Client Settings Tab
- Network > GlobalProtect > Gateways > <gateway-config> > Agent > <agent-config> > Client Settings
Select the Client Settings tab to configure settings for the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway. Some Client Settings options are available only after you enable tunnel mode and define a tunnel interface on the Tunnel Settings Tab.
GlobalProtect Gateway Client Settings and Network Configuration

Config Selection Criteria tab | Description
---|---
Name | Enter a name to identify the client settings configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Source User | Add the specific users or user groups to which this configuration applies. You must configure group mapping (Device > User Identification > Group Mapping Settings). To deploy this configuration to all users, select any from the Source User drop-down. To deploy this configuration only to users with GlobalProtect apps in pre-logon mode, select pre-logon from the Source User drop-down. The client settings configuration is deployed to users only if the user matches the criteria for Source User, OS, AND Source Address.
OS | To deploy this configuration based on the operating system of the endpoint, Add an OS (Android, Chrome, iOS, IoT, Linux, Mac, Windows, WindowsUWP). Alternatively, you can set this value to Any so that configuration deployment is based only on the user or user group and not on the operating system of the endpoint. The client settings configuration is deployed to users only if the user matches the criteria for Source User, OS, AND Source Address.
Source Address | To deploy this configuration based on user location, Add a source Region or local IP Address (IPv4 and IPv6). To deploy this configuration to all user locations, do not specify a Region or IP Address. You must also leave these fields empty if your users are running GlobalProtect app 4.0 and earlier releases, as this feature is not supported on older GlobalProtect app releases. The Source Address match is successful if the location of a connecting user matches either the Region or the IP Address that you configure. The client settings configuration is deployed to users only if the user matches the criteria for Source User, OS, AND Source Address.
Authentication Override tab | Description
---|---
Authentication Override | Enable the gateway to use secure, device-specific, encrypted cookies to authenticate the user after the user first authenticates using the authentication scheme specified by the authentication or certificate profile. Ensure that the gateway and portal both use the same certificate to encrypt and decrypt cookies.
IP Pools tab | Description
---|---
Retrieve Framed-IP-Address attribute from authentication server | Select this option to enable the GlobalProtect gateway to assign fixed IP addresses by using an external authentication server. When this option is enabled, the GlobalProtect gateway allocates the IP address to connecting devices by using the Framed-IP-Address attribute from the authentication server.
Authentication Server IP Pool | Add a subnet or range of IP addresses to assign to remote users. When the tunnel is established, the GlobalProtect gateway allocates the IP address in this range to connecting devices using the Framed-IP-Address attribute from the authentication server. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10). You can enable and configure Authentication Server IP Pool only if you enable Retrieve Framed-IP-Address attribute from authentication server. The authentication server IP pool must be large enough to support all concurrent connections. IP address assignment is fixed and is retained after the user disconnects. Configure multiple ranges from different subnets to allow the system to offer clients an IP address that does not conflict with other interfaces on the client. The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user can receive the address 192.168.0.10.
IP Pool | Add a range of IP addresses to assign to remote users. When the tunnel is established, an interface is created on the remote user’s endpoint with an address in this range. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10). To avoid conflicts, the IP pool must be large enough to support all concurrent connections. The gateway maintains an index of clients and IP addresses so that the client automatically receives the same IP address the next time it connects. Configuring multiple ranges from different subnets allows the system to offer clients an IP address that does not conflict with other interfaces on the client. The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user may be assigned the address 192.168.0.10.
Split Tunnel tab

Access Route tab | Description
---|---
No direct access to local network | Select this option to disable split tunneling, including direct access to local networks on Windows, macOS, and Linux endpoints (Linux endpoints must be running GlobalProtect app version 6.0.0 or later). This function prevents a user from sending traffic to proxies or local resources, such as a home printer. When the tunnel is established, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall.
Include | Add routes to include in the VPN tunnel. These are the routes the gateway pushes to the remote users’ endpoints to specify what user endpoints can send through the VPN connection. To include all destination subnets or address objects, Include 0.0.0.0/0 and ::/0 as access routes.
Exclude | Add routes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel). You can define the routes you send through the VPN tunnel as routes you include in the tunnel, routes you exclude from the tunnel, or a combination of both. For example, you can set up split tunneling to allow remote users to access the internet without going through the VPN tunnel. Excluded routes should be more specific than the included routes, to avoid excluding more traffic than you intend. If you don’t include or exclude routes, every request is routed through the tunnel (no split tunneling). In this case, each internet request passes through the firewall and then out to the network. This method can prevent an external party from accessing user endpoints and gaining access to the internal network (with a user endpoint acting as a bridge).
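The Include and Exclude access-route rules above can be sanity-checked before they are pushed to endpoints. The following Python is an added example (not Palo Alto Networks code): it models the behaviour the table describes, assuming that the most specific matching route wins, and flags exclude routes that are not more specific than the include routes they overlap.

```python
"""Model of how GlobalProtect split-tunnel Include / Exclude access routes
decide whether traffic goes through the tunnel or the physical adapter.
Added example, not Palo Alto Networks code. Assumption: the most specific
matching route wins, which is why the table says excluded routes should
be more specific than included ones."""
import ipaddress

DEFAULT_INCLUDE = ["0.0.0.0/0", "::/0"]  # "include everything" per the table


def _nets(routes):
    return [ipaddress.ip_network(r, strict=False) for r in routes]


def _longest_match(addr, nets):
    """Prefix length of the most specific route containing addr, or None."""
    return max((n.prefixlen for n in nets if addr in n), default=None)


def route_via_tunnel(dst, include, exclude, no_local_access=False):
    """True if traffic to dst is sent through the VPN tunnel."""
    if no_local_access:  # "No direct access to local network" disables
        return True      # split tunneling: everything is tunnelled
    if not include and not exclude:
        return True      # nothing configured: every request is tunnelled
    addr = ipaddress.ip_address(dst)
    inc = _longest_match(addr, _nets(include or DEFAULT_INCLUDE))
    exc = _longest_match(addr, _nets(exclude))
    if inc is None:
        return False     # not covered by any include route
    if exc is None:
        return True      # included and no exclude carves it out
    return inc > exc     # more specific route wins (modelling assumption)


def check_excludes(include, exclude):
    """Flag exclude routes that are not strictly more specific than an
    overlapping include route, or that no include route covers at all."""
    inc = _nets(include or DEFAULT_INCLUDE)
    problems = []
    for e in _nets(exclude):
        overlapping = [i for i in inc if i.version == e.version and i.overlaps(e)]
        if not overlapping:
            problems.append(f"{e}: no include route covers it (redundant)")
        elif any(e.prefixlen <= i.prefixlen for i in overlapping):
            problems.append(f"{e}: not more specific than an include route")
    return problems
```

With the constructed sample `include=["0.0.0.0/0", "::/0"]`, `exclude=["192.168.1.0/24"]`, a home printer on 192.168.1.0/24 is reached directly while everything else is tunnelled, and `check_excludes` returns no findings; an exclude equal to or wider than an include is reported.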
Domain and Application tab | Description
---|---
Include Domain | Add the software as a service (SaaS) or public cloud applications that you want to include in the VPN tunnel using the domain and port (optional). These are the applications the gateway pushes to the remote users’ endpoints to specify what user endpoints can send through the VPN connection. You can configure a list of ports for each domain. If no ports are configured, all ports for the specified domain are subject to this policy.
Exclude Domain | Add the software as a service (SaaS) or public cloud applications that you want to exclude from the VPN tunnel using the domain and port (optional). These applications are sent through the physical adapter on endpoints rather than the virtual adapter (the tunnel). You can configure a list of ports for each domain. If no ports are configured, all ports for the specified domain are subject to this policy. If you do not include or exclude any domains, every request is routed through the tunnel (no split tunneling). In this case, each Internet request passes through the firewall and out to the network. This method can prevent external parties from accessing user endpoints to gain access to the internal network.
Include Client Application Process Name | Add the software as a service (SaaS) or public cloud applications that you want to include in the VPN tunnel using the application process name. These are the applications the gateway pushes to the endpoints of remote users to specify what those user endpoints can send through the VPN connection.
Exclude Client Application Process Name | Add the software as a service (SaaS) or public cloud applications that you want to exclude from the VPN tunnel using the application process name. These applications are sent through the physical adapter on endpoints rather than the virtual adapter (the tunnel). If you do not include or exclude any applications, every request is routed through the tunnel (no split tunneling). In this case, each Internet request passes through the firewall and out to the network. This method can prevent external parties from accessing user endpoints to gain access to the internal network.
Network Services tab | Description
---|---
DNS Server | Specify the IP address of the DNS server to which the GlobalProtect app with this client settings configuration sends DNS queries. You can add multiple DNS servers by separating each IP address with a comma.
DNS Suffix | Specify the DNS suffix that the endpoint should use locally when an unqualified hostname is entered that the endpoint cannot resolve. You can enter multiple DNS suffixes (up to 100) by separating each suffix with a comma.