GlobalProtect 6.3.3-h4 (6.3.3-c828) Windows and macOS Addressed Issues

Lists the issues addressed in GlobalProtect app 6.3.3-h4.
The following table lists the issues addressed in GlobalProtect app 6.3.3-h4 (6.3.3-c828) Windows and macOS.
Issue ID
Description
GPC-24332
Fixed an issue where users on trusted networks were incorrectly receiving a captive portal detection message and being redirected to a separate browser tab. This occurred because the GlobalProtect app was not properly handling the captive portal detection response.
GPC-24330
Fixed an issue where the GlobalProtect app got stuck in a connecting state when using GlobalProtect version 6.2.8-h4. The issue was seen when saml-logout and enforcer were enabled.
GPC-24235
Fixed an issue where, after upgrading to GlobalProtect agent 6.2.8 on macOS, users were unable to select a different portal. Clicking "Change Portal" would initiate a reconnection attempt instead of displaying the portal selection menu.
GPC-24166
Fixed an issue where GlobalProtect agents in proxy-only mode would intermittently get stuck in a connecting state after upgrading from version 6.2.8 to 6.3.3-676. The agent would become stuck in the "Discovering external network" phase, and restarting the GlobalProtect process would temporarily resolve the issue.
GPC-24086
Fixed an issue where, when Endpoint Traffic Policy Enforcement was enabled with "No Direct Access to Local Network" on GlobalProtect, Xcode running on macOS was unable to recognize iPhones connected via USB-C. This issue occurred because traffic enforcement blocked communication between Xcode and the iPhone.
GPC-24050
Fixed an issue where GlobalProtect clients prompted a window to select a certificate with the error "The parameter is incorrect" because the client certificate request originated from a portal or gateway Access Control Server (ACS) and was not required.
GPC-24048
Fixed an issue where GlobalProtect apps installed on Dell Vostro 15 3515 laptops were unable to connect to the GlobalProtect service with the following error: "Could not connect to the GlobalProtect service. If the issue persists, contact your administrator."
GPC-24036
Fixed an issue where the HIP check did not correctly detect the status of the ESET firewall on Windows hosts.
GPC-23990
Fixed an issue where the captive portal opened in the embedded browser, but when the user tried to connect to the internet, it redirected to the default browser and was blocked.
GPC-23913
Fixed an issue where the GlobalProtect app would become unresponsive when system extensions and a PAC file were enabled simultaneously.
GPC-23906
Fixed an issue where the GlobalProtect app displayed a "No Network Connectivity" error and failed to initiate a network connection, preventing access to applications.
GPC-23730
Fixed an issue where IPv6 traffic on Windows 11 24H2 did not work as expected with the GlobalProtect app.
GPC-23689
Fixed an issue where the GlobalProtect app running on macOS devices would get stuck in a connecting loop indefinitely if the user did not complete authentication, requiring manual cancellation of the connection.
GPC-23650
Fixed an issue where the GlobalProtect enforcer blocked network traffic on Windows endpoints even after the tunnel was successfully connected.
GPC-23549
Fixed an issue where the GlobalProtect (GP) agent briefly disconnected when a user logged on to Windows, even when the 'Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)' setting was set to -1, with the error "server cert verification failed".
GPC-23546
Fixed an issue where the SAML authentication window in the GlobalProtect client on macOS devices running version 6.2.6 or higher would sometimes display an incomplete or blank screen after the device woke up from sleep mode. This issue affects devices using the embedded browser for SAML authentication and with GlobalProtect set to always-on mode with enforcer enabled.
GPC-23525
Fixed an issue where on macOS Ventura and Sequoia, manually changing the portal address using the GlobalProtect app UI would fail and revert back to the last connected portal. This issue occurred even when "Allow User to Change Portal Address" was enabled in the agent configuration.
GPC-23466
Fixed an issue where, when the GlobalProtect app was installed on devices running Windows OS and macOS, the Captive Portal detection message briefly appeared and disappeared when the Captive Portal exception timeout was set to 0.
GPC-23336
Fixed an issue where agent disable logs were not being logged to Gateway System Logs on the firewall. The GlobalProtect agent reset the authentication code, which falsely indicated that the gateway was not fully authenticated, and the agent did not send the message.
GPC-22683
Fixed an issue where tool tips were not available for the Add, Edit, and Delete buttons on the GlobalProtect application's settings page on Windows devices.
GPC-22572
Fixed an issue where the hamburger menu button was disabled in the Refresh connection screen, which made it inaccessible when using a keyboard.
GPC-22522
Fixed an issue where, after upgrading the GlobalProtect app, external users on Windows 11 computers with multiple Azure Entra accounts were unable to authenticate to the portal using SAML with Azure Entra as the Identity Provider (IdP). The new WebView2 embedded browser automatically used the user's default Windows credential for Single Sign-On (SSO), preventing them from selecting the correct account for authentication.
To resolve this issue, a new registry key 'entra-sso' has been introduced. You can add the registry key using either of the following two methods and set it to no to disable SSO:
1. For pre-deployment, use 'msiexec.exe /i globalprotect64.msi ENTRASSO="no"'
or
2. Add key "entra-sso" and set it to "no" under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings. If the "entra-sso" key does not exist under this path, the GlobalProtect agent's default behavior is to 'Allow' Entra SSO.
GPC-22148
(GP App 6.3.1 enabled with FIPS-CC only) Fixed an issue where the OCSP request did not send the Host header, causing the X509v3 certificate validation to fail when accessing the OCSP or CRL.
GPC-22021
Fixed an issue where, when using conditional-connect on macOS Sequoia with GlobalProtect client version 6.2.6, manually switching gateways caused the client to display a "Not connected" status for approximately 10 seconds while establishing a connection to the second gateway.