Configure a GlobalProtect Gateway

Add a gateway.
Select
Network
GlobalProtect
Gateways
, and then
Add
a new gateway.
Enter a
Name
for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
(
Optional
) Select the virtual system to which this gateway belongs from the
Location
field.
Specify the network information that enables endpoints to connect to the gateway.
If you have not created the network interface for the gateway, Create Interfaces and Zones for GlobalProtect.
Do not attach an interface management profile that allows HTTP, HTTPS, Telnet, or SSH on the interface where you have configured a GlobalProtect portal or gateway because this enables access to your management interface from the Internet. Follow the Best Practices for Securing Administrative Access to ensure that you are securing administrative access to your firewalls in a way that will prevent successful attacks.
Select the
Interface
that the endpoints will use for communication with the gateway.
Specify the
IP Address Type
and
IP Address
for the gateway web service:
You can set the
IP Address Type
to
IPv4 Only
,
IPv6 Only
, or
IPv4 and IPv6.
Use
IPv4 and IPv6
if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.
The IP address must be compatible with the IP address type. For example,
172.16.1/0
for IPv4 addresses or
21DA:D3:0:2F3B
for IPv6 addresses. For dual stack configurations, enter both an IPv4 and IPv6 address.
Specify how the gateway authenticates users.
If you have not created an SSL/TLS service profile for the gateway, Deploy Server Certificates to the GlobalProtect Components.
If you have not set up the authentication profiles or certificate profiles, see Authentication for instructions.
Configure any of the following gateway
Authentication
settings (
Network
GlobalProtect
Gateways
<gateway-config>
Authentication
):
To secure communication between the gateway and the GlobalProtect app, select the
SSL/TLS Service Profile
for the gateway.
To provide the strongest security, set the
Min Version
of the SSL/TLS service profile to
TLSv1.2
.
To authenticate users with a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, or RADIUS (including OTP),
Add
a
Client Authentication
configuration with the following settings:
Enter a
Name
to identify the client authentication configuration.
Identify the type of
OS
(operating system) to which this configuration applies. By default, the configuration applies to
Any
operating system.
Select or add an
Authentication Profile
to authenticate endpoints seeking access to the gateway.
Enter a custom
Username Label
for gateway login (for example,
Email Address (username@domain
).
Enter a custom
Password Label
for gateway login (for example,
Passcode
for two-factor, token-based authentication).
Enter an
Authentication Message
to help end-users understand which credentials to use during login. The message can be up to 256 characters in length (default is
Enterlogin credentials
).
To authenticate users based on a client certificate or a smart card/CAC, select the corresponding
Certificate Profile
. You must pre-deploy the client certificate or Deploy User-Specific Client Certificates for Authentication using the Simple Certificate Enrollment Protocol (SCEP).
To use two-factor authentication, select both an authentication profile and a certificate profile. The user must authenticate successfully using both methods in order to be granted access.
(
Chrome only
) If you configure the gateway to use client certificates and LDAP for two-factor authentication, Chromebooks that run Chrome OS 47 or later versions encounter excessive prompts to select the client certificate. To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and then deploy that policy to your managed Chromebooks:
Log in to the Google Admin console and select
Device management
Chrome management
User settings
.
In the Client Certificates section, enter the following URL pattern to
Automatically Select Client Certificate for These Sites
:
{"pattern": "https://[*.]","filter":{}}
Click
Save
. The Google Admin console deploys the policy to all devices within a few minutes.
Enable tunneling, and then configure the tunnel parameters.
Tunnel parameters are required if you are configuring an external gateway. If you are configuring an internal gateway, they are optional.
If you want to force the use of SSL-VPN tunnel mode, clear the
Enable IPSec
check box. By default, SSL-VPN is only used if the endpoint fails to establish an IPSec tunnel.
Extended authentication (X-Auth) is only supported on IPSec tunnels. If you
Enable X-Auth Support
, GlobalProtect IPSec Crypto profiles are not applicable.
For more information on supported cryptographic algorithms, see Reference: GlobalProtect App Cryptographic Functions.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Tunnel Settings
.
Enable
Tunnel Mode
to enable split tunneling.
Select the
Tunnel Interface
that you defined in step 2 of Create Interfaces and Zones for GlobalProtect.
(
Optional
) Enter a
Max User
value to specify the maximum number of users that can access the gateway at the same time for authentication, HIP updates, and GlobalProtect app updates. The range of values is displayed when the field is empty and varies based on the platform.
Enable IPSec
, and then select a
GlobalProtect IPSec Crypto
profile to secure the VPN tunnels between the GlobalProtect app and gateway. The
default
profile uses AES-128-CBC encryption and sha1 authentication.
IPSec is not supported with Windows 10 UWP endpoints.
You can also create a new IPSec crypto profile by selecting
New GlobalProtect IPSec Crypto
from the
GlobalProtect IPSec Crypto
drop-down, and then configuring the following settings:
Enter a
Name
to identify the profile.
Add
the
Authentication
and
Encryption
algorithms that VPN peers can use to negotiate the keys for securing the data in the tunnel:
Encryption
—If you are not certain of what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most-to-least secure, as follows:
aes-256-gcm
,
aes-128-gcm
,
aes-128-cbc
. The peers negotiate the strongest algorithm to establish the tunnel.
Authentication
—Select the authentication algorithm (
sha1
) to provide data integrity and authenticity protection. Although the authentication algorithm is required for the profile, this setting only applies to the AES-CBC cipher (
aes-128-cbc
). If you use an AES-GCM encryption algorithm (
aes-256-gcm
or
aes-128-gcm
), the setting is ignored since these ciphers provide native ESP integrity protection.
Click
OK
to save the profile.
(
Optional
)
Enable X-Auth Support
if any endpoint must connect to the gateway using a third-party VPN (for example, a VPNC client running on Linux). If you enable X-Auth, you must provide the
Group
name and
Group Password
(if the endpoint requires it). By default, the user is not required to re-authenticate if the key that establishes the IPSec tunnel expires. To require users to re-authenticate, disable the option to
Skip Auth on IKE Rekey
.
To
Enable X-Auth Support
for strongSwan endpoints, you must also disable the option to
Skip Auth on IKE Rekey
because these endpoints require re-authentication during IKE SA negotiation. In addition, you must add the
closeaction=restart
setting
to the
conn %default
section of the strongSwan IPSec configuration file. See Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints for more information on the StrongSwan IPSec configuration.
Although X-Auth access is supported on iOS and Android endpoints, it provides limited GlobalProtect functionality on these endpoints. Instead, use the GlobalProtect app for simplified access to all the security features that GlobalProtect provides on iOS and Android endpoints. The GlobalProtect app for iOS is available in the Apple App Store. The GlobalProtect app for Android is available in Google Play.
(
Optional
) Modify the default timeout settings for endpoints.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Timeout Settings
, and then configure the following:
Modify the maximum
Login Lifetime
for a single gateway login session (default login lifetime is 30 days). During the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the
Inactivity Logout
period. After this time, the login session ends automatically.
Modify the
Inactivity Logout
period to specify the amount of time after which an inactive session is automatically logged out (default period is 3 hours). Users are logged out of GlobalProtect if the gateway does not receive a HIP check from the endpoint during the configured time period.
Modify the
Disconnect on Idle
to specify the number of minutes after which idle users are logged out of GlobalProtect (default period is 180 minutes). Users are logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel within the configured time period. This setting applies to GlobalProtect apps that use the On-Demand connect method only.
(
Tunnel Mode Only
) (
Optional
) Configure the global IP pools used to assign IPv4 or IPv6 addresses to the virtual network adapters on all endpoints that connect to the gateway.
This option enables you to simplify the configuration by defining IP pools at the gateway level instead of defining IP pools for each client setting in the gateway configuration.
You must only configure IP pools at either the gateway level (
Network
GlobalProtect
Gateways
<gateway-config>
Agent
Client IP Pool
) or the client level (
Network
GlobalProtect
Gateways
<gateway-config>
Agent
Client Settings
<client-setting>
IP Pools
).
Using address objects when configuring gateway IP address pools or access routes is not supported.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Client IP Pool
.
Add
the IP address subnet/range used to assign IPv4 or IPv6 addresses to all endpoints that connect to the gateway. To ensure proper routing back to the gateway, you must use a different range of IP addresses from those assigned to existing IP pools on the gateway (if applicable) and to the endpoints that are physically connected to your LAN. We recommend that you use a private IP addressing scheme.
(
Tunnel Mode Only
) Configure authentication override settings to enable the gateway to generate and accept secure, encrypted cookies for user authentication.
This capability allows the user to provide login credentials only once during the specified period of time (for example, every 24 hours).
By default, gateways authenticate users with an authentication profile and optional certificate profile. When authentication override is enabled, GlobalProtect caches the result of a successful login and uses the cookie to authenticate the user instead of prompting the user for credentials. For more information, see Cookie Authentication on the Portal or Gateway. If client certificates are required, the endpoint must also provide a valid certificate to be granted access.
If you must immediately block access to a device whose cookie has not yet expired (for example, if the device is lost or stolen), you can immediately Block Endpoint Access by adding the device to a block list.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Client Settings
.
Select an existing client settings configuration or
Add
a new one.
Configure the following
Authentication Override
settings (
Network
GlobalProtect
Gateways
<gateway-config>
Agent
Client Settings
<client-setting>
Authentication Override
):
Name
—Identifies the configuration.
Generate cookie for authentication override
—Enables the gateway to generate encrypted, endpoint-specific cookies and issue authentication cookies to the endpoint.
The authentication cookie includes the following fields:
user
—Username that is used to authenticate the user.
domain
—Domain name of the user.
os
—Application name that is used on the device.
hostID
—Unique ID that is assigned by GlobalProtect to identify the host.
gen time
—Date and time that the authentication cookie was generated.
ip
—IP address of the device that is used to successfully authenticate to GlobalProtect and to obtain the cookie.
Accept cookie for authentication override
—Enables the gateway to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, the gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to the portal or gateway for user authentication.
(
Windows only
) If you set the Use Single Sign-On option to
Yes
(SSO is enabled) in the portal agent configuration (
Network
GlobalProtect
Portals
<portal-config>
Agent
<agent-config>.
App
), the GlobalProtect app uses the Windows username to retrieve the local authentication cookie for the user. If you set the
Use Single Sign-On
option to
No
(SSO is disabled), you must enable the GlobalProtect app to Save User Credentials in order for the app to retrieve the authentication cookie for the user. Set the
Save User Credentials
option to
Yes
to save both the username and password or
Save Username Only
to save only the username.
(
Mac only
) Because Mac endpoints do not support single sign-on, you must enable the GlobalProtect app to
Save User Credentials
in order for the app to retrieve the authentication cookie for the user. Set the
Save User Credentials
option to
Yes
to save both the username and password or
Save Username Only
to save only the username.
Cookie Lifetime
—Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1–72; weeks, 1–52; and days, 1–365. After the cookie expires, the user must re-enter the login credentials, and then the gateway subsequently encrypts a new cookie to send to the app. This value can be the same as or different from the
Cookie Lifetime
that you configure for the portal.
Certificate to Encrypt/Decrypt Cookie
—Selects the RSA certificate used to encrypt and decrypt the cookie. You must use the same certificate on the portal and gateway.
As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
The portal and gateway use the RSA encrypt padding scheme PKCS#1 V1.5 to generate the cookie (using the public certificate key) and decrypt the cookie (using the private certificate key).
(
Tunnel Mode Only
) Configure the user (or user group) and the endpoint OS to which the agent configuration applies.
The gateway uses the user/user group settings to determine which configuration to deliver to the GlobalProtect apps that connect. If you have multiple configurations, you must make sure to order them properly. As soon as the gateway finds a match, it delivers the configuration. Therefore, more specific configurations must precede more general ones. See step 13 for instructions on ordering the list of agent configurations.
Network settings are not required in internal gateway configurations in non-tunnel mode since the GlobalProtect app uses the network settings assigned to the physical network adapter.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Client Settings
.
Select an existing client settings configuration or
Add
a new one.
Configure the following
User/User Group
settings (
Network
GlobalProtect
Gateways
<gateway-config>
Agent
Client Settings
<client-setting>
User/User Group
):
To deliver the configuration to apps running on a specific operating system,
Add
the
OS
to which this configuration applies. To deploy the configuration based on user/user group only, select the check box for
Any
.
To restrict this configuration to a specific user and/or user group,
Add
a
Source User
, and then select the user or user group from the drop-down. Repeat this step for each user/user group you want to add.
Before you can restrict the configuration to specific groups, you must map users to groups as described in Enable Group Mapping.
To restrict the configuration to users who have not yet logged in to their systems, select
pre-logon
from the
Source User
drop-down.
To apply the configuration to any user regardless of login status (both pre-logon and logged in users), select
any
from the
Source User
drop-down.
Click
OK
to save the user/user group configuration.
(
Tunnel Mode only
) (
Optional
) Configure client-level IP pools used to assign IPv4 or IPv6 addresses to the virtual network adapters on the endpoints that connect to the gateway.
You must only configure IP pools at either the client level (
Network
GlobalProtect
Gateways
<gateway-config>
GlobalProtect Gateway Configuration
Agent
Client Settings
<client-setting>
Configs
IP Pools
) or the gateway level (
Network
GlobalProtect
Gateways
<gateway-config>
GlobalProtect Gateway Configuration
Agent
Client IP Pool
).
IP pools and split tunnel settings are not required for internal gateway configurations in non-tunnel mode since apps use the network settings assigned to the physical network adapter.
Using address objects when configuring gateway IP address pools or access routes is not supported.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Client Settings
.
Select an existing client settings configuration or
Add
a new one.
Configure any of the following
IP Pools
settings (
Network
GlobalProtect
Gateways
<gateway-config>
Agent
Client Settings
<client-setting>
IP Pools
):
To specify the authentication server IP address pool for endpoints that require static IP addresses, select the
Retrieve Framed-IP-Address attribute from authentication server
check box, and then
Add
the subnet or IP address range to
Authentication Server IP Pool
. When the tunnel is established, an interface is created on the remote user’s computer with an address in the subnet or IP range that matches the Framed-IP attribute of the authentication server.
The authentication server IP address pool must be large enough to support all concurrent connections. IP address assignment is static and retained even after the user disconnects.
To specify the
IP Pool
used to assign IPv4 or IPv6 addresses to the endpoints that connect to the gateway,
Add
the IP address subnet or range. To ensure proper routing back to the gateway, you must use a different range of IP addresses from those assigned to existing IP pools on the gateway (if applicable) and to the endpoints that are physically connected to your LAN. We recommend that you use a private IP addressing scheme.
Click
OK
to save the IP pool configuration.
(
Tunnel Mode only
) (
Optional
) Configure split tunnel settings based on the access route. These settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway.
When configuring access routes, keep in mind the following:
More specific access routes take precedence over less specific routes.
Avoid specifying the same access route as both an include and exclude access route as this leads to a misconfiguration.
To route only some traffic—likely traffic destined for your LAN—to GlobalProtect, specify the destination subnets or address object (of type
IP Netmask
) that must be included or excluded from the tunnel. In this case, traffic that is not destined for a specified access route will be routed through the endpoint’s physical adapter rather than through the virtual adapter (the tunnel).
On the GlobalProtect Gateway Configuration dialog, select
Agent
Client Settings
.
Select an existing client settings configuration or
Add
a new one.
Configure any of the following access route-based
Split Tunnel
settings (
Split Tunnel
Access Route
):
To disable split tunneling, including direct access to local networks on Windows and macOS endpoints, enable
No direct access to local network
. If this option is enabled, users cannot send traffic to proxies or local resources while connected to GlobalProtect.
To define which destination subnets to route through the tunnel, enter the following routes under the
Access Route
tab:
(
Optional
) In the
Includes
section,
Add
the destination subnets or address object (of type IP Netmask) to route only certain traffic—likely traffic destined for your LAN—to GlobalProtect. These are the routes that the gateway pushes to the remote users’ endpoint, and thereby determines what traffic the users’ endpoint can send through the VPN connection. You can include IPv6 or IPv4 subnets, and up to 1000 access routes.
(
Optional
) In the
Excludes
section,
Add
the destination subnets or address object (of type IP Netmask) that you want the app to exclude. These routes are sent through the endpoint’s physical adapter rather than the virtual adapter (the tunnel). Excluded routes should be more specific than the included routes; otherwise, you may exclude more traffic than you intended. You can exclude IPv6 or IPv4 subnets, and up to 200 access routes.
You cannot exclude access routes for endpoints running Android on Chromebooks.
Click
OK
to save the split tunnel configuration.
Excluding routes is not supported on Android. Only IPv4 routes are supported on Chrome.
(
Tunnel Mode only
) (
Optional
) For Windows and macOS endpoints, configure split tunnel settings based on the destination domain. These settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway.
This feature is supported on Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases.
When you configure a split tunnel based on the destination domain, all traffic going to that specific domain and port (optional) is either sent through the tunnel for inspection and policy enforcement or sent directly to the physical adapter on the endpoint without inspection. This option enables you to configure a split tunnel for an entire domain without having to specify a destination IP address subnet, thereby extending the split tunnel capability to domains and applications with dynamic public IP addresses, such as SaaS and public cloud applications.
Both IPv4 and IPv6 traffic is supported.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Client Settings
.
Select an existing client settings configuration or
Add
a new one.
Disable the
No direct access to local network
option (
Split Tunnel
Access Route
). If enabled, this setting disables split tunneling on Windows, Linux, and macOS networks.
(
Optional
)
Add
the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the destination domain and port (
Split Tunnel
Domain and Application
Include Domain
). You can add up to 200 entries to the list. For example, add
*.office365.com
to allow all Office 365 traffic to go through the VPN tunnel.
(
Optional
)
Add
the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the destination domain and port (
Split Tunnel
Domain and Application
Exclude Domain
). You can add up to 200 entries to the list. For example, add
*.engadget.com
to exclude all Engadget traffic from the VPN tunnel.
Click
OK
to save the split tunnel settings.
(
Tunnel Mode only
) (
Optional
) For Windows and macOS endpoints, configure split tunnel settings based on the application process name. These settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway.
This feature is supported on Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases.
When you configure a split tunnel based on the application process name, all traffic for that application is either sent through the tunnel for inspection and policy enforcement or sent directly to the physical adapter on the endpoint without inspection. This option enables you to configure a split tunnel without having to specify a destination IP address subnet, thereby extending the split tunnel capability to applications with dynamic public IP addresses, such as SaaS and public cloud applications.
Both IPv4 and IPv6 traffic is supported.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Client Settings
.
Select an existing client settings configuration or
Add
a new one.
Disable the
No direct access to local network
option (
Split Tunnel
Access Route
). If enabled, this setting disables split tunneling on Windows, Linux, and macOS networks.
(
Optional
)
Add
the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the application process name (
Split Tunnel
Domain and Application
Include Client Application Process Name
. You can add up to 200 entries to the list. For example, add
/Application/Safari.app/Contents/MacOS/Safari
to allow all Safari-based traffic to go through the VPN tunnel on macOS endpoints.
(
Optional
)
Add
the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name (
Split Tunnel
Domain and Application
Exclude Client Application Process Name
). You can add up to 200 entries to the list. For example, add
/Applications/Microsoft Lync.app/Contents/MacOS/Microsoft Lync
to exclude all Microsoft Lync application traffic from the VPN tunnel.
Click
OK
to save the split tunnel settings.
(
Tunnel Mode Only
) Arrange the gateway agent configurations so that the proper configuration is deployed to each GlobalProtect app.
When an app connects, the gateway compares the source information in the packet against the agent configurations you have defined (
Agent
Client Settings
). As with security rule evaluation, the gateway looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
To move a gateway configuration up on the list of configurations, select the configuration and click
Move Up
.
To move a gateway configuration down on the list of configurations, select the configuration and click
Move Down
.
(
Tunnel Mode Only
) Specify the network configuration settings for the endpoints.
Network settings are required for internal gateway configurations in tunnel mode because in non-tunnel mode, the GlobalProtect app uses the network settings assigned to the physical network adapter.
On the GlobalProtect Gateway Configuration dialog, select
Agent
Network Services
, and then configure the network configuration settings in one of the following ways:
If the firewall has an interface that is configured as a DHCP client, set the
Inheritance Source
to that interface so the GlobalProtect app is assigned the same settings received by the DHCP client. You can also enable the check box to
Inherit DNS Suffixes
from the inheritance source.
Manually assign the
Primary DNS
server,
Secondary DNS
server,
Primary WINS
server,
Secondary WINS
server, and
DNS Suffix
. You can enter multiple DNS suffixes (up to 100) by separating each suffix with a comma.
The
DNS Suffix
cannot contain any non-ASCII characters.
(
Tunnel Mode Only
) For Windows and macOS endpoints, exclude HTTP/HTTPS video streaming traffic from the VPN tunnel.
This feature is supported on Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases.
By excluding lower risk video streaming traffic (such as YouTube and Netflix) from the VPN tunnel, you can decrease bandwidth consumption on the gateway.
All video traffic types are redirected for the following video streaming applications:
Youtube
Dailymotion
Netflix
If you exclude any other video streaming applications from the VPN tunnel, only the following video traffic types are redirected for those applications:
MP4
WebM
MPEG
The App-ID functionality on the firewall identifies the video stream before traffic can be split tunneled.
If the physical adapter on a Windows or macOS endpoint supports only IPv4 addresses, the endpoint user cannot access the video streaming applications that you exclude from the VPN tunnel when you configure the GlobalProtect gateway to assign IPv6 addresses to the virtual network adapters on the endpoints that connect to the gateway. In this case, ensure that the IP pools used to assign IP addresses to the virtual network adapters on these endpoints do not include any IPv6 addresses (
Network
GlobalProtect
Gateways
Agent
Client IP Pool
or
Client Settings
IP Pools
).
If you exclude video streaming traffic from the VPN tunnel (
Network
GlobalProtect
Gateways
<gateway-config>
Agent
Video Traffic
), do not include web browser applications, such as Firefox or Chrome, in the VPN tunnel (
Network
GlobalProtect
Gateways
<gateway-config>
Agent
Client Settings
<client-setting>
Split Tunnel
Domain and Application
). This ensures that there is no conflicting logic in the split tunnel configuration and that your users can stream videos from web browsers.
To exclude Sling TV app traffic from the VPN tunnel, use application-based split tunneling (
Network
GlobalProtect
Gateways
<gateway-config>
Agent
Client Settings
<client-setting-config>
Split Tunnel
Domain and Application
Exclude Client Application Process Name
).
On the GlobalProtect Gateway Configuration dialog, select
Agent
Video Traffic
.
Enable the option to
Exclude video applications from the tunnel
.
If you enable this option but do not select specific video streaming applications to exclude from the VPN tunnel, all video streaming traffic is excluded.
(
Optional
)
Browse
the
Applications
list to view all of the video streaming applications that you can exclude from the VPN tunnel. Click the add icon (

) for the application(s) that you want to exclude. For example, click the add icon for
directv
to exclude DIRECTV video streaming traffic from the VPN tunnel.
(
Optional
)
Add
the video streaming applications that you want to exclude from the VPN tunnel using the
Applications
drop-down—a shortened version of the
Applications
list that contains some of the most popular video streaming applications. You can add up to 200 video application entries to the list. For example, select
youtube-streaming
from the
Applications
drop-down to exclude all YouTube-based video streaming traffic from the VPN tunnel.
(
Optional
) Define the notification messages end-users see when a security rule with a host information profile (HIP) is enforced.
This step only applies if you have created host information profiles and added them to your security policies. For details on configuring the HIP feature and information about creating HIP notification messages, see Host Information.
On the GlobalProtect Gateway Configuration dialog, select
Agent
HIP Notification
.
Select an existing HIP notification configuration or
Add
a new one.
Configure the following settings:
Select the
Host Information
object or profile to which this message applies.
Depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when it is not matched, select
Match Message
or
Not Match Message
, and then
Enable
notifications. In some cases, you might want to create messages for both a match and a non-match, based on the objects on which you are matching and what your objectives are for the policy. For the
Match Message
, you can also enable the option to
Include Mobile App List
to indicate what applications can trigger the HIP match.
Select whether you want to display the message as a
System Tray Balloon
or as a
Pop Up Message
.
Enter and format the text of your message in the
Template
text box, and then click
OK
.
Repeat these steps for each message you want to define.
Save the gateway configuration.
Click
OK
to save the settings.
Commit
the changes.