End-of-Life (EoL)

App Behavior Options

The following table lists the options that you can configure in the Windows Registry and macOS plist to customize the behavior of the GlobalProtect app.
Table: Customizable App Behavior Options
Portal Agent Configuration: Connect Method
Windows Registry/macOS Plist: connect-method on-demand | pre-logon | user-logon
Msiexec Parameter: CONNECTMETHOD="on-demand | pre-logon | user-logon"
Default: user-logon

Portal Agent Configuration: GlobalProtect App Config Refresh Interval (hours)
Windows Registry/macOS Plist: refresh-config-interval <hours>
Msiexec Parameter: REFRESHCONFIGINTERVAL="<hours>"
Default: 24

Portal Agent Configuration: Update DNS Settings at Connect (Windows Only)
Windows Registry/macOS Plist: flushdns yes | no
Msiexec Parameter: FLUSHDNS="yes | no"
Default: no

Portal Agent Configuration: Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
Windows Registry/macOS Plist: wscautodetect yes | no
Msiexec Parameter: WSCAUTODETECT="yes | no"
Default: no

Portal Agent Configuration: Detect Proxy for Each Connection (Windows Only)
Windows Registry/macOS Plist: ProxyMultipleAutoDetection yes | no
Msiexec Parameter: ProxyMultipleAutoDetection="yes | no"
Default: no

Portal Agent Configuration: Clear Single Sign-On Credentials on Logout (Windows Only)
Windows Registry/macOS Plist: LogoutRemoveSSO yes | no
Msiexec Parameter: LogoutRemoveSSO="yes | no"
Default: yes

Portal Agent Configuration: Disable Single Sign-On on local machines. This setting allows you to disable the SSO feature even if it is configured on the portal. It overwrites the portal configuration when you manually add the key to the Windows registry or macOS plist and set the value as Yes.
Windows Registry/macOS Plist:
  For Windows endpoints, you must manually add this setting to the Windows registry:
    Windows Path: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
    Key Name/Value: force-sso-disable yes | no
  For macOS endpoints, you must manually add this setting to the macOS plist:
    macOS Path: /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
    Add the setting under Palo Alto Networks > GlobalProtect > Settings
    Key Name/Value: force-sso-disable yes | no
Msiexec Parameter: This setting is not supported in msiexec.
Default: n/a

Portal Agent Configuration: Use Default Authentication on Kerberos Authentication Failure (Windows Only)
Windows Registry/macOS Plist: krb-auth-fail-fallback yes | no
Msiexec Parameter: KRBAUTHFAILFALLBACK="yes | no"
Default: no

Portal Agent Configuration: Custom Password Expiration Message (LDAP Authentication Only)
Windows Registry/macOS Plist: PasswordExpiryMessage <message>
Msiexec Parameter: PasswordExpiryMessage "<message>"

Portal Agent Configuration: Portal Connection Timeout (sec)
Windows Registry/macOS Plist: PortalTimeout <portaltimeout>
Msiexec Parameter: PORTALTIMEOUT="<portaltimeout>"
Default: 5

Portal Agent Configuration: TCP Connection Timeout (sec)
Windows Registry/macOS Plist: ConnectTimeout <connecttimeout>
Msiexec Parameter: CONNECTTIMEOUT="<connecttimeout>"
Default: 5

Portal Agent Configuration: TCP Receive Timeout (sec)
Windows Registry/macOS Plist: ReceiveTimeout <receivetimeout>
Msiexec Parameter: RECEIVETIMEOUT="<receivetimeout>"
Default: 30

Portal Agent Configuration: Client Certificate Store Lookup
Windows Registry/macOS Plist: certificate-store-lookup user | machine | user and machine | invalid
Msiexec Parameter: CERTIFICATESTORELOOKUP="user | machine | user and machine | invalid"
Default: user and machine

Portal Agent Configuration: SCEP Certificate Renewal Period (days)
Windows Registry/macOS Plist: scep-certificate-renewal-period <renewalPeriod>
Msiexec Parameter: n/a
Default: 7

Portal Agent Configuration: Maximum Internal Gateway Connection Attempts
Windows Registry/macOS Plist: max-internal-gateway-connection-attempts <maxValue>
Msiexec Parameter: MIGCA="<maxValue>"
Default: 0

Portal Agent Configuration: Extended Key Usage OID for Client Certificate
Windows Registry/macOS Plist: ext-key-usage-oid-for-client-cert <oidValue>
Msiexec Parameter: EXTCERTOID="<oidValue>"
Default: n/a

Portal Agent Configuration: User Switch Tunnel Rename Timeout (sec)
Windows Registry/macOS Plist: user-switch-tunnel-rename-timeout <renameTimeout>
Msiexec Parameter: n/a
Default: 0

Portal Agent Configuration: Use Single Sign-On (Windows Only)
Windows Registry/macOS Plist: use-sso yes | no
Msiexec Parameter: USESSO="yes | no"
Default: yes

Portal Agent Configuration: Not in portal. This setting specifies the default portal IP address (or hostname).
Windows Registry/macOS Plist: portal <IPaddress>
Msiexec Parameter: PORTAL="<IPaddress>"
Default: n/a

Portal Agent Configuration: Not in portal. This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.
Windows Registry/macOS Plist: prelogon 1
Msiexec Parameter: PRELOGON="1"
Default: 1

Portal Agent Configuration: Windows only/Not in portal. This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt the user for credentials if SSO fails.
Windows Registry/macOS Plist: can-prompt-user-credential yes | no
Msiexec Parameter: CANPROMPTUSERCREDENTIAL="yes | no"
Default: yes

Portal Agent Configuration: Windows only/Not in portal. This setting filters the third-party credential provider’s tile from the Windows login page so that only the native Windows tile is displayed.*
Windows Registry/macOS Plist: wrap-cp-guid {third party credential provider guid}
Msiexec Parameter: WRAPCPGUID="{guid_value}" FILTERNONGPCP="yes | no"
Default: no

Portal Agent Configuration: Windows only/Not in portal. This setting is an additional option for the setting wrap-cp-guid, and allows the third-party credential provider tile to be displayed on the Windows login page, in addition to the native Windows logon tile.*
Windows Registry/macOS Plist: filter-non-gpcp no
Msiexec Parameter: n/a
Default: n/a

Portal Agent Configuration: Windows only/Not in portal. This setting allows you to assign static IP addresses to Windows endpoints.
Windows Registry/macOS Plist: reserved-ipv4 <reserved-ipv4>
  reserved-ipv6 <reserved-ipv6>
Msiexec Parameter: RESERVEDIPV4="<reserved-ipv4>" RESERVEDIPV6="<reserved-ipv6>"
Default: n/a
* For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Endpoints.
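
The force-sso-disable setting has no msiexec parameter and must be added to the registry by hand, so it is easy for endpoints to drift. The following PowerShell is an added example, not Palo Alto Networks code, that checks and sets that value on a Windows endpoint. The function names are hypothetical, and storing the value as a string (REG_SZ) is an assumption; the registry path and value name are the ones listed in the table.

```powershell
# Added example. Path and value name are taken from the table above.
# Assumption: the value is stored as a string (REG_SZ).
$GpSettingsKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
$GpValueName   = 'force-sso-disable'

function Test-GpForceSsoDisable {
    # Read-only check: reports whether this endpoint matches the desired value.
    param([ValidateSet('yes', 'no')][string]$Desired = 'yes')

    $actual = $null
    if (Test-Path -LiteralPath $GpSettingsKey) {
        $item = Get-ItemProperty -LiteralPath $GpSettingsKey -Name $GpValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = [string]$item.$GpValueName }
    }

    # Missing = key or value absent; Invalid = something other than yes/no.
    $state = if ($null -eq $actual) { 'Missing' }
        elseif ($actual -notin 'yes', 'no') { 'Invalid' }
        elseif ($actual -eq $Desired) { 'Compliant' }
        else { 'Drift' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Name     = $GpValueName
        Actual   = $actual
        Desired  = $Desired
        State    = $state
    }
}

function Set-GpForceSsoDisable {
    # Writes under HKLM, so this needs an elevated session. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('yes', 'no')][string]$Value)

    if ($PSCmdlet.ShouldProcess("$GpSettingsKey\$GpValueName", "Set to '$Value'")) {
        if (-not (Test-Path -LiteralPath $GpSettingsKey)) {
            New-Item -Path $GpSettingsKey -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $GpSettingsKey -Name $GpValueName `
            -Value $Value -PropertyType String -Force | Out-Null
    }
    # Read the value back so the caller sees the resulting state.
    Test-GpForceSsoDisable -Desired $Value
}

Test-GpForceSsoDisable -Desired yes
```

Run `Set-GpForceSsoDisable -Value yes -WhatIf` first to preview the change without writing to the registry.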
