End-of-Life (EoL)
GlobalProtect Features
| New GlobalProtect Features | Description |
|---|---|
| GlobalProtect App for Chrome OS | The new GlobalProtect app for Chrome OS is now available for Chromebooks running Chrome OS 45 and later. The app, which is available from the Chrome Web Store, extends the same next-generation firewall-based policies that are enforced within the physical perimeter to devices running Chrome OS. GlobalProtect portals and gateways support the GlobalProtect app for Chromebooks in PAN-OS 6.1 and later releases. |
| Simplified GlobalProtect Agent User Interface for Windows and Mac OS Clients | The GlobalProtect agent 3.0 for Windows and Mac OS now displays a simpler, cleaner user interface. As part of the redesign, a user can now log in to the GlobalProtect portal and view connection status information directly from the main Home tab. The remaining tabs provide details and statistics about the connection, the host state information that the GlobalProtect agent is collecting, and troubleshooting information. |
| Dynamic GlobalProtect App Customization | New configuration options for the GlobalProtect app will now be available with content releases. This change allows you to take advantage of new app configuration features without waiting for the next PAN-OS release. With this feature, you can also view all customization options from the new App tab in a GlobalProtect portal agent configuration. Configure these options to change the default display of the GlobalProtect user interface, usability preferences, timeout values, and scenario-based behaviors. The new customization options include settings that, in earlier releases, required you to define their values in the Windows registry or Mac global property list (plist). Settings defined in the GlobalProtect portal agent configuration take precedence over settings defined in the Windows registry or the Mac plist. |
| Enhanced Two-Factor Authentication for GlobalProtect | Two-factor authentication is now easier to deploy and use. By pre-deploying a client certificate through the Simple Certificate Enrollment Protocol (SCEP) and by enabling dynamic passwords, such as one-time passwords (OTPs), you make strong two-factor authentication easier, as follows: |
| Client Authentication Configuration by Operating System or Browser | For increased flexibility, you can now specify the client operating system (Android, iOS, Windows, Mac, or Chrome) to which to apply a client authentication configuration. You can also customize the client authentication for satellite devices, web-based browser access (GlobalProtect portal only), and third-party IPSec VPN access (GlobalProtect gateways only). This enhancement enables you to customize the authentication method for different sets of users. |
| Kerberos Single Sign-On for GlobalProtect | GlobalProtect clients running on Windows 7, 8, or 10 now support Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. In this implementation, the GlobalProtect portal and gateway act as Kerberos service principals, and the GlobalProtect app acts as a user principal and authenticates the user with a Kerberos service ticket obtained from the Key Distribution Center (KDC). Kerberos SSO is primarily intended for internal gateway configurations, to provide accurate User-ID™ information transparently without any user interaction. |
| Customizable Password Expiry Notification Message | You can now customize the notification message that GlobalProtect displays when a user’s password is about to expire. The new option is available in the GlobalProtect portal agent configuration and is supported with the LDAP authentication method. The GlobalProtect agent appends the custom message to the standard password expiry notification that it displays before a user’s password expires. This enhancement enables you to display information that users may need when their password is about to expire. |
| Enhanced Authentication Challenge Support for Android and iOS Devices | GlobalProtect for iOS and Android devices now supports a two-factor authentication challenge delivered as a one-time password (OTP). When prompted, the user can cancel the login to view the token password sent via SMS or retrieved with any other token app on the mobile device. The user must then return to the GlobalProtect app and log in with the valid token password within 30 seconds. If the user does not successfully enter the password within 30 seconds, the authentication challenge disappears and the user must restart the GlobalProtect app to enter the password. |
| Block Access from Lost or Stolen and Unknown Devices | For greater protection against unauthorized network access, you can now block access from both known and unknown devices. To block network access from known devices, you can add host IDs to a device block list. This is useful when a user reports that a device is lost or stolen and you need to take immediate action. To prevent unauthorized access from unknown devices, you can configure the firewall to pre-deploy client certificates through the Simple Certificate Enrollment Protocol (SCEP) and enable GlobalProtect to use the SCEP configuration on Palo Alto Networks firewalls to validate that these client certificates (used to authenticate users) were issued to the authenticating device. When enabled, GlobalProtect blocks the session if the certificate does not match the device to which it was issued. |
| Certificate Selection by OID | You can now specify the certificate that GlobalProtect uses for authentication on Windows and Mac clients by entering the certificate object identifier (OID). When you specify an OID, GlobalProtect filters out all certificates except those with the matching OID. |
| Save Username Only Option | You can now enable GlobalProtect to save only the username when users log in to GlobalProtect. The new option provides an alternative to saving both the username and password. This option replaces the Allow user to save password option that was available in PAN-OS 7.0. For upgrade information on this feature, see Upgrade/Downgrade Considerations. |
| Use Address Objects in a GlobalProtect Gateway Client Configuration | You can now use an address object, which can include an IPv4 address or an FQDN, to define networking settings in a GlobalProtect gateway client configuration. IP address pools support address objects that define a single IP address, a range of IP addresses, or an IP netmask; access routes support address objects that define a single IP address or an IP netmask. You can also define address objects in Panorama and deploy them with GlobalProtect settings to gateway devices. |
| Transparent Distribution of Trusted Root CAs for SSL Decryption | You can now easily and transparently install the trusted root certificate authority (CA) certificates required for SSL forward proxy decryption through a GlobalProtect portal configuration. For each CA certificate that you enable, the GlobalProtect portal automatically distributes the certificate to the GlobalProtect agent, which installs it in the certificate store on GlobalProtect endpoints. The firewall uses these certificates to establish itself as a trusted third party in the session between the client and the server. |
| Maximum Internal Gateway Connection Retry Attempts | You can now configure the maximum number of retries when the GlobalProtect agent fails to connect to an internal gateway. By default, the agent does not retry the connection attempt when the internal gateway is temporarily down or unreachable. With this new feature, you can specify the number of retries by configuring the option in a GlobalProtect portal agent configuration. |
| GlobalProtect Notification Suppression | You can now suppress the bubble notifications that GlobalProtect displays from the notification area (system tray). Each notification contains information about changes in the agent status. Suppressing the bubble notifications allows the GlobalProtect agent to run more transparently and enables you to further customize the behavior of the GlobalProtect agent on Windows clients. |
| Disable GlobalProtect Without Comment | For increased flexibility, you can now allow a user to disable the GlobalProtect app without providing a comment, passcode, or ticket number. In this release, you can configure the option as part of a GlobalProtect portal agent configuration. In earlier releases, this option was only available in the Windows registry or Mac global property list (plist). Settings defined in the GlobalProtect portal agent configuration take precedence over settings defined in the Windows registry or the Mac plist. |