GlobalProtect Portals Agent App Tab
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
GlobalProtect Portals Agent App Tab
- NetworkGlobalProtectPortals<portal-config>Agent<agent-config>App
Select the App tab to specify how end users interact with the
GlobalProtect apps installed on their systems. You can define different app settings for
the different GlobalProtect configurations you create. See the GlobalProtect Administrator’s Guide to learn
more about the latest updates on the GlobalProtect App Customization settings.
GlobalProtect App Configuration
Settings | Description |
---|---|
Welcome Page | Select a welcome page to present to end users after they connect to GlobalProtect. You can select
the factory-default page or
Import a custom page. The default is
None. |
App Configurations | |
Connect Method |
|
GlobalProtect
App Config Refresh Interval (hours) | Specify the number of hours the GlobalProtect portal waits before it initiates the next refresh
of an app’s configuration (range is from 1 to 168; default is
24). |
Allow User to Disconnect GlobalProtect App | Specifies whether users are allowed to disconnect the GlobalProtect app and, if so, what—if
anything—they must do before they can disconnect the app:
|
Display the following reasons to disconnect GlobalProtect (Always-on
mode)
|
Specifies reasons for disconnecting from GlobalProtect (Always on
mode).
Configuration criteria:
|
Allow User to Uninstall GlobalProtect App
(Windows Only) | Specifies whether users are allowed to uninstall
the GlobalProtect app and, if so, what—if anything—they must do
before they can uninstall the app:
This option requires release version 8196-5685 and later. |
Allow User to
Upgrade GlobalProtect App | Specifies whether end users can upgrade the GlobalProtect app software and, if they can, whether
they can choose when to upgrade:
|
Allow User to Sign Out from GlobalProtect
App (Windows, macOS, iOS, Android, and Chrome Only) | Specifies whether users are permitted to manually sign out of the GlobalProtect app:
This option requires release version 8196-5685 and later. |
Use Single Sign-On (Windows) | Select No to disable
single sign-on (SSO). With SSO enabled (default), the GlobalProtect
app automatically uses the Windows login credentials to authenticate
and then connect to the GlobalProtect portal and gateway. GlobalProtect
can also wrap third-party credentials to ensure that Windows users can
authenticate and connect even when a third-party credential provider
is used to wrap the Windows login credentials. |
Use Single Sign-On for Smart Card PIN (Windows) (Windows
10 or later) Requires release version 8451-6911 or later and GlobalProtect app version 6.0.0 or later. | Use this setting to allow end users who authenticate through single sign-on (SSO) using a smart
card to connect without having to reenter their smart card Personal
Identification Number (PIN) in the GlobalProtect app for a seamless
SSO experience. Note that GlobalProtect can only cache the PIN if
the smart card provider allows it. Set the predeployed setting on the end-user endpoints before you can enable Use SSO for smartcard
PIN. Then, to enable this setting select
Yes. |
Use Single Sign-On (macOS) | Select No to disable
single sign-on (SSO). With SSO enabled (default), the GlobalProtect
app automatically uses the macOS login credentials to authenticate
and then connect to the GlobalProtect portal and gateway. This option requires release version 8196-5685 and later. |
Clear Single Sign-On Credentials on Logout (Windows Only) | Select No to keep
single sign-on credentials when the user logs out. Select Yes (default)
to clear them and force the user to enter credentials upon the next login. |
Use Default Authentication on Kerberos Authentication Failure | Select No to use
only Kerberos authentication. Select Yes (default)
to retry authentication by using the default authentication method after
a failure to authenticate with Kerberos. This feature is supported
for Mac and Windows endpoints only. |
Use Default Browser for SAML Authentication (Requires GlobalProtect app 5.2 or later with release version 8284-6139 or later) | If you have configured the GlobalProtect portal to authenticate end users through Security
Assertion Markup Language (SAML) authentication, select
Yes to enable users to leverage the same
login for GlobalProtect with their saved user credentials on the
default system browser
such as Chrome, Firefox, or Safari to connect to SAML-enabled
applications. You must enable this setting if you're using SAML with
the Cloud Authentication Service. If you enable this setting, you must alsochange the pre-deployment
settings to enable the default browser on Windows, macOS,
Linux, Android, and iOS endpoints to use the default system browser
for SAML authentication. To prevent each connection from opening a new
tab in the default browser, configure an authentication override. |
Automatic Restoration of VPN Connection
Timeout | Enter a timeout value, in minutes, from
0 to 180 to specify the action the GlobalProtect app takes when
the tunnel is disconnected due to network instability or endpoint
state changes by entering; default is 30.
|
Wait Time Between VPN Connection Restore
Attempts (min) | Enter the amount of time, in seconds, the GlobalProtect app waits between attempts to reestablish
the connection with the last-connected gateway when you enable
Automatic Restoration of VPN Connection
Timeout. Specify a longer or shorter wait time
depending on your network conditions. The range is from 1 to 60
seconds; the default is 5. |
Endpoint Traffic Policy Enforcement (Windows
10 or later and macOS 11 and later only) Requires Content
Release version 8450-6909 or later and GlobalProtect app 6.0.0 or later | Configure endpoint traffic policy enforcement
to prevent traffic on the physical adapter when the endpoint is
connected to GlobalProtect. This protects against attempts to thwart
security, such as malicious inbound connections, applications that
bypass the tunnel by binding to the physical adapter, and end users
tampering with the routing table to bypass the GlobalProtect tunnel. Select
one of the following options to configure Endpoint Traffic Policy
Enforcement:
|
Enforce GlobalProtect Connection for Network
Access | Select Yes to force
all network traffic to traverse a GlobalProtect tunnel. Select No (default)
if GlobalProtect is not required for network access and users can
still access the internet even when GlobalProtect is disabled or disconnected. To
provide instructions to users before traffic is blocked, configure
a Traffic Blocking Notification Message and
optionally specify when to display the message (Traffic Blocking
Notification Delay). To permit traffic required
to establish a connection with a captive portal, specify a Captive Portal
Exception Timeout. The user must authenticate with the
portal before the timeout expires. To provide additional instructions,
configure a Captive Portal Detection Message and
optionally specify when to display the message (Captive
Portal Notification Delay). In most cases,
use the default selection No. Selecting Yes blocks
all network traffic to and from the endpoint until the app connects
to an internal gateway inside the enterprise or to an external gateway outside
the enterprise network. |
Allow traffic to specified hosts/networks
when Enforce GlobalProtect Connection for Network Access is enabled
and GlobalProtect Connection is not established | If desired, you can configure up to ten IP addresses or network segments for which you want to allow access when you enforce GlobalProtect for network access but the connection is not established. Separate multiple values with commas and do not add a space between entries. Exclusions can improve the user experience by allowing users to access local resources when GlobalProtect is disconnected. For example, when GlobalProtect is not connected, GlobalProtect can exclude link-local addresses to allow access to a local network segment or broadcast domain. |
Allow traffic to specified FQDN when Enforce
GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection
is not established (Windows and macOS 10.15.4 or later) Requires
Content Release version 8284-6139 or later and GlobalProtect app
5.2 or later. | Specify the fully qualified domain names
(FQDNs) for which you allow access when you enforce GlobalProtect connections
for network access. You can configure up to 40 fully qualified domain
names for which you want to allow access when you enforce GlobalProtect
connections for network access and GlobalProtect cannot establish
a connection. By configuring FQDN exclusions, you can improve the
user experience by allowing end users to access specific resources
when GlobalProtect is disconnected. For example, the endpoint can
communicate with a cloud-hosted identity provider (ldP) for authentication
purposes or a remote device management server even when the Enforce
GlobalProtect for Network Access feature is enabled. Due to a recent change
in macOS, enforcing GlobalProtect connections with FQDN exclusions for
multiple network extensions being loaded at a time does not work
in certain situations, such as in environments where DnsClient.Net,
GlobalProtect with the Allow traffic to specified FQDN
when Enforce GlobalProtect Connection for Network Access is enabled
and GlobalProtect Connection is not established setting
enabled, and Cortex XDR are running. |
Captive Portal Exception Timeout (sec) | To enforce GlobalProtect for network access
but provide a grace period to allow users enough time to connect
to a captive portal, specify the timeout in seconds (range is 0
to 3600). For example, a value of 60 means the user must log in
to the captive portal within one minute after GlobalProtect detects
the captive portal. A value of 0 means GlobalProtect does not allow
users to connect to a captive portal and immediately blocks access. |
Automatically Launch Web Page in Default Browser Upon Captive Portal Detection | To automatically launch your default web
browser upon captive portal detection so that users can log in to the
captive portal seamlessly, enter the fully qualified domain name
or IP address of the website that you want to use for the initial
connection attempt that initiates web traffic when the default web
browser launches (maximum length is 256 characters). The captive
portal then intercepts this website connection attempt and redirects the
default web browser to the captive portal login page. If this field
is empty (default), GlobalProtect does not launch the default web
browser automatically upon captive portal detection. |
Traffic Blocking Notification Delay (sec) | Specify a value, in seconds, to determine
when to display the notification message. GlobalProtect starts the countdown
to display the notification after the network is reachable (range
is 5 to 120; default is 15). |
Display Traffic Blocking Notification Message | Specifies whether a message appears when GlobalProtect
is required for network access. Select No to
disable the message. Select Yes to enable
the message (GlobalProtect displays the message when GlobalProtect
is disconnected but detects that the network is reachable.) |
Traffic Blocking Notification Message | Customize a notification message to display
to users when GlobalProtect is required for network access. GlobalProtect
displays the message when GlobalProtect is disconnected but detects
the network is reachable. The message can indicate the reason for
blocking the traffic and provide instructions on how to connect.
For example: To access the network, you much first connect to GlobalProtect. The
message must be 512 or fewer characters. |
Allow User to Dismiss Traffic Blocking Notifications | Select No to always
display traffic blocking notifications. By default the value is
set to Yes meaning users are permitted to
dismiss the notifications. |
Display Captive Portal Detection Message | Specifies whether a message appears when GlobalProtect
detects a captive portal. Select Yes to display
the message. Select No (default) to suppress the
message (GlobalProtect does not display a message when GlobalProtect
detects a captive portal). If you enable
a Captive Portal Detection Message, the message appears 85 seconds before
the Captive Portal Exception Timeout. So if the Capture Portal Exception
Timeout is 90 seconds or less, the message appears 5 seconds after
a captive portal is detected. |
Captive Portal Detection Message | Customize a notification message to display
to users when GlobalProtect detects the network which provides additional
instructions for connecting to a captive portal. For example: GlobalProtect has temporarily permitted network access for you to connect to the internet. Follow instructions from your internet provider. If you let the connection time out, open GlobalProtect and click Connect to try again. The
message must be 512 or fewer characters. |
Captive Portal Notification Delay (sec) | If you enable a Captive Portal Detection Message, you can specify the delay in seconds after captive portal detection at which GlobalProtect displays the detection message (range is 1 to 120; default is 5). |
Client Certificate Store Lookup | Select the type of certificate or certificates
that an app looks up in its personal certificate store. The GlobalProtect
app uses the certificate to authenticate to the portal or a gateway
and then establish a VPN tunnel to the GlobalProtect gateway.
It is recommended to use user and machine store for
pre-logon user profile if you want to use the user store after
login. Pre-logon users will only use the machine store, but
setting this parameter to machine only will prevent the user
from using the user store until the app gets configuration from
the GlobalProtect portal.
|
SCEP Certificate Renewal Period (days) | This mechanism is for renewing a SCEP-generated certificate
before the certificate actually expires. You specify the maximum
number of days before certificate expiry that the portal can request
a new certificate from the SCEP server in your PKI system (range
is 0 to 30; default is 7). A value of 0 means that the portal does
not automatically renew the client certificate when it refreshes a
client configuration. For an app to get the new certificate,
the user must log in during the renewal period (the portal does
not request the new certificate for a user during this renewal period
unless the user logs in). For example, suppose that a client
certificate has a lifespan of 90 days and this certificate renewal
period is 7 days. If a user logs in during the final 7 days of the certificate
lifespan, the portal generates the certificate and downloads it
along with a refreshed client configuration. See GlobalProtect
App Config Refresh Interval (hours). |
Extended Key Usage OID for Client Certificate (Windows
and macOS only) | Use this option to provide an object identifier
(OID) that you want GlobalProtect to use to determine which client
certificate to select to simplify and improve the certificate selection
process when your macOS or Windows endpoints have multiple certificates
installed. By default, GlobalProtect automatically filters
the certificates for those that specify a Client Authentication purpose
(OID 1.3.6.1.5.5.7.3.2) so it is not necessary to specify the OID
associated with Client Authentication. However, if you want to use
a different OID to distinguish the certificate you want GlobalProtect
to select, you can specify a different certificate usage when you
create the certificate and then set the Extended Key Usage
OID for Client Certificate to the corresponding OID.
Some of the most commonly used OIDs are:
|
Retain Connection on Smart Card Removal (Windows Only)
| Select Yes to retain
the connection when a user removes a smart card containing a client
certificate. Select No (default) to terminate
the connection when a user removes a smart card. |
Enable Advanced View | Select No to restrict
the user interface on the app to the basic, minimum view (enabled
by default). |
Allow User to Dismiss Welcome Page | Select No to force
the Welcome Page to appear each time a user initiates a connection.
This restriction prevents a user from dismissing important information,
such as terms and conditions that may be required by your organization
to maintain compliance. |
Have User Accept Terms of Use before Creating
Tunnel | Select Yes to require
the end user to accept terms of use to comply with corporate policies
and to see a page to review your company’s terms of service before
connecting to GlobalProtect. Before you set this option to Yes,
you must configure the GlobalProtect Welcome page through NetworkGlobalProtectPortals<portal_configGeneral). |
Enable Rediscover Network Option | Select No to prevent
users from manually initiating a network rediscovery. |
Enable Resubmit Host Profile Option | Select No to prevent
users from manually triggering resubmission of the latest HIP. |
Allow User to Change Portal Address | Select No to disable
the Portal field on the Home tab
in the GlobalProtect app. However, because the user will then be
unable to specify a portal to which to connect, you must supply
the default portal address in the Windows registry or Mac plist:
For more
information about pre-deploying the portal address, see Customizable App Settings in the
GlobalProtect Administrator’s Guide. |
Allow User to Continue with Invalid Portal
Server Certificate | Select No to prevent
the app from establishing a connection with the portal if the portal
certificate is not valid. |
Display GlobalProtect Icon | Select No to hide
the GlobalProtect icon on the endpoint. If the icon is hidden, users
cannot perform certain tasks, such as viewing troubleshooting information,
changing passwords, rediscovering the network, or performing an
on-demand connection. However, HIP notification messages, login prompts,
and certificate dialogs do display when user interaction is necessary. |
User Switch Tunnel Rename Timeout (sec) (Windows only) | Specify the number of seconds that a remote
user has to be authenticated by a GlobalProtect gateway after logging
into an endpoint by using Microsoft’s Remote Desktop Protocol (RDP)
(range is 0 to 600; default is 0). Requiring the remote user to
authenticate within a limited amount of time maintains security. After
authenticating the new user and switching the tunnel to the user,
the gateway renames the tunnel. A value of 0 means that the
current user’s tunnel is not renamed but, instead, is immediately
terminated. In this case, the remote user gets a new tunnel and
has no time limit for authenticating to a gateway (other than the configured
TCP timeout). |
Pre-Logon Tunnel Rename Timeout (sec) (Windows Only) | This setting controls how GlobalProtect
handles the pre-logon tunnel that connects an endpoint to the gateway. A
value of -1 means the pre-logon tunnel does not time out after a
user logs on to the endpoint; GlobalProtect renames the tunnel to
reassign it to the user. However, the tunnel persists even if the
renaming fails or if the user does not log in to the GlobalProtect gateway. A
value of 0 means when the user logs on to the endpoint, GlobalProtect
immediately terminates the pre-logon tunnel instead of renaming
it. In this case, GlobalProtect initiates a new tunnel for the user
instead of allowing the user to connect over the pre-logon tunnel. Typically,
this setting is most useful when you set the Connect
Method to Pre-logon then On-demand, which
forces the user to manually initiate the connection after the initial
logon. A value of 1 to 7200 indicates the number of seconds
in which the pre-logon tunnel can remain active after a user logs
on to the endpoint. During this time, GlobalProtect enforces policies
on the pre-logon tunnel. If the user authenticates with the GlobalProtect
gateway within the timeout period, GlobalProtect reassigns the tunnel
to the user. If the user does not authenticate with the GlobalProtect
gateway before the timeout, GlobalProtect terminates the pre-logon
tunnel. |
Preserve Tunnel on User Logoff Timeout (sec) | To enable GlobalProtect to preserve the
existing VPN tunnel after users log out of their endpoint, specify
a Preserve Tunnel on User Logoff Timeout value
(range is 0 to 600 seconds; default is 0 seconds). If you accept
the default value of 0, GlobalProtect does
not preserve the tunnel following user logout. |
Custom Password Expiration Message (LDAP
Authentication Only) | Create a custom message to display to users
when their password is about to expire. The maximum message length
is 200 characters. |
Automatically Use SSL When IPSec Is Unreliable
(hours) | Specify the amount of time (in hours) during
which you want the GlobalProtect app to Automatically
Use SSL When IPSec Is Unreliable (range is 0-168 hours).
If you configure this option, the GlobalProtect app does not attempt
to establish an IPSec tunnel during the specified time period. This
timer initiates each time an IPSec tunnel goes down due to a tunnel
keepalive timeout. If you accept the default value of 0,
the app does not fall back to establishing an SSL tunnel if it can
establish an IPSec tunnel successfully. It falls back to establishing
an SSL tunnel only when the IPSec tunnel cannot be established. |
Display IPSec to SSL Fallback Notification Requires
content release version 8387-6595 or later and GlobalProtect app
version 6.0 or later. | Select No if you
do not want users to see a notification message indicating that their
connection has changed from IPSec to SSL. By default users will
be notified. |
Connect with SSL Only Requires GlobalProtect
app version 6.0 or later. | Select Yes if you
want users to be able to choose to use SSL instead of IPSec. |
GlobalProtect Connection MTU (bytes) | Enter the GlobalProtect connection maximum transmission
unit (MTU) value between 1000 to 1420 bytes that is used by the
GlobalProtect app to connect to the gateway. The default value is
1400 bytes. You can optimize the connection experience for end users connecting
over networks that require MTU values lower than the standard of
1500 bytes. By reducing the MTU size, you can eliminate performance
and connectivity issues that occur due to fragmentation when the
VPN tunnel connections go through multiple Internet Service Providers
(ISPs) and network paths with MTU lower than 1500 bytes. |
Maximum Internal Gateway Connection Attempts | Enter the maximum number of times the GlobalProtect app should retry the connection to an
internal gateway after the first attempt fails (range is 0 to 100;
default is 0, which means the GlobalProtect app does not retry the
connection). By increasing the value, you enable the app to
automatically connect to an internal gateway that is temporarily
down or unreachable during the first connection attempt but comes
back up before the specified number of retries are exhausted.
Increasing the value also ensures that the internal gateway receives
the most up-to-date user and host information. |
Enable Advanced Internal Host Detection | To add an extra security layer while performing internal
host detection by the GlobalProtect app. With the advanced internal
host detection, the app validates the server certificate of the
internal gateways in addition to performing a reverse DNS lookup
of the internal host to determine whether the app is inside the
enterprise network. Select Yes to enable
the GlobalProtect app to validate the server certificate of the internal
gateways in addition to performing a reverse DNS lookup of the internal
host during internal host detection. Select No (default)
for GlobalProtect app to perform internal host detection without
validating the server certificate of the internal gateways. |
Portal Connection Timeout (sec) | The number of seconds (between 1 and 600)
before a connection request to the portal times out due to no response
from the portal. When your firewall is running Applications and
Threats content versions earlier than 777-4484, the default is 30.
Starting with Content Release version 777-4484, the default is 5. |
TCP Connection Timeout (sec) | The number of seconds (between 1 and 600)
before a TCP connection request times out due to unresponsiveness
from either end of the connection. When your firewall is running
Applications and Threats content versions earlier than 777-4484,
the default is 60. Starting with Content Release version 777-4484,
the default is 5. |
TCP Receive Timeout (sec) | The number of seconds before a TCP connection times
out due to the absence of some partial response of a TCP request
(range is 1 to 600; default is 30). |
Allow User to Extend GlobalProtect User Session
|
To extend the login lifetime session of the GlobalProtect app before
it expires so that users can avoid abrupt app session logout.
Select Yes to allow users to extend the login
lifetime session of the GlobalProtect app before it expires to
prevent abrupt app session logout.
Select No (default) if you do not want users
to be able to extend the login lifetime session of the GlobalProtect
app before it expires.
|
HIP Remediation Process Timeout (sec)
Requires Content Release version 8699-7991or later and GlobalProtect
app 6.2.0 or later.
|
Set the HIP Remediation Process Timeout (sec)
to configure a timeout period during which the GlobalProtect app can
run a HIP process remediation
script if it fails a HIP process check.
By default, this field is set to 0, indicating that the feature is
disabled. Enter a value from 1-600 seconds to indicate the amount of
time you want to allow for the remediation script to finish.
|
Enhanced Split Tunnel Client Certificate Public Key
Requires Content Release version 8699-7991or later and GlobalProtect
app 6.2.0 or later.
|
Specify the Enhanced Split Tunnel Client Certificate
Public Key that the endpoint can use to connect to
the web server hosting the split tunnel configuration
file.
|
Split-Tunnel Option | Specify whether to enable split-tunnel domain and/or
split DNS feature for the traffic based on the exclude or include
domains configured on the GlobalProtect gateway under Network > GlobalProtect > Gateway > Agent > Client Setting
> (Client Config) > Split Tunnel > Domain and Application. Network
Traffic Only—Select this option to enable only split-tunnel
domain for the traffic as per include or exclude domains configured
on the GlobalProtect gateway under Network
> GlobalProtect > Gateway > Agent > Client Setting > (Client Config)
> Split Tunnel > Domain and Application. Both
Network Traffic and DNS—Select this option to enable
both split-tunnel domain and split DNS for the traffic as per include
or exclude domains configured on the GlobalProtect gateway under Network > GlobalProtect > Gateway > Agent > Client Setting
> (Client Config) > Split Tunnel > Domain and Application. This
option requires a Content Release version of 8284-6139 or later. |
Resolve All FQDNs Using DNS Servers Assigned
by the Tunnel (Windows Only) | (GlobalProtect 4.0.3 and later releases) Configure
the DNS resolution preferences when the GlobalProtect tunnel is
connected on Windows endpoints:
To
configure DNS settings for GlobalProtect app 4.0.2 and earlier releases,
use the Update DNS Settings at Connect option. |
Agent Mode for Prisma Access
Requires Content Release version 8700-7994 or later and GlobalProtect
app 6.2.0 or later. Requires Prisma Access 4.0 Preferred or
later.
|
By default, the Agent Mode for Prisma Access is set to
Tunnel mode, which means that the
GlobalProtect app establishes a tunnel to GlobalProtect to secure
internet and private app access, based on any split-tunnel rules you
have defined. If you want to enable explicit proxy functionality in
the GlobalProtect app to enable always-on security for internet
traffic while providing on-demand access to private apps
through GlobalProtect or a third-party VPN, you can configure one of
the following agent modes:
Select Proxy to enable the GlobalProtect app
to proxy traffic to Prisma Access based on forwarding rules defined
in the PAC file. You can then secure access to your private apps
using a third-party VPN.
Select Tunnel and Proxy to enable the
GlobalProtect app to send the internet traffic to the explicit proxy
based on rules you define in the PAC file. For the remaining
traffic, the GlobalProtect app uses the split tunneling rules you
have defined to determine which traffic to send through the
tunnel.
|
Update DNS Settings at Connect (Windows
Only) (Deprecated) | (GlobalProtect 4.0.2 and earlier releases) Configure
the DNS server preferences for the GlobalProtect tunnel:
To
configure DNS settings for GlobalProtect app 4.0.3 and later releases,
use the Resolve All FQDNs Using DNS Servers Assigned
by the Tunnel option. |
Proxy Auto-Configuration (PAC) File URL | Select Yes to push
the URL for your proxy auto-configuration (PAC) files from the GlobalProtect
app to your endpoints. Specify the Proxy Auto-Configuration
(PAC) File URL that you want to push to the endpoint to configure
proxy settings. The maximum URL length is 256 characters. The following
Proxy Auto-Configuration (PAC) File URL methods are supported:
|
Detect Proxy for Each Connection (Windows only) | Select No to auto-detect the
proxy for the portal connection and use that proxy for subsequent
connections. Select Yes (default) to auto-detect
the proxy at every connection. |
Set Up Tunnel Over Proxy (Windows &
Mac Only) | Specify whether GlobalProtect must use or
bypass proxies. Select No to require GlobalProtect
to bypass proxies. Select Yes to require
GlobalProtect to use proxies. Based on the GlobalProtect proxy use, endpoint
OS, and tunnel type, network traffic will behave
differently. |
Send HIP Report Immediately if Windows Security
Center (WSC) State Changes (Windows Only) | Select No to prevent
the GlobalProtect app from sending HIP data when the status of the
Windows Security Center (WSC) changes. Select Yes (default)
to immediately send HIP data when the status of the WSC changes. |
Enable Inbound Authentication Prompts from
MFA Gateways | To support multi-factor authentication (MFA),
a GlobalProtect endpoint must receive and acknowledge UDP prompts
that are inbound from the gateway. Select Yes to
enable a GlobalProtect endpoint to receive and acknowledge the prompt.
Select No (default) for GlobalProtect to block
UDP prompts from the gateway. |
Network Port for Inbound Authentication
Prompts (UDP) | Specifies the port number a GlobalProtect
endpoint uses to receive inbound authentication prompts from MFA gateways.
The default port is 4501. To change the port, specify a number from
1 to 65535. |
Trusted MFA Gateways | Specifies the list of firewalls or authentication gateways
a GlobalProtect endpoint trusts for multi-factor authentication.
When a GlobalProtect endpoint receives a UDP message on the specified
network port, GlobalProtect displays an authentication message only
if the UDP prompt comes from a trusted gateway. |
Inbound Authentication Message | Customize a notification message to display
when users try to access a resource that requires additional authentication.
When users try to access a resource that requires additional authentication,
GlobalProtect receives a UDP packet containing the inbound authentication
prompt and displays this message. The UDP packet also contains the
URL for the Authentication Portal page you specify when you Configure Multi-Factor Authentication.
GlobalProtect automatically appends the URL to the message. For
example: You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at The
message must be 255 or fewer characters. |
IPv6 Preferred | Specifies the preferred protocol for GlobalProtect endpoint
communications. Select No to change the preferred protocol
to IPv4.Select Yes (default) to make IPv6 the preferred connection
a dual-stack environment. |
Change Password Message | Customize a message to specify password
policies or requirements when users change their active directory (AD)
password. For example: Passwords must contain at least one number and one uppercase letter. The
message must be 255 or fewer characters for two byte Unicode languages
such as Chinese Simplified. For Japanese, the message must be 128
or fewer characters. |
Log Gateway Selection Criteria | Select Yes to enable
the GlobalProtect app to send the gateway selection criteria logs
to the firewall. The default is No. The app
does not send the enhanced logs for the gateway selection criteria
to the firewall. |
Enable Autonomous DEM and GlobalProtect
App Log Collection for Troubleshooting Requires Content Release version
8350-14191 or later; Requires GlobalProtect app 5.2.5 or later. | Select Yes toenable the GlobalProtect app to display the Report
an Issue option to allow end users to send the
troubleshooting and diagnostic logs directly to Strata Logging Service. You must configure the Strata Logging Servicecertificate that is pushed from
theportal as a client certificate to display the Report
an Issue option. This certificate is used for the
client to authenticate to Strata Logging Service when sending
the logs. When this setting isset to No
(default), the GlobalProtect app will not display the
Report an Issue option and end users
cannot send the troubleshooting and diagnostic logs to Strata Logging Service. |
Display Autonomous DEM Updates Notification | Select Yes if you
want users to see notifications whenever the ADEM agent is updated. |
Run Diagnostics Tests for These Destination
Web Servers Requires Content Release version 8350-14191 or
later; Requires GlobalProtect app 5.2.5 or later. | Enter up to ten HTTPS-based destination
URLs to initiate performance tests for probing. These diagnostic tests
are only run if you chose to Enable Autonomous DEM and
GlobalProtect App Log Collection for Troubleshooting.
The destination URLs you enter can be IP addresses or fully qualified
domain names (for example, https://10.10.10.10/resource.html, https://webserver/file.pdf,
or https://google.com). |
Autonomous DEM endpoint agent for Prisma
Access (Windows & Mac only) Runs on Windows 10 and macOS
only; Content Release version 8393-6628 or later; Requires GlobalProtect
app 5.2.6 or later. | Specify whether you want to install the
Autonomous DEM (ADEM) endpoint agent during the GlobalProtect app installation
and allow end users to enable or disable user experience tests from
the app.
|
Device Added to Quarantine Message | By default, the GlobalProtect displays the
following message when an end user’s device is quarantined: Access to the network from this device has been restricted as per your organization’s security policy. Please contact your IT administrator. You
can replace this default message with your own custom message of
up to 512 characters. |
Device Removed from Quarantine Message | By default, the GlobalProtect displays the following message when an end user’s device is removed
from quarantine: Access to the network from this device has been restored as per your organization’s security policy. You
can replace this default message with your own custom message of
up to 512 characters. |
Display Status Panel at Startup (Windows Only) | Select Yes to automatically display
the GlobalProtect status panel when users establish a connection
for the first time. Select No to suppress
the GlobalProtect status panel when users establish a connection
for the first time. |
Allow GlobalProtect UI to Persist for User
Input (Windows 10 or later and macOS) Requires
Content Release version 8450-6909 or later and GlobalProtect app
6.0.0 or later. | Select Yes to enable
the GlobalProtect app to continue to display the status panel on
the screen when end users are entering their credentials. |
Disable GlobalProtect App | |
Passcode/Confirm Passcode | Enter and then confirm a passcode if the
setting for Allow User to Disable GlobalProtect App is Allow
with Passcode. Treat this passcode like a password—record
it and store it in a secure place. You can distribute the passcode
to new GlobalProtect users by email or post it in a support area
of your company website. If circumstances prevent the endpoint
from establishing a VPN connection and this feature is enabled, a
user can enter this passcode in the app interface to disable the
GlobalProtect app and get Internet access without using the VPN. |
Max Times User Can Disconnect | Specify the maximum number of times that
a user can disconnect GlobalProtect before the user must connect to
a firewall. The default value of 0 means users have no limit to
the number of times they can disconnect the app. |
Disconnect Timeout (min) | Specify the maximum number of minutes the GlobalProtect
app can be disconnected. After the specified time passes, the app
tries to connect to the firewall. The default of 0 indicates that
the disconnect period is unlimited. Set
a disconnect timeout value to restrict the amount of time for which
users can disconnect the app. This ensures that GlobalProtect resumes
and establishes the VPN when the timeout is over to secure the user
and the user’s access to resources. |
Mobile Security Manager Settings | |
Mobile Security Manager | If you are using the GlobalProtect Mobile
Security Manager for mobile device management (MDM), enter the IP
address or FQDN of the device check‑in (enrollment) interface on
the GP-100 appliance. |
Enrollment Port | The port number the mobile endpoint should
use when connecting to the GlobalProtect Mobile Security Manager
for enrollment. The Mobile Security Manager listens on port 443
by default. Keep this port number
so that mobile endpoint users are not prompted for a client certificate
during the enrollment process (other possible values are 443, 7443,
and 8443). |