You can now view all agent customization options and configure them from the new App tab in a GlobalProtect portal agent configuration. You can create separate agent configurations to customize the GlobalProtect app for different groups of users or types of endpoints.
Additionally, future options will be available with content releases that allow you to take advantage of new app configuration features without waiting for the next PAN-OS release.
Included in the new customization options are settings that, in earlier releases, required you to define their values in the Windows registry or Mac global property list (plist). Settings defined in the GlobalProtect portal agent configuration take precedence over settings defined in the Windows registry or Mac plist.
The following topics describe the available customization options:
GlobalProtect App Display Options
By configuring GlobalProtect app display options in a GlobalProtect portal agent configuration, you can customize which options are available for different sets of users.
Some options hide a notification or menu item from view entirely; others only gray out the item in the menu, which still prevents the user from selecting it.
Option Details
Enable Advanced View: Select No to restrict the user interface on the client side to the basic minimum view. By default, the advanced view is enabled.
Display GlobalProtect Icon: Select No to hide the GlobalProtect icon on the client system. When the icon is hidden, users cannot perform other tasks (such as change passwords, rediscover the network, resubmit host information, view troubleshooting information, or trigger an on-demand connection request). However, HIP notification messages, login prompts, and certificate dialogs still display as necessary for interacting with the end user.
Enable Rediscover Network Option: Select No to prevent users from performing a manual network rediscovery.
Enable Resubmit Host Profile Option: Select No to prevent users from manually triggering resubmission of the latest HIP.
(New) Show System Tray Notifications: Select No to hide notifications from users. Select Yes (default) to enable the GlobalProtect agent to display notifications about status changes in the notification area (system tray).
GlobalProtect App User Behavior Options
User behavior options enable you to define the way your users can interact with the GlobalProtect app.
Option Details
Allow User to Change Portal Address: Select No to disable the Portal field on the Home tab of the GlobalProtect agent. Because the user is then unable to specify a portal to which to connect, you must pre-deploy the default portal address by configuring a new key in the Windows registry or Mac plist and supplying the portal address as the value:
Windows registry: Create a new key named Portal in the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
Mac plist: Create a new entry named Portal in the following plist location: Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist
Allow User to Dismiss Welcome Page: Select No to force the GlobalProtect agent to display the Welcome Page each time users initiate a connection, so that users cannot dismiss important information such as the terms and conditions your organization requires for compliance.
Allow User to Continue with Invalid Portal Server Certificate: Select No to prevent the GlobalProtect agent from establishing a connection with the portal if the portal certificate is not valid. Allowing users to continue past an invalid certificate lets them connect to a portal whose identity the agent could not verify, so select No unless you have a specific reason to allow it.
Allow User to Upgrade GlobalProtect App: Select Disallow, Allow Manually, Allow with Prompt, or Allow Transparently to specify whether GlobalProtect agent software downloads and upgrades are allowed and, if so, how they occur.
Allow User to Disable GlobalProtect App: Select an override option (Allow, Disallow, Allow with Comment, Allow with Passcode, or Allow with Ticket) to specify the condition under which users can disable the GlobalProtect agent.
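The pre-deployment step for Allow User to Change Portal Address, as an added example that is not code from the Palo Alto Networks documentation or the GlobalProtect software: a PowerShell script that seeds the Portal entry under the PanSetup registry key on a Windows endpoint and reads it back. It assumes that gp.example.com is a placeholder portal hostname, that the entry is a REG_SZ string value named Portal under the PanSetup key (the reading of "a new key named Portal ... supplying the portal address as the value" that matches how the agent reads it), that the session is elevated because HKLM is writable only by administrators, and the function name Set-GlobalProtectDefaultPortal is chosen for this example.

```powershell
# Added example, not part of the GlobalProtect documentation or software.
# Seeds the default portal address that the agent reads when
# "Allow User to Change Portal Address" is set to No.
# Assumptions: gp.example.com is a placeholder hostname; the Portal entry is a
# REG_SZ value under the PanSetup key; the session is elevated.
function Set-GlobalProtectDefaultPortal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Portal
    )

    $keyPath = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

    # Create the PanSetup key if the agent installer has not created it yet
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # Write or overwrite the Portal string value
    New-ItemProperty -Path $keyPath -Name 'Portal' -Value $Portal -PropertyType String -Force | Out-Null

    # Read it back; fail loudly rather than deploy a half-configured endpoint
    $actual = (Get-ItemProperty -Path $keyPath -Name 'Portal').Portal
    if ($actual -ne $Portal) {
        throw "PanSetup\Portal is '$actual', expected '$Portal'"
    }
    return $actual
}

Set-GlobalProtectDefaultPortal -Portal 'gp.example.com'
```

On Mac the equivalent, assumed here and using the absolute path under /Library/Preferences where macOS keeps system-wide preferences, is: sudo defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist Portal -string gp.example.com. Because settings in the portal agent configuration take precedence over registry and plist entries, use this entry to point the agent at the portal and keep the remaining customization in the portal agent configuration.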
GlobalProtect App Behavior Options
GlobalProtect app behavior options determine how the GlobalProtect agent establishes a connection with GlobalProtect portals and gateways.
Option Details
Connect Method: Select a connect method to specify how users connect to the GlobalProtect gateway: On-demand (manual, user-initiated connection), User-logon (Always On), or Pre-logon (Always On).
GlobalProtect App Config Refresh Interval (hours): Specify the interval, in hours, at which the GlobalProtect agent refreshes its configuration (range is 1-168; default is 24).
(New) Update DNS Settings at Connect (Windows Only): Select Yes to flush the DNS cache and force all adapters to use the DNS settings specified in the configuration. Select No (default) to let the GlobalProtect agent use the DNS settings of the client.
(New) Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only): Select No to prevent the GlobalProtect agent from sending HIP data in response to a change in the Windows Security Center (WSC) status. Select Yes (default) to configure GlobalProtect to send HIP data immediately when the WSC status changes.
(New) Detect Proxy for Each Connection (Windows Only): Select No to have the GlobalProtect agent detect the proxy once, for the portal connection, and reuse that proxy for subsequent connections. Select Yes (default) to have the agent detect the proxy each time it connects.
(New) Clear Single Sign-On Credentials on Logout (Windows Only): Select No to let the GlobalProtect agent keep single sign-on (SSO) credentials after users log out. Select Yes (default) to clear the credentials and require users to enter them when they next log in.
(New) Use Default Authentication on Kerberos Authentication Failure (Windows Only): Select No to require GlobalProtect to authenticate using Kerberos only. Select Yes (default) to allow the GlobalProtect agent to retry authentication using the default authentication method after Kerberos authentication fails.
(New) Custom Password Expiration Message (LDAP Authentication Only): An optional custom message that the GlobalProtect agent appends to the standard password expiry message that alerts users that their password is about to expire. The message text supports up to 200 characters.
(New) Portal Connection Timeout (sec): The number of seconds of inactivity after which the portal connection request times out (range is 1-600; default is 30).
(New) TCP Connection Timeout (sec): The number of seconds of inactivity after which the TCP connection request times out (range is 1-600; default is 5).
(New) TCP Receive Timeout (sec): The number of seconds the agent waits to receive a partial response to a TCP request before timing out (range is 1-600; default is 30).
(New) Client Certificate Store Lookup: The certificate store in which the agent looks up client certificates for authenticating and establishing the VPN connection with the GlobalProtect gateway. User certificates are stored in the Current User certificate store on Windows and in the Personal Keychain on Mac OS. Machine certificates are stored in the Local Computer certificate store on Windows and in the System Keychain on Mac OS. By default, the agent looks for both user and machine certificates, in both stores.
(New) SCEP Certificate Renewal Period (days): The number of days after which the portal renews the Simple Certificate Enrollment Protocol (SCEP) certificate (default is 7). A value of 0 means the portal does not renew the certificate automatically during a configuration refresh.
(New) Maximum Internal Gateway Connection Attempts: Enter the number of times that GlobalProtect reattempts to connect to the internal gateway after the initial attempt fails. A value of 0 means the GlobalProtect agent does not retry if the initial attempt fails.
(New) Extended Key Usage OID for Client Certificate: Enter a certificate object identifier (OID) to specify the type of certificate that GlobalProtect should use for authentication on Windows and Mac clients. When specified, GlobalProtect presents only certificates that carry that OID in their Extended Key Usage extension and ignores all other certificates.
User Switch Tunnel Rename Timeout (sec): Specify a grace period, in seconds, within which the GlobalProtect gateway can reassign an existing VPN tunnel to a remote user. If the remote user fails to authenticate within the grace period, the gateway terminates the original VPN connection. The default of 0 seconds means the remote user is not permitted to authenticate with the gateway (range is 0-600).
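Before you narrow Client Certificate Store Lookup or enter an Extended Key Usage OID for Client Certificate, it helps to see which certificates on a Windows endpoint the agent could choose from. The following PowerShell is an added example, not code from the documentation or the GlobalProtect software: it lists certificates in the Current User and Local Computer personal stores that have a private key and have not expired, filtered by an EKU OID. It assumes 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth) as the example OID; substitute the OID your CA issues. The function name Get-GlobalProtectCandidateCert is chosen for this example and is not a GlobalProtect cmdlet.

```powershell
# Added example, not part of the GlobalProtect documentation or software.
# Lists client-authentication candidates in the Windows user and machine stores.
# Assumption: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth) stands in for the OID you plan
# to enter under "Extended Key Usage OID for Client Certificate".
function Get-GlobalProtectCandidateCert {
    [CmdletBinding()]
    param(
        # OID that must appear in the Extended Key Usage extension; '' disables the filter
        [string]$EkuOid = '1.3.6.1.5.5.7.3.2',
        # Mirrors the Client Certificate Store Lookup choices
        [ValidateSet('User', 'Machine', 'Both')]
        [string]$Store = 'Both'
    )

    $paths = switch ($Store) {
        'User'    { 'Cert:\CurrentUser\My' }
        'Machine' { 'Cert:\LocalMachine\My' }
        'Both'    { 'Cert:\CurrentUser\My'; 'Cert:\LocalMachine\My' }
    }

    foreach ($path in $paths) {
        $columns = @(
            @{ Name = 'Store';      Expression = { $path } },
            @{ Name = 'Subject';    Expression = { $_.Subject } },
            @{ Name = 'Thumbprint'; Expression = { $_.Thumbprint } },
            @{ Name = 'NotAfter';   Expression = { $_.NotAfter } },
            @{ Name = 'EKU';        Expression = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' } }
        )

        Get-ChildItem -Path $path | Where-Object {
            # Only certificates the agent could actually use to sign a TLS handshake
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ([string]::IsNullOrEmpty($EkuOid) -or
             ($_.EnhancedKeyUsageList.ObjectId -contains $EkuOid))
        } | Select-Object -Property $columns
    }
}

# What the default lookup (both stores) could see, then machine certificates only
Get-GlobalProtectCandidateCert | Format-Table -AutoSize
Get-GlobalProtectCandidateCert -Store Machine | Format-Table -AutoSize
```

If the list for a store is empty, restricting Client Certificate Store Lookup to that store would leave the agent with nothing to present. A certificate with no Extended Key Usage extension at all is excluded by this filter; whether the agent treats such a certificate as eligible is not stated on this page, so test with the certificates your enrollment profile actually issues.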