait times to resolve some DNS queries. This feature is deprecated in 4.0.3 and later releases. To configure DNS resolution settings for GlobalProtect agent 4.0.3 and later releases, use the Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only) option.
   - Send HIP Report Immediately if Windows Security Center (WSC) State Changes—Select No to prevent the GlobalProtect agent from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
   - Detect Proxy for Each Connection—Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.
   - Clear Single Sign-On Credentials on Logout—Select No to keep single sign-on credentials when the user logs out. Select Yes (default) to clear them and force the user to enter credentials upon the next login.
   - Use Default Authentication on Kerberos Authentication Failure—Select No to use only Kerberos authentication. Select Yes (default) to retry using the default authentication method after authentication using Kerberos fails.
11. If your endpoints frequently experience latency or slowness when connecting to the GlobalProtect portal or gateways, consider adjusting the portal and TCP timeout values. To allow more time for your endpoints to connect to or receive data from the portal or gateway, increase the timeout values as needed. Keep in mind that increasing the values can result in longer wait times if the GlobalProtect agent is unable to establish the connection. In contrast, decreasing the values can prevent the GlobalProtect agent from establishing a connection when the portal or gateway does not respond before the timeout expires. Configure values for any of the following options:
   - Portal Connection Timeout (sec)—The number of seconds (between 1 and 600) before a connection request to the portal times out due to no response from the portal. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 30. Starting with content version 777-4484, the default is 5.
   - TCP Connection Timeout (sec)—The number of seconds (between 1 and 600) before a TCP connection request times out due to unresponsiveness from either end of the connection. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 60. Starting with content version 777-4484, the default is 5.
   - TCP Receive Timeout (sec)—The number of seconds before a TCP connection times out due to the absence of some partial response to a TCP request (range is 1-600; default is 30).
12. Specify whether remote desktop connections are permitted over existing VPN tunnels by specifying the User Switch Tunnel Rename Timeout. When a new user connects to a Windows machine using Remote Desktop Protocol (RDP), the gateway reassigns the VPN tunnel to the new user. The gateway can then enforce security policies on the new user. Allowing remote desktop connections over VPN tunnels can be useful in situations where an IT administrator needs to access a remote end-user system using RDP. By default, the User Switch Tunnel Rename Timeout field is set to 0, meaning the GlobalProtect gateway terminates the connection if a new user authenticates over the VPN tunnel. To modify this behavior, configure a timeout value from 1 to 600 seconds. If the new user does not log in to the gateway before the timeout value expires, the GlobalProtect gateway terminates the VPN tunnel assigned to the first user. Changing the User Switch Tunnel Rename Timeout value only affects the RDP tunnel and does not rename a pre-logon tunnel when configured.
13. Specify how GlobalProtect agent upgrades occur. If you want to control when users can upgrade, you can customize the agent upgrade on a per-configuration basis. For example, if you want to test a release on a small group of users before deploying it to your entire user base, you can create a configuration that applies to users in your IT group only, allowing them to upgrade and test, and disable upgrades in all other user/group configurations. Then, after you have thoroughly tested the new version, you can modify the agent configurations for the rest of your users to allow the upgrade. By default, the Allow User to Upgrade GlobalProtect App field is set to prompt the end user to upgrade. To modify this behavior, select one of the following options:
   - Allow Transparently—Upgrades occur automatically without interaction with the user. Upgrades can occur when the user is working remotely or connected from within the corporate network.
   - Internal—Upgrades occur automatically without interaction with the user, provided the user is connected from within the corporate network. This setting is recommended to prevent slow upgrades in low-bandwidth situations. When a user connects outside the corporate network, the upgrade is postponed and re-activated later when the user connects from within the corporate network. You must configure internal gateways and internal host detection to use this option.
   - To prevent agent upgrades, select Disallow.
   - To allow end users to initiate agent upgrades, select Allow Manually. In this case, the user would select the Check Version option in the agent to determine if there is a new agent version and then upgrade if desired. Note that this option will not work if the GlobalProtect agent is hidden from the user. See step 5 for details on the Display GlobalProtect Icon option.
   Upgrades for Allow Transparently and Internal occur only if the GlobalProtect software version on the portal is more recent than the GlobalProtect software version on the endpoint. For example, a GlobalProtect 3.1.3 agent connecting to a GlobalProtect 3.1.1 portal is not upgraded.
14. Specify whether to display a welcome page upon successful login. A welcome page can be a useful way to direct users to internal resources that they can only access when connected to GlobalProtect, such as your intranet or other internal servers. By default, the only indication that the agent has successfully connected to GlobalProtect is a balloon message that displays in the system tray/menubar. To display a welcome page after a successful login, select factory-default from the Welcome Page drop-down on the right. GlobalProtect displays the welcome page in the default browser on Windows, Mac, and Chromebook endpoints, or within the GlobalProtect app on mobile devices. You can also select a custom welcome page that provides information specific to your users, or to a specific group of users (based on which portal configuration gets deployed). For details on creating custom pages, see Customize the GlobalProtect Portal Login, Welcome, and Help Pages.
15. Save the agent configuration settings.
   - If you are done creating agent configurations, click OK to close the Configs dialog. Otherwise, for instructions on completing the agent configurations, return to Define the GlobalProtect Agent Configurations.
   - If you are done configuring the portal, click OK to close the GlobalProtect Portal Configuration dialog.
   - When you finish the portal configuration, Commit the changes.
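The certificate-filtering rule behind the Extended Key Usage OID for Client Certificate option in the certificate settings step, written out in Go as an added example (this is not GlobalProtect's own code): candidates that lack the secondary purpose OID are dropped, a single remaining certificate is chosen automatically, and anything else is handed back so the caller can prompt the user. The test certificates, their common names, and the HasEKU, SelectClientCert and NewTestCert helpers are all constructed for this example, and the candidate list is assumed to already hold only the client certificates found in the configured store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs for the two key purposes used here. OIDServerAuth is the Server
// Authentication OID quoted in the procedure (1.3.6.1.5.5.7.3.1).
var (
	OIDServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
	OIDClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
)

// knownEKU maps the purposes Go decodes into cert.ExtKeyUsage back to OIDs.
var knownEKU = map[x509.ExtKeyUsage]asn1.ObjectIdentifier{
	x509.ExtKeyUsageServerAuth: OIDServerAuth,
	x509.ExtKeyUsageClientAuth: OIDClientAuth,
}

// HasEKU reports whether cert carries the extended key usage oid. Go parses
// well-known purposes into ExtKeyUsage and any other OID into
// UnknownExtKeyUsage, so both lists are checked.
func HasEKU(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, u := range cert.ExtKeyUsage {
		if known, ok := knownEKU[u]; ok && known.Equal(oid) {
			return true
		}
	}
	for _, u := range cert.UnknownExtKeyUsage {
		if u.Equal(oid) {
			return true
		}
	}
	return false
}

// SelectClientCert applies the option's rule: keep only the client
// certificates that also carry secondaryOID, auto-select when exactly one
// remains, otherwise return the filtered list for a user prompt. An empty
// secondaryOID means the option is unset and nothing is filtered out.
func SelectClientCert(candidates []*x509.Certificate, secondaryOID asn1.ObjectIdentifier) (auto *x509.Certificate, prompt []*x509.Certificate) {
	var filtered []*x509.Certificate
	for _, c := range candidates {
		if len(secondaryOID) == 0 || HasEKU(c, secondaryOID) {
			filtered = append(filtered, c)
		}
	}
	if len(filtered) == 1 {
		return filtered[0], nil
	}
	return nil, filtered
}

// NewTestCert builds a self-signed certificate with the given purposes.
// Constructed test data only; real client certificates come from the
// enterprise PKI (for example via SCEP, as the procedure describes).
func NewTestCert(cn string, purposes ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  purposes,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Two client certificates in the store; only one also has Server Authentication.
	clientOnly, _ := NewTestCert("user-client-only", x509.ExtKeyUsageClientAuth)
	dual, _ := NewTestCert("user-dual-purpose", x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth)
	store := []*x509.Certificate{clientOnly, dual}

	if auto, prompt := SelectClientCert(store, OIDServerAuth); auto != nil {
		fmt.Println("auto-selected:", auto.Subject.CommonName)
	} else {
		fmt.Println("prompt user to choose among", len(prompt), "certificates")
	}
}
```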