GlobalProtect App Configuration Setting |
Description |
Welcome Page
|
Select a welcome page to present to end users after they connect to GlobalProtect. You can select the
factory-default
page or
Import
a custom page. The default is
None.
|
App Configurations
|
Connect Method
|
On-demand (Manual user initiated connection)
—Users must launch the GlobalProtect agent or app and then initiate a connection to the portal and enter their GlobalProtect credentials. This option is used primarily for remote access connections.
User-logon (Always On)
—The GlobalProtect agent or app automatically establishes a connection to the portal after the user logs in to an endpoint. The portal responds by providing the client with the appropriate agent configuration. Subsequently, the agent sets up a tunnel to one of the gateways specified in the agent configuration received from the portal.
Pre-logon
—Pre-logon ensures remote Windows and Mac users are always connected to the corporate network and enables user logon scripts and application of domain policies when the user logs in to the endpoint. Because the endpoint can connect to the corporate network as if it were internal, users can log in with new passwords when their passwords expire or receive help with password recovery if they forget their password. With pre-logon, the GlobalProtect agent establishes a VPN tunnel to a GlobalProtect gateway before the user logs in to the endpoint; the endpoint requests authentication by submitting a pre-installed machine certificate to the gateway. Then, on Windows endpoints, the gateway reassigns the VPN tunnel from the pre-logon user to the username that logged in to the endpoint; on Mac endpoints, the agent disconnects and creates a new VPN tunnel for the user.
There are two pre-logon connect methods, either of which enables the same pre-logon functionality that takes place before users log in to the endpoint. However, after users log in to the endpoint, the pre-logon connect method determines when the GlobalProtect agent connection is established:
Pre-logon (Always On)
—The GlobalProtect agent automatically attempts to connect and reconnect to GlobalProtect gateways. Mobile devices do not support pre-logon functionality, and therefore will default to the
User-logon (Always On)
connect method if this connect method is specified.
Pre-logon then On-demand
(
available only with content release 590-3397 and later releases
)—Users must launch the GlobalProtect agent or app and then initiate the connection manually. Mobile devices do not support pre-logon functionality, and therefore will default to the
On-demand (Manual user initiated connection)
connect method if this connect method is specified.
|
GlobalProtect App Config Refresh Interval (hours)
|
Specify the number of hours the GlobalProtect portal waits before it initiates the next refresh of a client’s configuration (range is 1-168; default is 24).
|
Allow User to Disable GlobalProtect App
|
Specifies whether users are allowed to disable the GlobalProtect agent and, if so, what—if anything—they must do before they can disable the agent:
Allow
—Allow any user to disable the GlobalProtect agent as needed.
Disallow
—Do not allow end users to disable the GlobalProtect agent.
Allow with Comment
—Allow users to disable the GlobalProtect agent or app on their endpoint but require that they submit their reason for disabling the agent.
Allow with Passcode
—Allow users to enter a passcode to disable the GlobalProtect agent or app. This option requires you to enter and confirm a Passcode value (see Passcode/Confirm Passcode below) that, like a password, does not display when typed. Typically, administrators provide the passcode to users in advance so that users can still get network access when an unplanned event prevents them from connecting through the GlobalProtect VPN. You can provide the passcode through email or as a posting on your organization’s website. Note that the passcode is a single shared secret for every user who receives this configuration, so anyone who learns it can disable the agent; if you need per-request control, use Allow with Ticket instead.
Allow with Ticket
—This option enables a challenge-response mechanism where, after a user attempts to disable GlobalProtect, the endpoint displays an 8-character hexadecimal ticket request number. The user must contact the firewall administrator or support team (preferably by phone for security purposes) to provide this number. From the firewall (
Network > GlobalProtect > Portals), the administrator or support person can then click
Generate Ticket
and enter the ticket
Request
number to obtain the
Ticket
number (also an 8-character hexadecimal number). The administrator or support person provides this ticket number to the user, who then enters it into the challenge field to disable the agent.
|
Allow User to Upgrade GlobalProtect App
|
Specifies whether end users can upgrade the GlobalProtect agent software and, if they can, whether they can choose when to upgrade:
Disallow
—Prevent users from upgrading the agent or app software.
Allow Manually
—Allow users to manually check for and initiate upgrades by selecting
Check Version
in the GlobalProtect agent.
Allow with Prompt
(default)—Prompt users when a new version is activated on the firewall and allow users to upgrade their software when it is convenient.
Allow Transparently
—Automatically upgrade the agent software whenever a new version becomes available on the portal.
|
Use Single Sign-on
(
Windows Only
)
|
Select
No
to disable single sign-on (SSO). With SSO enabled (default), the GlobalProtect agent automatically uses the Windows login credentials to authenticate and then connect to the GlobalProtect portal and gateway. GlobalProtect can also wrap third-party credentials to ensure that Windows users can authenticate and connect even when a third-party credential provider is used to wrap the Windows login credentials.
|
Clear Single Sign-On Credentials on Logout
(
Windows Only
)
|
Select
No
to keep single sign-on credentials when the user logs out. Select
Yes
(default) to clear them and force the user to enter credentials upon the next login.
|
Use Default Authentication on Kerberos Authentication Failure
(
Windows Only
)
|
Select
No
to use only Kerberos authentication. Select
Yes
(default) to retry authentication by using the default authentication method after a failure to authenticate with Kerberos.
|
Enforce GlobalProtect Connection for Network Access
|
Select
Yes
to force all network traffic to traverse a GlobalProtect tunnel. By default, this option is set to
No
meaning that GlobalProtect is not required for network access and users can still reach the internet if GlobalProtect is disabled or disconnected. To provide instructions to users before traffic is blocked, configure a
Traffic Blocking Notification Message
and optionally specify when to display the message (
Traffic Blocking Notification Delay). To permit traffic required to establish a connection with a captive portal, specify a
Captive Portal Exception Timeout. The user must authenticate with the portal before the timeout expires. To provide additional instructions, configure a
Captive Portal Detection Message.
|
Captive Portal Exception Timeout (sec)
|
To enforce GlobalProtect for network access but provide a grace period to allow users enough time to connect to a captive portal, specify the timeout in seconds (range is 0 to 3600). For example, a value of 60 means the user must log in to the captive portal within one minute after GlobalProtect detects the captive portal. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and immediately blocks access.
|
Traffic Blocking Notification Delay (sec)
|
Specify a value, in seconds, to determine when to display the notification message. GlobalProtect starts the countdown to display the notification after the network is reachable (default is 15; range is 5 to 120).
|
Display Traffic Blocking Notification Message
|
Specify whether a message appears when GlobalProtect is required for network access. Select
No
to disable the message. By default the value is set to
Yes
meaning GlobalProtect displays the message when GlobalProtect is disconnected but detects that network is reachable.
|
Traffic Blocking Notification Message
|
Customize a notification message to display to users when GlobalProtect is required for network access. The message can indicate the reason for blocking the traffic and provide instructions on how to connect (for example,
To access the network, you must first connect to GlobalProtect.
). The message must be 512 or fewer characters.
|
Allow User to Dismiss Traffic Blocking Notifications
|
Select
No
to always display traffic blocking notifications. By default the value is set to
Yes
meaning users are permitted to dismiss the notifications.
|
Display Captive Portal Detection Message
|
Specifies whether a message appears when GlobalProtect detects a captive portal. Select
Yes
to enable the message. By default the value is set to
No
meaning GlobalProtect does not display a message when it detects a captive portal.
|
Captive Portal Detection Message
|
Customize a notification message to display to users when GlobalProtect detects a captive portal. The message can provide additional information about connecting to the captive portal (for example, GlobalProtect has temporarily permitted network access for you to connect to the internet. Follow instructions from your internet provider. If you let the connection time out, open GlobalProtect and click Connect to try again.). The message must be 512 or fewer characters.
|
Client Certificate Store Lookup
|
Select the type of certificate or certificates that an agent or app looks up in its personal certificate store. The GlobalProtect agent or app uses the certificate to authenticate to the portal or a gateway and then establish a VPN tunnel to the GlobalProtect gateway.
User
—Authenticate by using the certificate that is local to the user’s account.
Machine
—Authenticate by using the certificate that is local to the endpoint. This certificate applies to all the user accounts permitted to use the endpoint.
User and machine
(default)—Authenticate by using the user certificate and the machine certificate.
|
SCEP Certificate Renewal Period (days)
|
This mechanism is for renewing a SCEP-generated certificate before the certificate actually expires. You specify the maximum number of days before certificate expiry that the portal can request a new certificate from the SCEP server in your PKI system (range is 0-30; default is 7). A value of 0 means that the portal does not automatically renew the client certificate when it refreshes a client configuration.
For an agent or app to get the new certificate, the user must log in during the renewal period (the portal does not request the new certificate for a user during this renewal period unless the user logs in).
For example, suppose that a client certificate has a lifespan of 90 days and this certificate renewal period is 7 days. If a user logs in during the final 7 days of the certificate lifespan, the portal generates the certificate and downloads it along with a refreshed client configuration. See
GlobalProtect App Config Refresh Interval (hours).
|
Extended Key Usage OID for Client Certificate
|
Enter the extended key usage of a client certificate by specifying its object identifier (OID). This setting ensures that the GlobalProtect agent selects only a certificate that is intended for client authentication and enables GlobalProtect to save the certificate for future use.
|
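The following PowerShell script is an added example and is not part of the GlobalProtect documentation or the agent itself. It shows, for the User and Machine stores named in Client Certificate Store Lookup, which certificates carry the EKU OID you set in Extended Key Usage OID for Client Certificate and have a private key, and flags which of them already fall inside the SCEP Certificate Renewal Period. The OID 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth) and the 7-day window are assumptions; substitute the values from your configuration.

```powershell
# Added example (not GlobalProtect code): list client-auth certificate candidates per store.
# Assumptions: $EkuOid is the OID configured in "Extended Key Usage OID for Client Certificate",
# $RenewalDays matches "SCEP Certificate Renewal Period (days)".
$EkuOid      = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$RenewalDays = 7

function Test-HasEku {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $Oid) { return $true }
            }
        }
    }
    # No EKU extension, or an EKU extension without this OID: treated as not selectable
    # under a strict OID filter. This is the script's choice, not documented agent behaviour.
    return $false
}

# "User" lookup reads the current user's personal store; "Machine" reads the endpoint's.
# The machine store is also where pre-logon expects the pre-installed machine certificate.
$stores = [ordered]@{
    'User'    = 'Cert:\CurrentUser\My'
    'Machine' = 'Cert:\LocalMachine\My'
}

foreach ($label in $stores.Keys) {
    $path = $stores[$label]
    Write-Output "== $label store ($path), EKU $EkuOid, renewal window $RenewalDays days"
    Get-ChildItem -Path $path |
        Where-Object { $_.HasPrivateKey -and (Test-HasEku -Cert $_ -Oid $EkuOid) } |
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Expired    = ($daysLeft -lt 0)
                # Inside the renewal window: the portal will request a new certificate
                # the next time this user logs in and the client configuration refreshes.
                InRenewal  = ($daysLeft -ge 0 -and $daysLeft -le $RenewalDays)
            }
        } |
        Format-Table -AutoSize
}
```

Run it in the context of the user who is having trouble. An empty User table with a populated Machine table (or the reverse) is the usual reason an agent configured for a single store cannot find a certificate; a certificate present only in the User store will not satisfy the pre-logon machine-certificate step.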
Enable Advanced View
|
Select
No
to restrict the user interface on the client side to the basic, minimum view. The advanced view is enabled by default.
|
Allow User to Dismiss Welcome Page
|
Select
No
to force the Welcome Page to appear each time a user initiates a connection. This restriction prevents a user from dismissing important information, such as terms and conditions that may be required by your organization to maintain compliance.
|
Enable Rediscover Network Option
|
Select
No
to prevent users from manually initiating a network rediscovery.
|
Enable Resubmit Host Profile Option
|
Select
No
to prevent users from manually triggering resubmission of the latest HIP.
|
Allow User to Change Portal Address
|
Select
No
to disable the
Portal
field on the
Home
tab in the GlobalProtect agent or app. However, because the user will then be unable to specify a portal to which to connect, you must supply the default portal address in the Windows registry or Mac plist:
Windows registry
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
with key
Portal
Mac plist
/Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist
with key
Portal
For more information about pre-deploying the portal address, see
Customizable Agent Settings
in the GlobalProtect Administrator’s Guide.
|
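The following script is an added example, not part of the GlobalProtect documentation. It pre-seeds the Portal value in the registry key quoted above so that the agent has a portal address even when Allow User to Change Portal Address is set to No, then reads the value back to confirm what the agent will see. The portal FQDN gp.example.com is an assumption; the key path and value name are the ones the documentation gives.

```powershell
# Added example (not GlobalProtect code): pre-deploy the portal address on Windows.
# Assumption: $Portal is your portal's FQDN. Key path and value name are from the documentation.
$Portal  = 'gp.example.com'
$KeyPath = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

# HKLM writes need an elevated session; fail early with a clear message instead of an access-denied error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Writing to HKLM requires an elevated PowerShell session.'
}

# Create the key if the agent has not been installed yet or the key is missing.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Set (or overwrite) the Portal value as REG_SZ.
Set-ItemProperty -Path $KeyPath -Name 'Portal' -Value $Portal -Type String

# Verify by reading back exactly what the agent will read.
$current = (Get-ItemProperty -Path $KeyPath -Name 'Portal').Portal
if ($current -ne $Portal) {
    throw "Portal value readback mismatch: expected '$Portal', found '$current'"
}
Write-Output "Portal pre-set to '$current' under $KeyPath"
```

On macOS the same key goes into the plist listed above, for example with `sudo defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup Portal gp.example.com`. Deploy the value through your endpoint management tooling before locking the Portal field, otherwise users on endpoints that lack it cannot connect at all.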
Allow User to Continue with Invalid Portal Server Certificate
|
Select
No
to prevent the agent from establishing a connection with the portal if the portal certificate is not valid. Keep this set to No wherever possible: if the agent proceeds despite an untrusted certificate, anyone who can intercept the connection can impersonate the portal, which is the source of the agent configuration and gateway list.
|
Display GlobalProtect Icon
|
Select
No
to hide the GlobalProtect icon on the client system. If the icon is hidden, users cannot perform certain tasks, such as viewing troubleshooting information, changing passwords, rediscovering the network, or performing an on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs do display when user interaction is necessary.
|
User Switch Tunnel Rename Timeout (sec)
(
Windows Only
)
|
Specify the number of seconds that a remote user has to be authenticated by a GlobalProtect gateway after logging in to an endpoint by using Microsoft’s Remote Desktop Protocol (RDP) (range is 0-600; default is 0). Bounding this window limits how long the new session can use the existing tunnel before its own user has authenticated to a gateway.
After authenticating the new user and switching the tunnel to the user, the gateway renames the tunnel.
A value of 0 means that the current user’s tunnel is not renamed but, instead, is immediately terminated. In this case, the remote user gets a new tunnel and has no time limit for authenticating to a gateway (other than the configured TCP timeout).
|
Show System Tray Notifications
(
Windows Only
)
|
Select
No
to hide notifications from the user. Select
Yes
(default) to display notifications in the system tray area.
|
Custom Password Expiration Message
(
Windows Only
)
|
Create a custom message to display to users when their password is about to expire. The maximum message length is 200 characters.
|
Maximum Internal Gateway Connection Attempts
|
Enter the maximum number of times the GlobalProtect agent should retry the connection to an internal gateway after the first attempt fails (range is 0-100; default is 0, which means the GlobalProtect agent does not retry the connection). By increasing the value, you enable the agent to automatically connect to an internal gateway that is temporarily down or unreachable during the first connection attempt but comes back up before the specified number of retries are exhausted. Increasing the value also ensures that the internal gateway receives the most up-to-date user and host information.
|
Portal Connection Timeout (sec)
|
The number of seconds (between 1 and 600) before a connection request to the portal times out due to no response from the portal. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 30. Starting with content version 777-4484, the default is 5.
|
TCP Connection Timeout (sec)
|
The number of seconds (between 1 and 600) before a TCP connection request times out due to unresponsiveness from either end of the connection. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 60. Starting with content version 777-4484, the default is 5.
|
TCP Receive Timeout (sec)
|
The number of seconds before a TCP connection times out because no partial response to a TCP request has been received (range is 1-600; default is 30).
|
Update DNS Settings at Connect
(
Windows Only
)
|
Select
Yes
to flush the DNS cache and force all adapters to use the DNS settings in the configuration. Select
No
(the default) to use the DNS settings of the client.
|
Detect Proxy for Each Connection
(
Windows Only
)
|
Select
No
to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select
Yes
(default) to auto-detect the proxy at every connection.
|
Send HIP Report Immediately if Windows Security Center (WSC) State Changes
(
Windows Only
)
|
Select
No
to prevent the GlobalProtect agent from sending HIP data when the status of the Windows Security Center (WSC) changes. Select
Yes
(default) to immediately send HIP data when the status of the WSC changes.
|
Retain Connection on Smart Card Removal (Windows Only)
|
Select
Yes
to retain the connection when a user removes a smart card containing a client certificate. Select
No
(default) to terminate the connection when a user removes a smart card.
|
Disable GlobalProtect Agent or App
|
Passcode/Confirm Passcode
|
Enter and then confirm a passcode if the setting for
Allow User to Disable GlobalProtect App
is
Allow with Passcode. Treat this passcode like a password—record it and store it in a secure place. You can distribute the passcode to new GlobalProtect users by email or post it in a support area of your company website.
If circumstances prevent the endpoint from establishing a VPN connection and this feature is enabled, a user can enter this passcode in the agent or app interface to disable the GlobalProtect agent and get Internet access without using the VPN.
|
Max Times User Can Disable
|
Specify the maximum number of times that a user can disable GlobalProtect before the user must connect to a firewall. The default value of 0 means users have no limit to the number of times they can disable the agent.
|
Disable Timeout (min)
|
Specify the maximum number of minutes the GlobalProtect agent or app can be disabled. After the specified time passes, the agent tries to connect to the firewall. The default of 0 indicates that the disable period is unlimited.
|
Mobile Security Manager Settings
|
Mobile Security Manager
|
If you are using the GlobalProtect Mobile Security Manager for mobile device management (MDM), enter the IP address or FQDN of the device check-in (enrollment) interface on the GP-100 appliance.
|
Enrollment Port
|
The port number the mobile endpoint should use when connecting to the GlobalProtect Mobile Security Manager for enrollment. By default, the Mobile Security Manager listens on port 443. A best practice is to keep this port number so that mobile endpoint users are not prompted for a client certificate during the enrollment process (possible values are 443, 7443, and 8443; default is 443).
|