The new GlobalProtect app for Chrome OS extends the same next-generation firewall-based policies that are enforced within the physical perimeter to Chromebooks. To set up the app for the user automatically, you can optionally use the Google Chromebook Management Console to configure and deploy settings to managed Chrome OS devices.
Prerequisites for the GlobalProtect App for Chrome OS
To add support for the GlobalProtect app for Chrome OS, consider the following:
The GlobalProtect app 3.0 is available for Chromebooks running Chrome OS 45 and later.
GlobalProtect portals and gateways support the GlobalProtect app for Chrome OS in PAN-OS 6.1 and later releases.
(Client certificate authentication only) To authenticate using client certificates, upgrade the GlobalProtect gateway to PAN-OS 6.1.8, PAN-OS 7.0.3, PAN-OS 7.1.0, or any subsequent release.
Because Chrome OS does not allow third-party applications to launch automatically, the GlobalProtect app for Chrome OS must use the on-demand connect method to initiate a VPN connection. For ease of configuration, the GlobalProtect portal automatically uses the on-demand connect method in the client configuration so that you do not need to manually change the connect method.
The GlobalProtect app for Chrome OS collects HIP data specific to Chrome. Therefore, if you are using HIP-based policy enforcement, consider modifying your existing HIP objects and HIP profiles or creating new ones.
Configure the GlobalProtect App for Chrome OS
Configure the Gateway to Support the GlobalProtect App for Chrome OS
The GlobalProtect app for Chrome OS can establish VPN connections with both internal and external gateways. Configuring a gateway that supports the GlobalProtect app for Chrome OS is similar to configuring a gateway that supports mobile devices—you must also install a gateway subscription for each gateway that supports Chromebooks. You can also customize an external gateway configuration to apply it specifically to Chromebooks (see Client Authentication Configuration by Operating System or Browser).
Configure the Portal and Customize the GlobalProtect App to Support Chrome OS
To support the GlobalProtect app for Chrome OS, you must configure one or more gateways to which the app can connect and then configure the portal and app settings. The portal sends configuration information to the app, including information about available gateways and customization settings that define how end users interact with the app.
After receiving the configuration from the GlobalProtect portal, the app auto-discovers the gateways listed in the client configuration and selects the best gateway. Because Chrome OS does not allow third-party applications to launch automatically, the GlobalProtect app for Chrome OS only supports on-demand connections. As a result, the end user has to launch the app and manually initiate the connection to establish a VPN tunnel.
The following workflow shows how to configure the GlobalProtect portal to support Chrome OS clients.
Configure the Portal and Customize the App
Before You Begin: Configure one or more gateways to which the app can connect. See Configure the Gateway to Support the GlobalProtect App for Chrome OS.
Configure the GlobalProtect portal.
Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a client configuration or Add a new one.
(New portal configuration only) On the General tab, provide a Name and Interface for the new GlobalProtect portal configuration.
Configure the method of authentication a GlobalProtect portal uses to authenticate Chrome OS users.
Select the Authentication tab.
(New portal configuration only) Select an SSL/TLS Service Profile.
Add a new Client Authentication configuration and configure the settings. To create a configuration specific to Chromebooks, specify Chrome as the OS as described in Client Authentication Configuration by Operating System or Browser.
Add the trusted root CA certificate the app will use to perform certificate checks when connecting to the GlobalProtect gateway. The portal deploys the specified root CA certificate with the client configuration. If the certificate is self-signed, the GlobalProtect app for Chrome OS will not use the certificate deployed by the portal. Therefore, to use a self-signed certificate, you must install the root CA in the client's local certificate store. If GlobalProtect does not require the certificate, you must install it in the root CA of the client’s local certificate store.
Select the Agent tab and Add the trusted root CA in the Trusted Root CA section.
Install the root CA in the local certificate store of the Chromebook:
From the Chromebook, click the status area and then select Settings > Show advanced settings > Manage certificates > Authorities > Import.
Browse to the certificate and then click Open.
When prompted to edit trust settings, select all options and then click OK.
Verify that the Chromebook lists the certificate on Your Certificates tab.
Add a new agent configuration for the app and configure the internal or external gateways to which users with this configuration can connect. The GlobalProtect app for Chrome OS does not support manual gateway configurations.
Select Network > GlobalProtect > Portals and reselect the portal configuration you are configuring.
From the Agent tab, select the agent configuration you want to modify or Add a new one.
Select Authentication and provide a Name for the configuration.
Select Gateways and Add one or more internal or external gateways.
(External gateways only) Set the Priority of the gateway. GlobalProtect excludes any external gateways that have Manual only priority.
Customize how your end users interact with the GlobalProtect app installed on their Chromebooks. The GlobalProtect app for Chrome OS supports only the configuration options listed here.
On the App tab, configure the Connect Method as On-demand (Manual user initiated connection). This setting requires users to manually initiate a VPN connection using the GlobalProtect app. The GlobalProtect app for Chrome OS supports only this connect method and automatically uses this method for all connections even if you do not specify it as the Connect Method.
Customize the behavior of the app for users that receive this configuration, including any of the following supported options:
Enable Advanced View: Select No to restrict the user interface on the Chromebook to the basic minimum view. By default, the user can view advanced settings.
Allow User to Change Portal Address: Select No to disable the Portal field on the GlobalProtect app.
Allow User to Continue with Invalid Portal Server Certificate: Select No to prevent the app from establishing a connection with the portal if the portal certificate is not valid. By default, the app can establish a connection with the portal when the portal certificate is not valid.
Portal Connection Timeout: Specify the amount of time, in seconds, after which the app cancels the portal connection (range is 1-600; default is 30).
TCP Connection Timeout: Specify the amount of time, in seconds, after which the app cancels a TCP connection request (range is 1-600; default is 5).
TCP Receive Timeout: Specify the permitted amount of time, in seconds, in which the app can receive a partial response to a request or read some data. If the response exceeds the timeout, the app cancels the request (range is 1-600; default is 30).
SCEP Cert Renewal Period: Specify the number of days after which the app renews the Simple Certificate Enrollment Protocol (SCEP) certificate. A value of 0 means the certificate should not be renewed automatically during a configuration refresh.
Maximum Internal Gateway Connection Attempts: Specify the maximum number of times the app tries to establish a connection to an internal gateway. The default is 0, which means the app does not reattempt a connection after an initial failure.
Save your configuration changes. Click OK twice. Commit your changes.
Deploy the GlobalProtect app to end users. The portal does not distribute the GlobalProtect app for Chrome OS. An end user can download the GlobalProtect app directly from the Chrome Web Store. You can also force-install the app on managed Chromebooks using the Chromebook Management Console. See Configure the GlobalProtect App Using the Chromebook Management Console.
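The App tab options from the workflow above can be checked mechanically before you commit. The following is an added example, not Palo Alto Networks code: the dictionary layout keyed by option label is a hypothetical export format, and the severity labels and the choice of No as the hardened value are this example's assumptions.

```python
# Added example: audit one agent "App" configuration against the values this page documents.
# Keys are option labels from the App tab; the dict layout is hypothetical, not a PAN-OS schema.

# Timeout options: documented default in seconds (documented range for each is 1-600).
TIMEOUT_DEFAULTS = {
    "Portal Connection Timeout": 30,
    "TCP Connection Timeout": 5,
    "TCP Receive Timeout": 30,
}
# Options that the page says are permissive unless set to No, with this example's own severity.
PERMISSIVE_BY_DEFAULT = {
    "Allow User to Continue with Invalid Portal Server Certificate": "high",
    "Enable Advanced View": "low",
}

def audit_app_settings(cfg):
    """Return (severity, option, message) findings for one agent configuration."""
    findings = []
    for name, severity in PERMISSIVE_BY_DEFAULT.items():
        value = cfg.get(name)  # a missing key means the permissive default applies
        if value is None:
            findings.append((severity, name, "not set, permissive default applies"))
        elif value != "No":
            findings.append((severity, name, f"set to {value!r}, hardened value is 'No'"))
    for name, default in TIMEOUT_DEFAULTS.items():
        value = cfg.get(name, default)
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if not is_int or not 1 <= value <= 600:
            findings.append(("error", name, f"{value!r} is outside 1-600 seconds"))
    method = cfg.get("Connect Method")
    if method not in (None, "On-demand"):
        # The app uses on-demand for all connections whatever is configured here.
        findings.append(("info", "Connect Method", f"{method!r} has no effect on Chrome OS"))
    return findings

# Constructed sample configurations.
DEFAULTS_ONLY = {}
HARDENED = {
    "Allow User to Continue with Invalid Portal Server Certificate": "No",
    "Enable Advanced View": "No",
    "Connect Method": "On-demand",
}
MISCONFIGURED = {**HARDENED, "TCP Connection Timeout": 0, "Connect Method": "User-logon"}

if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULTS_ONLY), ("hardened", HARDENED),
                       ("misconfigured", MISCONFIGURED)):
        print(label, audit_app_settings(cfg))
```

An empty configuration yields a finding for the invalid-certificate option because leaving it unset keeps the default under which the app still connects to a portal whose certificate is not valid.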
Enforce Policies on the GlobalProtect App for Chrome OS
With the release of the GlobalProtect app for Chrome OS, you can now create HIP objects using Host Info that is specific to Chrome OS and use them as match conditions in any HIP profiles. You can then use a HIP profile as a match condition in a policy rule to enforce the corresponding security policy.
The following table defines the criteria specific to Chrome OS that you can use when you create a HIP object.
| HIP Object Criteria | Value |
| --- | --- |
| General > Host Info > OS | Select Contains: Google: Chrome to create a HIP object that looks for information about devices running Chrome OS. |
| General > Host Info > Client Version | Select an operator (for example, Contains) and then enter the version number of the GlobalProtect app for Chrome OS. For example, enter 3.0 to match endpoints running the GlobalProtect app 3.0. Specifying the client version without specifying the OS or hostname matches all endpoints regardless of OS version. |
| General > Host Info > Host Name | Select an operator (for example, Contains) and enter CHROME to match devices that contain chrome in the host name. GlobalProtect automatically prepends the host name with this prefix when the app submits the host information to the gateway. |
Deploy the GlobalProtect App for Chrome OS
Deploy the GlobalProtect app using either of the following methods:
Chrome Web Store: You or your users can install the GlobalProtect app on a Chromebook by downloading the app from the Chrome Web Store.
Chromebook Management Console: Enables management of Chromebook settings and apps from a central, web-based location. From the console, you can deploy the GlobalProtect app to Chromebooks and customize VPN settings.
