GlobalProtect Features

What are the new GlobalProtect features for PAN-OS 11.2?
The following section describes new GlobalProtect features introduced in PAN-OS 11.2. For features related to the GlobalProtect app, see the GlobalProtect admin guide.

GlobalProtect Support for DHCP-Based IP Address Assignments in PAN-OS 11.2

May 2024
  • Available in PAN-OS 11.2.0 and later releases.
Starting with PAN-OS 11.2.1, the DHCP-Based IP Address Assignment feature is supported on both VM-Series virtual firewalls and hardware next-generation firewall platforms.
In PAN-OS 11.2.0, the DHCP-Based IP Address Assignment feature is supported on VM-Series virtual firewalls only; it is not supported on hardware next-generation firewall platforms.
You can now configure a DHCP server profile on the GlobalProtect gateway so that a DHCP server manages and assigns IP addresses for the endpoints connected remotely through the GlobalProtect app. Users who run enterprise DHCP servers can enable this feature for centralized IP management and IP address assignment. When you configure a DHCP server profile on the GlobalProtect gateway and the gateway communicates successfully with the DHCP server, the gateway obtains DHCP IP addresses from a DHCP member server. The GlobalProtect gateway then assigns those IP addresses as the tunnel IP addresses for the endpoints that are remotely connected through the GlobalProtect app. If the DHCP server fails to respond to the gateway within the configured communication timeout and number of retries, the gateway falls back to the private static IP pool to allocate IP addresses to the endpoints.
When the GlobalProtect gateway assigns DHCP IP addresses to the endpoints, you can configure your DHCP server to create Dynamic DNS (DDNS) records (Address and Pointer records) for the GlobalProtect connected users. DDNS records are useful to endpoint admins when troubleshooting the endpoints of GlobalProtect connected remote users. The IP addresses are registered with the DDNS server only when you configure IP Address Management (IPAM) on the Windows server, the DDNS server, or the Infoblox server.

CIE (SAML) Authentication using Embedded Web-view

May 2024, introduced in PAN-OS 11.2
  • Available in PAN-OS 11.2.0 and later releases.
The enhancement also supports force authentication, so that end users authenticate again when reconnecting to the app even when the SAML token remains valid, which helps enterprises achieve security compliance. You can now configure the GlobalProtect app to prompt end users to reenter their credentials whenever they reconnect the GlobalProtect app using the Cloud Identity Engine (CIE) authentication method.
Previously, users were not prompted to re-authenticate when they tried to reconnect to the app using the CIE authentication method.