Customize the GlobalProtect App
The portal agent configuration allows you to customize how your end users interact with the GlobalProtect apps installed on their endpoints. You can customize the display and behavior of the app, and define different app settings for the different GlobalProtect agent configurations you create. For example, you can specify the following:
- What menus and views users can access.
- Whether users can disable the app (user-logon connect method only).
- Whether to display a welcome page upon successful login. You can also configure whether or not the user can dismiss the welcome page, and you can Customize the GlobalProtect Portal Login, Welcome, and Help Pages to explain how to use GlobalProtect within your environment.
- Whether the GlobalProtect app upgrades automatically or prompts users to upgrade manually.
- Whether to prompt users if multi-factor authentication is required to access sensitive network resources.
You can also define app settings in the Windows Registry, Windows Installer (Msiexec), and global macOS plist. Settings that are defined in the web interface (portal agent configuration) take precedence over settings that are defined in the Windows Registry, Msiexec, and macOS plist. For more details, see Deploy App Settings Transparently.
Additional settings that are available only through the Windows Registry or Windows Installer (Msiexec) enable you to:
- Specify whether the app prompts the end user for credentials when Windows SSO fails.
- Specify the default portal IP address (or hostname).
- Enable GlobalProtect to initiate a connection before the user logs into the endpoint.
- Deploy scripts that run before or after GlobalProtect establishes a connection or after GlobalProtect disconnects.
- Configure the GlobalProtect app to wrap third-party credentials on Windows endpoints, enabling SSO when using a third-party credential provider.
For more information, see Customizable App Settings.
- Select the agent configuration that you want to customize.You can also configure most app settings from the Windows Registry, Windows Installer (Msiexec), and Mac plist. However, settings that are defined in the web interface take precedence over settings that are defined in the Windows Registry, Msiexec, and macOS plist. See Deploy App Settings Transparently for more details.
- Select the portal on which you want to add the agent configuration, orAdda new one.
- On theAgenttab, select the agent configuration that you want to modify, orAdda new one.
- Select theApptab.The App Configurations area displays the app settings with default values that you can customize for each agent configuration. When you change the default behavior, the text color changes from gray to the default color.
- Specify theConnect Methodthat an app uses for its GlobalProtect connection.Use thePre-logon (Always On),Pre-logon then On-demand, orUser-log on (Always On)connect method to access the network using an internal gateway.In the App Configurations area, select one of the followingConnect Methodoptions:
- User-logon (Always On)—The GlobalProtect app automatically connects to the portal as soon as the user logs in to the endpoint (or domain). When used in conjunction with SSO (Windows endpoints only), GlobalProtect login is transparent to the end user.On iOS endpoints, this setting prevents one-time password (OTP) applications from working because GlobalProtect forces all traffic to go through the tunnel.
- Pre-logon (Always On)—The GlobalProtect app authenticates the user and establishes a VPN tunnel to the GlobalProtect gateway before the user logs in to the endpoint. This option requires that you use an external PKI solution to pre-deploy a machine certificate to each endpoint that receives this configuration. See Remote Access VPN with Pre-Logon for details about pre-logon.
- On-demand (Manual user initiated connection)—Users must manually launch the app to connect to GlobalProtect. Use this connect method for external gateways only.
- Pre-logon then On-demand—Similar to thePre-logon (Always On)connect method, this connect method (which requires Content Release version 590-3397 or later) enables the GlobalProtect app to authenticate the user and establish a VPN tunnel to the GlobalProtect gateway before the user logs in to the endpoint. Unlike the pre-logon connect method, after the user logs in to the endpoint, users must manually launch the app to connect to GlobalProtect if the connection is terminated for any reason. The benefit of this option is that you can allow users to specify a new password after their password expires or they forget their password, but still require users to manually initiate the connection after they log in.
- Specify whether to enforce GlobalProtect connections for network access.To enforce GlobalProtect for network access, we recommend that you enable this feature only for users that connect inUser-logonorPre-logonmodes. Users that connect inOn-demandmode may not be able to establish a connection within the permitted grace periods.In the App Configurations area, configure any of the following options:
These options require Content Release version 607-3486 or later. TheCaptive Portal Notification Delay (sec)option requires Content Release version 8118-5277 or later. TheAutomatically Launch Webpage in Default Browser Upon Captive Portal Detectionoption requires Content Release version _________ and later.
- To force all network traffic to traverse a GlobalProtect tunnel, setEnforce GlobalProtect Connection for Network AccesstoYes. By default, GlobalProtect is not required for network access, meaning users can still access the Internet when GlobalProtect is disabled or disconnected. To provide instructions to users before traffic is blocked, configure GlobalProtect toDisplays Traffic Blocking Notification Message, and optionally specify when to display the message (Traffic Blocking Notification Delay).WhenEnforce GlobalProtect Connection for Network Accessis enabled, you may want to consider allowing users to disable the GlobalProtect app with a passcode. TheEnforce GlobalProtect Connection for Network Accessfeature enhances the network security by requiring a GlobalProtect connection for network access. On rare occasions, endpoints may fail to connect to the VPN and require remote administrative login for troubleshooting. By disabling the GlobalProtect app (for Windows or macOS) using the passcode provided by the administrator during the troubleshooting session, you can allow administrators to connect to your endpoint remotely.
- If your users must log in to a captive portal to access the Internet, specify aCaptive Portal Exception Timeout (sec)to indicate the amount of time (in seconds) within which users can log in to the captive portal (range is 0 to 3600 seconds; default is 0 seconds). If users do not log in within this time period, the captive portal login page times out and users will be blocked from using the network.To enable the GlobalProtect app to display a notification message when it detects a captive portal, set theDisplay Captive Portal Detection MessagetoYes. In theCaptive Portal Notification Delay (sec)field, enter the amount of time (in seconds) after which the GlobalProtect app displays this message (range is 1 to 120 seconds; default is 5 seconds). GlobalProtect initiates this timer after the captive portal has been detected but before the Internet becomes reachable. You can also provide additional instructions by configuring aCaptive Portal Detection Message.To automatically launch your default web browser upon captive portal detection so that users can log in to the captive portal seamlessly, in theAutomatically Launch Webpage in Default Browser Upon Captive Portal Detectionfield, enter the fully qualified domain name (FQDN) or IP address of the website that you want to use for the initial connection attempt that initiates web traffic when the default web browser launches (maximum length is 256 characters). The captive portal then intercepts this website connection attempt and redirects the default web browser to the captive portal login page. If this field is empty (default), GlobalProtect does not launch the default web browser automatically upon captive portal detection.
- Specify additional GlobalProtect connection settings.When single sign-on (SSO) is enabled (default), the GlobalProtect app uses the user’s Windows login credentials to automatically authenticate and connect to the GlobalProtect portal and gateway. This also allows the GlobalProtect app to wrap third-party credentials to ensure that Windows users can authenticate and connect even with a third-party credential provider.In the App Configurations area, configure any of the following options:
- (Windows only) Set theUse Single Sign-Onoption toNoto prevent GlobalProtect from using the Windows login credentials to automatically authenticate the user upon Active Directory login.If you configure the GlobalProtect gateway to authenticate users through SAML authentication and also generate and accept cookies for authentication override, you must set theUse Single Sign-Onoption toNowhen the user’s Windows username is different from his or her SAML username (for example, the Windows username is “user” and the SAML username is “user123”) or if one username contains a fully qualified domain name (for example, the Windows username is “user” and the SAML username is “firstname.lastname@example.org”).
- Enter theMaximum Internal Gateway Connection Attemptsto specify the number of times the GlobalProtect app can retry the connection to an internal gateway after the first attempt fails (range is 0-100; 4 or 5 is recommended; the default value of 0 indicates that the GlobalProtect app does not retry the connection). By increasing this value, you can enable the app to connect to an internal gateway that is temporarily down or unreachable but comes back up before the specified number of retries are exhausted. Increasing the value also ensures that the internal gateway receives the most up-to-date user and host information.
- Enter theGlobalProtect App Config Refresh Intervalto specify the number of hours that the GlobalProtect portal waits before it initiates the next refresh of a client’s configuration (range is 1-168; default is 24).
- (Windows only) Depending on your security requirements, specify whether toRetain Connection on Smart Card Removal. By default, this option is set toYes, meaning GlobalProtect retains the tunnel when a user removes a smart card containing a client certificate. To terminate the tunnel, set this option toNo.This feature requires Content Release version 590-3397 or a later version.
- Configure anAutomatic Restoration of VPN Connection Timeoutto specify the action GlobalProtect takes when the tunnel is disconnected. Set this option toYesto allow GlobalProtect to attempt to reestablish the connection after the tunnel is disconnected. Set this option toNoto prevent GlobalProtect from attempting to reconnect after the tunnel is disconnected. Configure theWait Time Between VPN Connection Restore Attemptsto adjust the amount of time (in seconds) that GlobalProtect waits between attempts to restore the connection (range is 1 to 60 seconds; default is 5).With the Always On connect method, if a user switches from an external network to an internal network before the timeout value expires, GlobalProtect does not perform network discovery. As a result, GlobalProtect restores the connection to the last known external gateway. To trigger internal host detection, the user must selectRefresh Connectionfrom the settings menu on the GlobalProtect status panel.
- Configure the menus and UI views that are available to users who have this agent configuration.In the App Configurations area, configure any of the following options:
- If you want users to see only basic status information within the application, setEnable Advanced ViewtoNo. When you disable this option, users can view information from the following tabs:
Yes. When you enable this option, users can view the following additional tabs:
- General—Displays the username and portal(s) associated with the GlobalProtect account.
- Notification—Displays any GlobalProtect notifications.
- Connection—Lists the gateways configured for the GlobalProtect app and information about each gateway.
- Host Profile—Displays the endpoint data that GlobalProtect uses to monitor and enforce security policies using HIP.
- Troubleshooting—Displays information about the network configuration, route settings, active connections, and logs. You can also collect logs generated by GlobalProtect and set the logging level.
- If you want hide the GlobalProtect system tray icon on endpoints, setDisplay GlobalProtect IcontoNo. When the icon is hidden, users cannot perform tasks such as changing saved passwords, rediscovering the network, resubmitting host information, viewing troubleshooting information, or initiating on-demand connections. However, HIP notification messages, login prompts, and certificate dialogs still display as necessary.
- To prevent users from performing network discovery, set theEnable Rediscover Network OptiontoNo. When you disable this option, theRefresh Connectionoption is grayed out in the settings menu of the GlobalProtect status panel.
- To prevent users from manually resubmitting HIP data to the gateway, setEnable Resubmit Host Profile OptiontoNo. This option, which is enabled by default, is useful in cases where HIP-based security policy prevents users from accessing resources because it allows the user to fix the compliance issue on the computer before resubmitting the HIP data.
- (Windows only) To allow GlobalProtect to display notifications in the system tray, setShow System Tray NotificationstoYes.
- To create a custom message to display to users when their passwords are about to expire, enter aCustom Password Expiration Message (LDAP Authentication Only). The maximum message length is 200 characters.
- To create a custom message to specify password policies or requirements when users change their Active Directory (AD) password, enter aChange Password Message. The maximum message length is 255 characters.
- Define what end users with this configuration can do in their app.
- SetAllow User to Change Portal AddresstoNoto disable thePortalfield on the status panel of the GlobalProtect app. Because the user will not be able to specify the portal to which to connect, you must supply the default portal address in the Windows Registry(HKEY_LOCAL_MACHINE\SOFTWARE\PaloAlto Networks\GlobalProtect\PanSetupwith keyPortal) or the macOS plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plistwith keyPortalunder dictionaryPanSetup). For more information, see Deploy App Settings Transparently.
- To prevent users from dismissing the welcome page, setAllow User to Dismiss Welcome PagetoNo. When this option is set toYes, the user can dismiss the welcome page and prevent GlobalProtect from displaying the page after subsequent logins.
- Specify whether users can disable the GlobalProtect app.TheAllow User to Disable GlobalProtectoption applies to agent configurations with theUser-Logon (Always On)Connect Method. In user-logon mode, the app automatically connects as soon as the user logs in to the endpoint. This mode is sometimes referred to as “always on”, which is why the user must override this behavior to disable the GlobalProtect app.By default, this option is set toAllow, which permits users to disable GlobalProtect without providing a comment, passcode, or ticket number.If the GlobalProtect system tray icon is not visible, users cannot disable the GlobalProtect app. See step 5 for more details.
- To prevent users with the user-logon connect method from disabling GlobalProtect, setAllow User to Disable GlobalProtecttoDisallow.
- To allow users to disable GlobalProtect only if they provide a passcode, setAllow User to Disable GlobalProtecttoAllow with Passcode. Then, in the Disable GlobalProtect App area, enter (and confirm) thePasscodethat the end users must supply.
- To allow users to disable GlobalProtect only if they provide a ticket, setAllow User to Disable GlobalProtecttoAllow with Ticket. With this option, the disable action triggers the app to generate a Request Number, which the end user must communicate to the administrator. The administrator then clicksGenerate Ticketon thepage and enters the request number from the user to generate the ticket. The administrator provides the ticket to the end user, who enters it into the Disable GlobalProtect dialog to disable the app.NetworkGlobalProtectPortals
- To limit the number of times users can disable the GlobalProtect app, specify theMax Times User Can Disablevalue in the Disable GlobalProtect App area. A value of 0 (default) indicates that users are not limited in the number of times they can disable the app.This setting is applicable only with theAllow,Allow with Comment, andAllow with Passcodedisable options.If your users disable the GlobalProtect app the maximum number of times and must continue to have the ability to disable the app thereafter:
- You can increase theMax Times User Can Disablevalue in the GlobalProtect portal agent configuration (). The user must then selectNetworkGlobalProtectPortals<portal-config>Agent<agent-config>AppRefresh Connectionfrom the settings menu of the GlobalProtect status panel or establish a new GlobalProtect connection in order for the new value to take effect.
- Users can reset the counter by reinstalling the app.
- To restrict the amount of time for which the app can be disabled, enter aDisable Timeout (min)value in the Disable GlobalProtect App area. A value of 0 (default) indicates that there is no restriction for how long the user can keep the app disabled.This setting is applicable only with theAllow,Allow with Comment, andAllow with Passcodedisable options.
- Configure the certificate settings and behavior for the users that receive this configuration.In the App Configurations area, configure any of the following options:
- Client Certificate Store Lookup—Select which store the app should use to look up client certificates.Usercertificates are stored in the Current User certificate store on Windows and in the Personal Keychain on macOS.Machinecertificates are stored in the Local Computer certificate store on Windows and in the System Keychain on macOS. By default, the app looks forUser and machinecertificates in both places.
- SCEP Certificate Renewal Period (days)—With SCEP, the portal can request a new client certificate before the certificate expires. This time before the certificate expires is the optional SCEP certificate renewal period. During a configurable number of days before a client certificate expires, the portal can request a new certificate from the SCEP server in your enterprise PKI (range is 0-30; default is 7). A value of 0 means the portal does not automatically renew the client certificate when it refreshes the agent configuration.For the GlobalProtect app to obtain the new certificate during the renewal period, the user must log in to the app. For example, if a client certificate has a lifespan of 90 days, the certificate renewal period is 7 days, and the user logs in during the final 7 days of the certificate lifespan, the portal acquires a new certificate and deploys it along with a fresh agent configuration. For more information, see Deploy User-Specific Client Certificates for Authentication.
- Extended Key Usage OID for Client Certificate(Windows and macOS endpoints only)—Use this option only if you enabled client authentication, expect multiple client certificates to be present on the endpoint, and have identified a secondary purpose by which you can filter the client certificates. This option enables you to specify a secondary purpose for a client certificate using the associated object identifier (OID). For example, to display only client certificates that also have a purpose of Server Authentication, enter the OID 188.8.131.52.184.108.40.206.1. When the GlobalProtect app finds only one client certificate that matches the secondary purpose, GlobalProtect automatically selects and authenticates using that certificate. Otherwise, GlobalProtect prompts the user to select the client certificate from the list of filtered client certificates that match the criteria. For more information, including a list of common certificate purposes and OIDs, see the PAN-OS 7.1 New Features Guide.
- If you do not want the app to establish a connection with the portal when the portal certificate is not valid, setAllow User to Continue with Invalid Portal Server CertificatetoNo. Keep in mind that the portal provides the agent configuration only; it does not provide network access. Therefore, security to the portal is less critical than security to the gateway. However, if you have deployed a trusted server certificate for the portal, disabling this option can help prevent man-in-the-middle (MITM) attacks.
- Specify whether users receive login prompts when multi-factor authentication is required to access sensitive network resources.For internal gateway connections, sensitive network resources (such as financial applications or software development applications) may require additional authentication. You can Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications that are required to access these resources.In the App Configurations area, configure any of the following options:
- SetEnable Inbound Authentication Prompts from MFA GatewaystoYes. To support multi-factor authentication (MFA), the GlobalProtect app must receive and acknowledge UDP prompts that are inbound from the gateway. SelectYesto enable GlobalProtect apps to receive and acknowledge the prompt. By default, the value is set toNo, meaning GlobalProtect will block UDP prompts from the gateway.
- Specify theNetwork Port for Inbound Authentication Prompts (UDP)that the GlobalProtect app uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number from 1 to 65535.
- Specify theTrusted MFA Gatewaysthat the GlobalProtect app can trust for multi-factor authentication. When a GlobalProtect app receives a UDP message on the specified network port, GlobalProtect displays an authentication message only if the UDP prompt comes from a trusted gateway.
- Configure theInbound Authentication Message(for example,You have attempted to access a protectedresource that requires additional authentication. Proceed to authenticateat). When users attempt to access a resource that requires additional authentication, GlobalProtect receives and displays an inbound authentication message. GlobalProtect automatically appends the URL for the Authentication Portal page that you specify when you configure mul