App Behavior Options

The following table lists the options that you can configure in the Windows Registry and macOS plist to customize the behavior of the GlobalProtect app.
Table: Customizable App Behavior Options

| Portal Agent Configuration | Windows Registry/macOS Plist | Msiexec Parameter | Default |
|---|---|---|---|
| Connect Method | `connect-method on-demand \| pre-logon \| user-logon` | `CONNECTMETHOD="on-demand \| pre-logon \| user-logon"` | user-logon |
| GlobalProtect App Config Refresh Interval (hours) | `refresh-config-interval <hours>` | `REFRESHCONFIGINTERVAL="<hours>"` | 24 |
| Update DNS Settings at Connect (Windows Only) | `flushdns yes \| no` | `FLUSHDNS="yes \| no"` | no |
| Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only) | `wscautodetect yes \| no` | `WSCAUTODETECT="yes \| no"` | no |
| Detect Proxy for Each Connection (Windows Only) | `ProxyMultipleAutoDetection yes \| no` | `ProxyMultipleAutoDetection="yes \| no"` | no |
| Clear Single Sign-On Credentials on Logout (Windows Only) | `LogoutRemoveSSO yes \| no` | `LogoutRemoveSSO="yes \| no"` | yes |
| Use Default Authentication on Kerberos Authentication Failure (Windows Only) | `krb-auth-fail-fallback yes \| no` | `KRBAUTHFAILFALLBACK="yes \| no"` | no |
| Custom Password Expiration Message (LDAP Authentication Only) | `PasswordExpiryMessage <message>` | `PasswordExpiryMessage "<message>"` | |
| Portal Connection Timeout (sec) | `PortalTimeout <portaltimeout>` | `PORTALTIMEOUT="<portaltimeout>"` | 5 |
| TCP Connection Timeout (sec) | `ConnectTimeout <connecttimeout>` | `CONNECTTIMEOUT="<connecttimeout>"` | 5 |
| TCP Receive Timeout (sec) | `ReceiveTimeout <receivetimeout>` | `RECEIVETIMEOUT="<receivetimeout>"` | 30 |
| Client Certificate Store Lookup | `certificate-store-lookup user \| machine \| user and machine \| invalid` | `CERTIFICATESTORELOOKUP="user \| machine \| user and machine \| invalid"` | user and machine |
| SCEP Certificate Renewal Period (days) | `scep-certificate-renewal-period <renewalPeriod>` | n/a | 7 |
| Maximum Internal Gateway Connection Attempts | `max-internal-gateway-connection-attempts <maxValue>` | `MIGCA="<maxValue>"` | 0 |
| Extended Key Usage OID for Client Certificate | `ext-key-usage-oid-for-client-cert <oidValue>` | `EXTCERTOID="<oidValue>"` | n/a |
| User Switch Tunnel Rename Timeout (sec) | `user-switch-tunnel-rename-timeout <renameTimeout>` | n/a | 0 |
| Use Single Sign-On (Windows Only) | `use-sso yes \| no` | `USESSO="yes \| no"` | yes |
| Not in portal: This setting specifies the default portal IP address (or hostname). | `portal <IPaddress>` | `PORTAL="<IPaddress>"` | n/a |
| Not in portal: This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal. | `prelogon 1` | `PRELOGON="1"` | 1 |
| Windows only/Not in portal: This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt the user for credentials if SSO fails. | `can-prompt-user-credential yes \| no` | `CANPROMPTUSERCREDENTIAL="yes \| no"` | yes |
| Windows only/Not in portal: This setting filters the third-party credential provider’s tile from the Windows login page so that only the native Windows tile is displayed.* | `wrap-cp-guid {third party credential provider guid}` | `WRAPCPGUID="{guid_value}" FILTERNONGPCP="yes \| no"` | no |
| Windows only/Not in portal: This setting is an additional option for the setting wrap-cp-guid, and allows the third-party credential provider tile to be displayed on the Windows login page, in addition to the native Windows logon tile.* | `filter-non-gpcp no` | n/a | n/a |
| Windows only/Not in portal: This setting allows you to assign static IP addresses to Windows endpoints. | `reserved-ipv4 <reserved-ipv4>`<br>`reserved-ipv6 <reserved-ipv6>` | `RESERVEDIPV4="<reserved-ipv4>"`<br>`RESERVEDIPV6="<reserved-ipv6>"` | n/a |

For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Endpoints.
