Features Introduced in GlobalProtect Cloud Service

The following table describes the new features introduced in the Cloud Services plugin version 1.3.1.
This release has changes to default behavior for mobile users regional IP pools when you upgrade that might affect your deployment. See Changes to Default Behavior for a list of the changes.
Feature
Description
Region Selection
When you onboard mobile users, this release includes the ability to specify one or more locations in a region in order to exclude deployment in all regions. This feature provide more granular control over deployed regions and allows you to exclude regions as required by your policy or industry regulations. You select the locations in the region from locations on a map during the onboarding process.
This release changes the method of onboarding mobile users, because you now must select one or more locations. See Changes to Default Behavior for details.
Reduced IP Address Pool Requirement for Mobile Users
You can now specify a minimum IP address pool of a /23 subnet (512 addresses) for a single region when you onboard mobile users. The lowered IP pool requirement is useful in proof of concept or evaluation situations when you don’t have a large available block of private IP addresses. After you onboard a single region, you can then onboard additional regions in stages and add more IP address pools for those regions.
Pre-defined IPSec Tunnel Configurations
GlobalProtect cloud service includes pre-defined IPSec tunnel profiles for some common third-party IPSec and SD-WAN devices. These profiles expedite and simplify the onboarding of service connections and remote network connections that use one of these devices to terminate the connection.
Clientless VPN Portal
This GlobalProtect cloud service release supports Clientless VPN.
Clientless VPN Reverse Proxy for SaaS Security
GlobalProtect cloud service allows you to control unsanctioned and employee-owned device access to your network and redirect device traffic to GlobalProtect cloud service for inspection without putting your network or data at risk. Unsanctioned device access control utilizes SAML redirection by proxy instead of directly exposing the SaaS app on your network, removing all possible vulnerabilities to data exfiltration and malware propagation.
New location Paris Available for Mobile Users, Remote Networks, and Service Connections
An additional location, Europe (Paris), is added to the list of available locations.
Existing deployments with all gateways specified do not have this region added automatically; to add it, select PanoramaCloud ServicesConfigurationMobile UsersConfigureLocations and select the Paris location in the map that displays.
Additional Bandwidth Choices for Remote Networks
To better accommodate larger networks, additional remote network bandwidth choices of 500 Mbps or 1000 Mbps (1000 Mbps) is added. All existing remote network bandwidth choices are retained.
This feature is being deployed in Preview Mode for 1.3.1. We will deliver up to 500 Mbps or 1000 Mbps of throughput on a best-effort basis during the preview. The actual performance will vary depending upon the traffic mix.
Support for Overlapping Subnet - Internet Outbound
You can deploy remote network locations with overlapping subnets in the same region (for example, for a guest network at a retail store) for internet outbound only. Prior to this release, you had to specify separate regions for any remote networks that have overlapping subnets.
Configuring remote networks with overlapping subnets changes the behavior of the remote network; see Remote Network Locations with Overlapping Subnets in the GlobalProtect Cloud Service Administrator’s Guide for details. Other remote networks in your deployment without overlapping subnets are not affected.

Related Documentation