Configure a GlobalProtect Gateway

Configure a GlobalProtect gateway to enforce security policies and provide VPN access for your users.
After you complete the prerequisite tasks, configure the GlobalProtect Gateways.
  1. Add a gateway.
    1. Add
      a new gateway (
      Network
      GlobalProtect
      Gateways
      ).
    2. Name
      the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
    3. (
      Optional
      ) Select the virtual system
      Location
      to which this gateway belongs.
  2. Specify the network information that enables endpoints to connect to the gateway.
    If it does not already exist, create the network interface for the gateway.
    Do not attach an interface management profile that allows HTTP, HTTPS, Telnet, or SSH to the interface where you configure; doing so enables access to your management interface from the internet. Follow Best Practices for Securing Administrative Access to ensure that you are securing administrative access to your firewalls in a way that will prevent successful attacks.
    1. Select the
      Interface
      for the endpoints to use when communicating with the gateway.
    2. Specify the
      IP Address Type
      and
      IP Address
      for the gateway web service:
      • Set the
        IP Address Type
        to
        IPv4 Only
        ,
        IPv6 Only
        , or
        IPv4 and IPv6.
        Use
        IPv4 and IPv6
        if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.
      • The IP address must be compatible with the IP address type. For example,
        172.16.1.0
        for IPv4 addresses or
        21DA:D3:0::2F3b
        for IPv6 addresses. For dual stack configurations, enter both an IPv4 and IPv6 address.
  3. Specify how the gateway authenticates users.
    If an SSL/TLS service profile for the gateway does not already exist, Deploy Server Certificates to the GlobalProtect Components.
    If authentication profiles or certificate profiles do not already exist, use the authentication setup task to configure these profiles for the gateway.
    Configure any of the following gateway
    Authentication
    settings (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Authentication
    ):
    • To secure communication between the gateway and the GlobalProtect app, select the
      SSL/TLS Service Profile
      for the gateway.
      To provide the strongest security, set the
      Min Version
      of the SSL/TLS service profile to
      TLSv1.2
      .
    • To authenticate users with a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, or RADIUS (including OTP),
      Add
      a
      Client Authentication
      configuration with the following settings:
      • Specify a
        Name
        to identify the client authentication configuration.
      • Identify the type of
        OS
        (operating system) to which this configuration applies. By default, the configuration applies to
        Any
        operating system.
      • Select or add an
        Authentication Profile
        to authenticate endpoints seeking access to the gateway.
      • Enter a custom
        Username Label
        for gateway login (for example,
        Email Address (username@domain)
        .
      • Enter a custom
        Password Label
        for gateway login (for example,
        Passcode
        for two-factor, token-based authentication).
      • Enter an
        Authentication Message
        to help end-users understand which credentials to use during login. The message can be up to 256 characters in length (default is
        Enter login credentials
        ).
      • Select one of the following options to define whether users can authenticate to the gateway using credentials and/or client certificates:
        • To require users to authenticate to the gateway using both user credentials AND a client certificate, set the
          Allow Authentication with User Credentials OR Client Certificate
          option to
          No (User Credentials AND Client Certificate Required)
          (default).
        • To allow users to authenticate to the gateway using either user credentials OR a client certificate, set the
          Allow Authentication with User Credentials OR Client Certificate
          option to
          Yes (User Credentials OR Client Certificate Required)
          .
          When you set this option to
          Yes
          , the gateway first checks the endpoint for a client certificate. If the endpoint does not have a client certificate or you do not configure a certificate profile for your client authentication configuration, the endpoint user can then authenticate to the gateway using his or her user credentials.
    • To authenticate users based on a client certificate or a smart card/CAC, select the corresponding
      Certificate Profile
      . You must pre-deploy the client certificate or Deploy User-Specific Client Certificates for Authentication using the Simple Certificate Enrollment Protocol (SCEP).
      • If you want to require users to authenticate to the gateway using both their user credentials and a client certificate, you must specify both a
        Certificate Profile
        and an authentication profile
      • If you want to allow users to authenticate to the gateway using either their user credentials or a client certificate and you specify an
        Authentication Profile
        for user authentication, then the
        Certificate Profile
        is optional.
      • If you want to allow users to authenticate to the gateway using either their user credentials or a client certificate and you don’t select an
        Authentication Profile
        for user authentication, then the
        Certificate Profile
        is required.
      • If you do not configure any
        Authentication Profile
        that matches a specific OS, then the
        Certificate Profile
        is required.
      If you allow users to authenticate to the gateway using either user credentials or a client certificate, do not select a
      Certificate Profile
      that has the
      Username Field
      configured as
      None
      .
    • To use two-factor authentication, select both an
      Authentication Profile
      and a
      Certificate Profile
      . This requires the user to authenticate successfully using both methods to gain access.
      (
      Chrome only
      ) If you configure the gateway to use client certificates and LDAP for two-factor authentication, Chromebooks that run Chrome OS 47 or later versions encounter excessive prompts to select the client certificate. To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and then deploy that policy to your managed Chromebooks:
      1. Log in to the Google Admin console and select
        Device management
        Chrome management
        User settings
        .
      2. In the Client Certificates section, enter the following URL pattern to
        Automatically Select Client Certificate for These Sites
        :
        {"pattern": "https://[*.]","filter":{}}
      3. Click
        Save
        . The Google Admin console deploys the policy to all devices within a few minutes.
  4. Enable tunneling and then configure the tunnel parameters.
    Tunnel parameters are required for an external gateway; they are optional for an internal gateway.
    To force the use of SSL-VPN tunnel mode, disable (clear) the
    Enable IPSec
    option. By default, SSL-VPN is used only if the endpoint fails to establish an IPSec tunnel.
    Extended authentication (X-Auth) is supported only on IPSec tunnels.
    If you
    Enable X-Auth Support
    , GlobalProtect IPSec Crypto profiles are not used.
    For more information on supported cryptographic algorithms, refer to GlobalProtect App Cryptographic Functions.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Tunnel Settings
      .
    2. Enable
      Tunnel Mode
      to enable split tunneling.
    3. Select the
      Tunnel Interface
      that you defined when you created the network interface for the gateway.
    4. (
      Optional
      ) Specify the maximum number of users (
      Max User
      ) that can access the gateway at the same time for authentication, HIP updates, and GlobalProtect app updates. The range of values is displayed when the field is empty and varies based on the platform.
    5. Enable IPSec
      and then select a
      GlobalProtect IPSec Crypto
      profile to secure the VPN tunnels between the GlobalProtect app and the gateway. The
      default
      profile uses AES-128-CBC encryption and sha1 authentication.
      You can also create a
      New GlobalProtect IPSec Crypto
      profile (
      GlobalProtect IPSec Crypto
      drop-down) and then configure the following settings:
      1. Specify a
        Name
        to identify the profile.
      2. Add
        the
        Authentication
        and
        Encryption
        algorithms that VPN peers can use to negotiate the keys for securing data in the tunnel:
        • Encryption
          —If you don’t know what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most-to-least secure, as follows:
          aes-256-gcm
          ,
          aes-128-gcm
          ,
          aes-128-cbc
          . The peers will negotiate the strongest algorithm to establish the tunnel.
        • Authentication
          —Select the authentication algorithm (
          sha1
          ) to provide data integrity and authenticity protection. Although the authentication algorithm is required for the profile, this setting only to the AES-CBC cipher (
          aes-128-cbc
          ). If you use an AES-GCM encryption algorithm (
          aes-256-gcm
          or
          aes-128-gcm
          ), the setting is ignored because these ciphers provide native ESP integrity protection.
      3. Click
        OK
        to save the profile.
    6. (
      Optional
      )
      Enable X-Auth Support
      if any endpoint must connect to the gateway using a third-party VPN (for example, a VPNC client running on Linux). If you enable X-Auth, you must provide the
      Group
      name and
      Group Password
      (if the endpoint requires it). By default, the user is not required to re-authenticate if the key that establishes the IPSec tunnel expires. To require users to re-authenticate, disable the option to
      Skip Auth on IKE Rekey
      .
      To
      Enable X-Auth Support
      for strongSwan endpoints, you must also disable the option to
      Skip Auth on IKE Rekey
      because these endpoints require re-authentication during IKE SA negotiation. In addition, you must add the
      closeaction=restart
      setting to the
      conn %default
      section of the strongSwan IPSec configuration file. (See Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints for more information on the StrongSwan IPSec configuration.)
      Although X-Auth access is supported on iOS and Android endpoints, it provides limited GlobalProtect functionality on these endpoints. Instead, use the GlobalProtect app for simplified access to all security features that GlobalProtect provides on iOS and Android endpoints. The GlobalProtect app for iOS is available in the Apple App Store. The GlobalProtect app for Android is available in Google Play.
  5. (
    Tunnel Mode Only
    ) Specify selection criteria for your client settings configurations.
    The gateway uses the selection criteria to determine which configuration to deliver to the GlobalProtect apps that connect. If you have multiple configurations, you must make sure to order them correctly. As soon as the gateway finds a match (based on the
    Source User
    ,
    OS
    , and
    Source Address
    ), it delivers the associated configuration to the user. Therefore, more specific configurations must precede more general ones. See step 13 for instructions on ordering the list of configurations for client settings.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client Settings
      .
    2. Select an existing client settings configuration or
      Add
      a new one.
    3. Configure the following
      Config Selection Criteria
      :
      • To deploy this configuration to specific users or user groups,
        Add
        the
        Source User
        (or user group). To deploy this configuration only to users with apps in pre-logon mode, select
        pre-logon
        from the
        Source User
        drop-down; to deploy this configuration to all users, select
        any
        .
        To deploy the configuration to specific groups, you must first map users to groups as described when you Enable Group Mapping.
      • To deploy this configuration based on the endpoint operating system,
        Add
        an
        OS
        (such as Android or Chrome). To deploy this configuration to all operating systems, select
        Any
        .
      • To deploy this configuration based on user location,
        Add
        a source
        Region
        or
        IP address
        (IPv4 and IPv6). To deploy this configuration to all user locations, do not specify the
        Region
        or
        IP Address
        .
    4. Click
      OK
      to save your configuration selection criteria.
  6. (
    Tunnel Mode Only
    ) Configure authentication override settings to enable the gateway to generate and accept secure, encrypted cookies for user authentication. This capability allows the user to provide login credentials only once during the specified period of time (for example, every 24 hours).
    By default, gateways authenticate users with an authentication profile and optional certificate profile. When authentication override is enabled, GlobalProtect caches the result of a successful login and uses the cookie to authenticate the user instead of prompting the user for credentials. For more information, see Cookie Authentication on the Portal or Gateway. If client certificates are required, the endpoint must also provide a valid certificate to gain access.
    If you must immediately block access to a device whose cookie has not expired (for example, if the device is lost or stolen), you can immediately Block Endpoint Access by adding the device to a block list.
    1. On the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client Settings
      .
    2. Select an existing client settings configuration or
      Add
      a new one.
    3. Configure the following
      Authentication Override
      settings:
      • Name
        —Identifies the configuration.
      • Generate cookie for authentication override
        —Enables the gateway to generate encrypted, endpoint-specific cookies and issue authentication cookies to the endpoint.
      • Accept cookie for authentication override
        —Enables the gateway to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, the gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
        The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to the portal or gateway for user authentication.
        (
        Windows only
        ) If you set the Use Single Sign-On option to
        Yes
        (SSO is enabled) in the portal agent configuration (
        Network
        GlobalProtect
        Portals
        <portal-config>
        Agent
        <agent-config>.
        App
        ), the GlobalProtect app uses the Windows username to retrieve the local authentication cookie for the user. If you set the
        Use Single Sign-On
        option to
        No
        (SSO is disabled), you must enable the GlobalProtect app to Save User Credentials in order for the app to retrieve the authentication cookie for the user. Set the
        Save User Credentials
        option to
        Yes
        to save both the username and password or
        Save Username Only
        to save only the username.
        (
        Mac only
        ) Because Mac endpoints do not support single sign-on, you must enable the GlobalProtect app to
        Save User Credentials
        in order for the app to retrieve the authentication cookie for the user. Set the
        Save User Credentials
        option to
        Yes
        to save both the username and password or
        Save Username Only
        to save only the username.
      • Cookie Lifetime
        —Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1 to 72; for weeks is 1 to 52; and for days is 1 to 365. After the cookie expires, the user must re-enter their login credentials and then the gateway subsequently encrypts a new cookie to send to the app. This value can be the same as or different from the
        Cookie Lifetime
        that you configure for the portal.
      • Certificate to Encrypt/Decrypt Cookie
        —Selects the RSA certificate used to encrypt and decrypt the cookie. You must use the same certificate on the portal and gateway.
        As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
        The portal and gateway use the RSA encrypt padding scheme PKCS#1 V1.5 to generate the cookie (using the public certificate key) and to decrypt the cookie (using the private certificate key).
  7. (
    Tunnel Mode only
    Optional
    ) Configure client level IP pools used to assign IPv4 or IPv6 addresses to the virtual network adapters on the endpoints that connect to the gateway.
    You must only either the client level (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    GlobalProtect Gateway Configuration
    Agent
    Client Settings
    <client-setting>
    Configs
    IP Pools
    ) or the gateway level (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    GlobalProtect Gateway Configuration
    Agent
    Client IP Pool
    ).
    IP pools and split tunnel settings are not required for internal gateway configurations in non-tunnel mode because apps use the network settings assigned to the physical network adapter.
    Using address objects when configuring gateway IP address pools is not supported.
    1. On the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client Settings
      .
    2. Select an existing client settings configuration or
      Add
      a new one.
    3. Configure any of the following
      IP Pools
      settings:
      • To specify the authentication server IP address pool for endpoints that require static IP addresses, enable the option to
        Retrieve Framed-IP-Address attribute from authentication server
        and then
        Add
        the subnet or IP address range to the
        Authentication Server IP Pool
        . When the tunnel is established, an interface is created on the remote user’s computer with an address in the subnet or IP range that matches the Framed-IP attribute of the authentication server.
        The authentication server IP address pool must be large enough to support all concurrent connections. IP address assignment is static and retained even after the user disconnects.
      • To specify the
        IP Pool
        used to assign IPv4 or IPv6 addresses to the endpoints that connect to the gateway,
        Add
        the IP address subnet/range. You can add IPv4 or IPv6 subnets or ranges, or a combination of the two.
        To ensure proper routing back to the gateway, you must use a different range of IP addresses from those assigned to existing IP pools on the gateway (if applicable) and to the endpoints that are physically connected to your LAN. We recommend that you use a private IP addressing scheme.
    4. Click
      OK
      to save the IP pool configuration.
  8. (
    Tunnel Mode only
    Optional
    ) Disable split tunneling to ensure that all traffic (including local subnet traffic) goes through the VPN tunnel for inspection and policy enforcement.
    Local routes take precedence over routes sent from the gateway. When you enable split tunneling, users can reach proxies and local resources (such as local printers) directly without sending any local subnet traffic through the VPN tunnel. By disabling the split tunnel, you can force all traffic to go through the VPN tunnel for inspection and policy enforcement whenever users are connected to GlobalProtect.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client Settings
      .
    2. Select an existing client settings configuration or
      Add
      a new one.
    3. Select
      Split Tunnel
      Access Route
      and then enable the
      No direct access to local network
      option. If you enable this option, split tunneling is disabled and users cannot send traffic directly to proxies or local resources while connected to GlobalProtect.
      Consider the following IPv4 and IPv6 traffic behavior based on whether you enable or disable the
      No direct access to local network
      option:
      IPv4 Traffic Behavior
      IPv4 Traffic to Local Subnet
      No Direct Access to Local Network is Enabled
      No Direct Access to Local Network is Disabled
      Before the tunnel is established
      After the tunnel is established
      Before the tunnel is established
      After the tunnel is established
      New Incoming Traffic
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is sent through the VPN tunnel.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      New Outgoing Traffic
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is sent through the VPN tunnel.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      Existing Traffic
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is terminated.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      IPv6 Traffic Behavior
      IPv6 Traffic to Local Subnet
      No Direct Access to Local Network is Enabled
      No Direct Access to Local Network is Disabled
      Before the tunnel is established
      After the tunnel is established
      Before the tunnel is established
      After the tunnel is established
      New Incoming Traffic
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      New Outgoing Traffic
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      Existing Traffic
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
      Traffic is allowed on the local subnet through the physical adapter.
  9. (
    Tunnel Mode only
    Optional
    ) Configure split tunnel settings based on the access route. These settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway.
    When configuring access routes, keep the following in mind:
    • More specific access routes take precedence over less specific routes.
    • Avoid specifying the same access route as both an include and an exclude access route; doing so results in a misconfiguration.
    To route only some traffic—likely traffic destined for your LAN—to GlobalProtect, specify the destination subnets or address object (of type
    IP Netmask
    ) that must be included or excluded from the tunnel. In this case, traffic that is not destined for a specified access route will be routed through the physical adapter on the endpoint instead of through the virtual adapter (the tunnel).
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client Settings
      .
    2. Select an existing client settings configuration or
      Add
      a new one.
    3. Configure any of the following access route-based
      Split Tunnel
      settings (
      Split Tunnel
      Access Route
      ):
      • To define which destination subnets are routed through the tunnel, enter the following routes under the
        Access Route
        tab:
        • (
          Optional
          ) In the
          Includes
          section,
          Add
          the destination subnets or address object (of type IP Netmask) to route only certain traffic—likely traffic destined for your LAN—to GlobalProtect. These are the routes that the gateway pushes to the remote users’ endpoints to specify what traffic the users’ endpoints can send through the VPN connection. You can include IPv6 or IPv4 subnets.
          The number of access routes the firewall supports varies by PAN-OS release version:
          • PAN-OS 8.0.0 and PAN-OS 8.0.1—Up to 100 include access routes unless combined with GlobalProtect app 4.0.2 or a later release—then up to 200 include access routes.
          • PAN-OS 8.0.2 and later releases—Up to 100 include access routes unless combined with GlobalProtect app 4.0.2 or later releases—then up to 1,000 include access routes.
        • (
          Optional
          ) In the
          Excludes
          section,
          Add
          the destination subnets or address object (of type IP Netmask) that you want the app to exclude. These routes are sent through the phys8ical adapter on the endpoint instead of through the virtual adapter (the tunnel). Excluded routes should be more specific than the included routes; otherwise, you may exclude more traffic than intended. You can exclude IPv6 or IPv4 subnets. The firewall supports up to 100 exclude access routes unless combined with GlobalProtect app 4.0 and later releases—then up to 200 exclude access routes.
    4. Click
      OK
      to save the split tunnel configuration.
    Excluding routes is not supported on Android. Only IPv4 routes are supported on Chrome.
  10. (
    Tunnel Mode only
    Optional
    ) Configure split tunnel settings based on the destination domain. These settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway.
    This feature is supported only on Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases.
    When you configure a split tunnel based on the destination domain, all traffic going to that specific domain and port (optional) is either sent through the tunnel for inspection and policy enforcement or sent directly to the physical adapter on the endpoint without inspection. This option enables you to configure a split tunnel for an entire domain without specifying a destination IP address subnet, which extends split tunnel capability to domains and applications with dynamic public IP addresses, such as SaaS and public cloud applications.
    Both IPv4 and IPv6 traffic is supported.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client Settings
      .
    2. Select an existing client settings configuration or
      Add
      a new one.
    3. (
      Optional
      )
      Add
      the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the destination domain and port (
      Split Tunnel
      Domain and Application
      Include Domain
      ). You can add up to 200 entries to the list. For example, add
      *.office365.com
      to allow all Office 365 traffic to go through the VPN tunnel.
    4. (
      Optional
      )
      Add
      the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the destination domain and port (
      Split Tunnel
      Domain and Application
      Exclude Domain
      ). You can add up to 200 entries to the list. For example, add
      *.engadget.com
      to exclude all Engadget traffic from the VPN tunnel.
    5. Click
      OK
      to save the split tunnel settings.
  11. (
    Tunnel Mode only
    Optional
    ) Configure split tunnel settings based on the application process name. These settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway.
    This feature is supported only on Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases.
    When you configure a split tunnel based on the application process name, all traffic for that application is either sent through the tunnel for inspection and policy enforcement or sent directly to the physical adapter on the endpoint without inspection. This option enables you to configure a split tunnel without specifying a destination IP address subnet, which extends split tunnel capability to applications with dynamic public IP addresses, such as SaaS and public cloud applications.
    Both IPv4 and IPv6 traffic is supported.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client Settings
      .
    2. Select an existing client settings configuration or
      Add
      a new one.
    3. (
      Optional
      )
      Add
      the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the application process name (
      Split Tunnel
      Domain and Application
      Include Client Application Process Name
      . You can add up to 200 entries to the list. For example, add
      /Application/Safari.app/Contents/MacOS/Safari
      to allow all Safari-based traffic to go through the VPN tunnel on macOS endpoints.
    4. (
      Optional
      )
      Add
      the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name (
      Split Tunnel
      Domain and Application
      Exclude Client Application Process Name
      ). You can add up to 200 entries to the list. For example, add
      /Applications/Microsoft Lync.app/Contents/MacOS/Microsoft Lync
      to exclude all Microsoft Lync application traffic from the VPN tunnel.
    5. Click
      OK
      to save the split tunnel settings.
  12. (
    Tunnel Mode only
    Optional
    ) Configure DNS settings for a client settings configuration.
    If you configure at least one DNS server or DNS suffix in the client settings configuration (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Agent
    Client Settings
    <client-settings-config>
    Network Services
    ), the gateway sends the configuration for both the DNS server and DNS suffix to the endpoint. This occurs even when you configure global (gateway level) DNS servers and DNS suffixes.
    If you do not configure any DNS servers or DNS suffixes in the client settings configuration, the gateway sends the global DNS servers and DNS suffixes to the endpoint, if configured (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Agent
    Network Services
    ).
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client Settings
      .
    2. Select an existing client settings configuration or
      Add
      a new one.
    3. Configure any of the following
      Network Services
      settings:
      • Specify the IP address of the
        DNS Server
        to which the GlobalProtect app with this client settings configuration sends DNS queries. You can add up to 10 DNS servers by separating each IP address with a comma.
      • Specify the
        DNS Suffix
        that the endpoint should use locally when encountering an unqualified hostname, which the endpoint cannot resolve.
  13. (
    Tunnel Mode Only
    ) Arrange the gateway agent configurations so that the proper configuration is deployed to each GlobalProtect app.
    When an app connects, the gateway compares the source information in the packet against the agent configurations you defined (
    Agent
    Client Settings
    ). As with security rule evaluation, the gateway looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
    • To move a gateway configuration up in the list of configurations, select the configuration and
      Move Up
      .
    • To move a gateway configuration down in the list of configurations, select the configuration and
      Move Down
      .
  14. (
    Tunnel Mode Only
    Optional
    ) Configure the global IP address pools used to assign IPv4 or IPv6 addresses to the virtual network adapters on all endpoints that connect to the gateway.
    This option enables you to simplify the configuration by defining IP pools at the gateway level instead of defining IP pools for each client setting in the gateway configuration.
    You must configure IP pools only at either the gateway level (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Agent
    Client IP Pool
    ) or the client level (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Agent
    Client Settings
    <client-setting>
    IP Pools
    ).
    Using address objects when configuring gateway IP address pools is not supported.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Client IP Pool
      .
    2. Add
      the IP address subnet or range used to assign IPv4 or IPv6 addresses to all endpoints that connect to the gateway. You can add IPv4 or IPv6 subnets or ranges, or a combination of the two.
      To ensure proper routing back to the gateway, you must use a different range of IP addresses from those assigned to existing IP pools on the gateway (if applicable) and to the endpoints that are physically connected to your LAN. We recommend that you use a private IP addressing scheme.
  15. (
    Tunnel Mode Only
    ) Specify the network configuration settings for the endpoint.
    Network settings are not required for internal gateway configurations in non-tunnel mode because the GlobalProtect app uses the network settings assigned to the physical network adapter.
    In the GlobalProtect Gateway Configuration dialog, select
    Agent
    Network Services
    and then configure any of the following network configuration settings:
    • If the firewall has an interface that is configured as a DHCP client, set the
      Inheritance Source
      to that interface so the GlobalProtect app is assigned the same settings as the DHCP client. You can also enable the option to
      Inherit DNS Suffixes
      from the inheritance source.
    • Manually assign the
      Primary DNS
      server,
      Secondary DNS
      server,
      Primary WINS
      server,
      Secondary WINS
      server, and
      DNS Suffix
      . You can enter multiple DNS suffixes (up to 100) by separating each suffix with a comma.
      The
      DNS Suffix
      cannot contain any non-ASCII characters.
  16. (
    Optional
    ) Modify the default timeout settings for endpoints.
    In the GlobalProtect Gateway Configuration dialog, select
    Agent
    Connection Settings
    and then configure the following in the Timeout Configuration area:
    • Modify the maximum
      Login Lifetime
      for a single gateway login session (default is 30 days). During the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the
      Inactivity Logout
      period. After this time, the login session ends automatically.
    • Modify the
      Inactivity Logout
      period to specify the amount of time after which an inactive session is automatically logged out (default is 3 hours). Users are logged out of GlobalProtect if the gateway does not receive a HIP check from the endpoint during the configured time period.
    • Modify the
      Disconnect on Idle
      setting to specify the number of minutes after which idle users are logged out of GlobalProtect (default is 180 minutes). Users are logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel within the configured time period. This setting applies only to GlobalProtect apps that use the On-Demand connect method.
  17. (
    Optional
    ) Configure automatic restoration of SSL VPN tunnels.
    If the GlobalProtect connection is lost due to network instability or a change in the endpoint state, you can allow or prevent the GlobalProtect app from automatically reestablishing the VPN tunnel for specific gateways by configuring automatic restoration of SSL VPN tunnels.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Connection Settings
      .
    2. Configure one of the following options for Authentication Cookie Usage Restrictions:
      • To prevent the GlobalProtect app from automatically reestablishing the VPN tunnel for this gateway,
        Disable Automatic Restoration of SSL VPN
        .
      • To allow the GlobalProtect app to automatically reestablish the VPN tunnel for this gateway, disable (clear) the option to
        Disable Automatic Restoration of SSL VPN
        (default).
  18. (
    Optional
    ) Configure source IP address enforcement for authentication cookies.
    You can configure the GlobalProtect portal or gateway to accept cookies from endpoints only when the IP address of the endpoint matches the original source IP addresses for which the cookie was issued or when the IP address of the endpoint matches a specific network IP address range. You can define the network IP address range using a CIDR subnet mask, such as /24 or /32. For example, if an authentication cookie was originally issued to an endpoint with a public source IP address of 201.109.11.10, and the subnet mask of the network IP address range is set to /24, the authentication cookie is subsequently valid on endpoints with public source IP addresses within the 201.109.11.0/24 network IP address range.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Connection Settings
      .
    2. In the Authentication Cookie Usage Restrictions section,
      Restrict Authentication Cookie Usage (for Automatic Restoration of VPN tunnel or Authentication Override)
      and then configure one of the following conditions:
      • If you select
        The original Source IP for which the authentication cookie was issued
        , the authentication cookie is valid only if the public source IP address of the endpoint that is attempting to use the cookie is the same public source IP address of the endpoint to which the cookie was originally issued.
      • If you select
        The original Source IP network range
        , the authentication cookie is valid only if the public source IP address of the endpoint attempting to use the cookie is within the designated network IP address range. Enter a
        Source IPv4 Netmask
        or
        Source IPv6 Netmask
        to define the subnet mask of the network IP address range for which the authentication cookie is valid (for example,
        32
        or
        128
        ).
  19. (
    Tunnel Mode Only
    ) Exclude HTTP/HTTPS video streaming traffic from the VPN tunnel.
    This feature is supported only on Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases.
    By excluding lower risk video streaming traffic (such as YouTube and Netflix) from the VPN tunnel, you can decrease bandwidth consumption on the gateway.
    All video traffic types are redirected for the following video-streaming applications:
    • YoutTube
    • Dailymotion
    • Netflix
    If you exclude any other video-streaming applications from the VPN tunnel, only the following video traffic types are redirected for those applications:
    • MP4
    • WebM
    • MPEG
    The App-ID functionality on the firewall identifies the video stream before traffic can be split tunneled.
    If the physical adapter on a Windows or macOS endpoint supports only IPv4 addresses, the endpoint user cannot access the video-streaming applications that you exclude from the VPN tunnel when you configure the GlobalProtect gateway to assign IPv6 addresses to the virtual network adapters on the endpoints that connect to the gateway. In this case, ensure that the IP pools used to assign IP addresses to the virtual network adapters on these endpoints do not include any IPv6 addresses (
    Network
    GlobalProtect
    Gateways
    Agent
    Client IP Pool
    or
    Client Settings
    IP Pools
    ).
    If you exclude video streaming traffic from the VPN tunnel (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Agent
    Video Traffic
    ), do not include web browser applications, such as Firefox or Chrome, in the VPN tunnel (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Agent
    Client Settings
    <client-setting>
    Split Tunnel
    Domain and Application
    ). This ensures that there is no conflicting logic in the split tunnel configuration and that your users can stream videos from web browsers.
    To exclude Sling TV app traffic from the VPN tunnel, use application-based split tunneling (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Agent
    Client Settings
    <client-setting-config>
    Split Tunnel
    Domain and Application
    Exclude Client Application Process Name
    ).
    1. In the GlobalProtect Gateway Configuration dialog, select
      Agent
      Video Traffic
      .
    2. Enable the option to
      Exclude video applications from the tunnel
      .
      If you enable this option but do not exclude specific video-streaming applications from the VPN tunnel, all video-streaming traffic is excluded.
    3. (
      Optional
      )
      Browse
      the
      Applications
      list to view all of the video-streaming applications that you can exclude from the VPN tunnel. Add (
      add_icon.png
      ) the applications that you want to exclude. For example, add
      directv
      to exclude DIRECTV video
    4. (
      Optional
      )
      Add
      the video-streaming applications you want to exclude from the VPN tunnel using the
      Applications
      drop-down—a shortened version of the
      Applications
      list. For example, select
      youtube-streaming
      to exclude all YouTube-based video streaming traffic from the VPN tunnel.
  20. (
    Optional
    ) Define the notification messages that end users see when a security rule with a host information profile (HIP) is enforced.
    This step applies only if you created host information profiles and added them to your security policies. See Host Information for details on configuring the HIP feature and information about creating HIP notification messages.
    1. On the GlobalProtect Gateway Configuration dialog, select
      Agent
      HIP Notification
      .
    2. Select an existing HIP notification configuration or
      Add
      a new one.
    3. Configure the following settings:
      • Select the
        Host Information
        object or profile to which this message applies.
      • Depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when the profile is not matched, select
        Match Message
        or
        Not Match Message
        and then
        Enable
        notifications. You can create messages for both a match and a non-match instance based on the objects on which you are matching and what your objectives are for the policy. For the
        Match Message
        , you can also enable the option to
        Include Mobile App List
        to indicate what applications can trigger the HIP match.
      • Select whether you want to display the message as a
        System Tray Balloon
        or as a
        Pop Up Message
        .
      • Enter and format the text of your message (
        Template
        ) and then click
        OK
        .
      • Repeat these steps for each message you want to define.
  21. Save the gateway configuration.
    1. Click
      OK
      to save the settings.
    2. Commit
      the changes.
  22. (
    Optional
    ) To configure the GlobalProtect app to display a label that identifies the location of this gateway when end users are connected, specify the physical location of the firewall on which you configured this gateway.
    When end users experience unusual behavior, such as poor network performance, they can provide this location information to their support or Help Desk professionals to assist with troubleshooting. They can also use this location information to determine their proximity to the gateway. Based on their proximity, they can evaluate whether they need to switch to a closer gateway.
    If you do not specify a gateway location, the GlobalProtect app displays an empty location field.
    • In the CLI
      —Use the following CLI command to specify the physical location of the firewall on which you configured the gateway:
      <username@hostname>
      set deviceconfig setting global-protect location
      <location>
    • In the XML API
      —Use the following XML API to specify the physical location of the firewall on which you configured the gateway:
      • devices
        —name of the firewall on which you configured the gateway
      • location
        —location of the firewall on which you configured the gateway
      curl -k -F file=@
      filename.txt
      -g 'https://
      <firewall>
      /api/?key=
      <apikey>
      &type=config&action=set&xpath=/config/devices/entry[@name='
      <device-name>
      ']/deviceconfig/setting/global-protect&element=<location>
      location-string
      </location>'

Related Documentation