Select Network > GlobalProtect > Portals to set up and manage a GlobalProtect™ portal. The portal provides the management functions for the GlobalProtect infrastructure. Every client system that participates in the GlobalProtect network receives its configuration from the portal, including information about the available gateways and any client certificates that might be necessary for the client to connect to a gateway. In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to Mac and Windows laptops. (For mobile devices, the GlobalProtect app is distributed through the web store for that device—Apple App Store for iOS devices, Google Play for Android devices, Microsoft Store for Windows 10 phone and other Windows 10 UWP devices, and, for Chromebooks, the GlobalProtect app is distributed by the Chromebook Management Console or through Google Play).
To add a portal configuration, click Add to open the GlobalProtect Portal dialog.
What do you want to know? See:
What general settings should I configure for the GlobalProtect portal? GlobalProtect Portals General Tab
How can I assign an authentication profile to a portal configuration? GlobalProtect Portals Authentication Configuration Tab
What client authentication options can I configure? GlobalProtect Portals Agent Authentication Tab
How can I assign a configuration to a specific group of devices based on operating system, user, and/or user group? GlobalProtect Portals Agent User/User Group Tab
How can I configure the settings and priority of the internal and external gateways? GlobalProtect Portals Agent Gateways Tab
How can I create separate client configurations for different types of users? GlobalProtect Portals Agent Configuration Tab
What settings can I customize on the look and behavior of the GlobalProtect agent? GlobalProtect Portals Agent App Tab
How can I configure data collection options? GlobalProtect Portals Agent Data Collection Tab
How can I extend VPN connectivity to a firewall which acts as a satellite? GlobalProtect Portals Satellite Configuration Tab
Looking for more? For detailed, step-by-step instructions on setting up the portal, refer to Configure a GlobalProtect Portal in the GlobalProtect Administrator’s Guide.
GlobalProtect Portals General Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > General to define the network settings that an agent or app uses to connect to the GlobalProtect portal. Optionally, you can disable the login page or specify a custom portal login and help pages for GlobalProtect. For information on how to create and import custom pages, refer to Customize the Portal Login, Welcome, and Help Pages in the GlobalProtect Administrator’s Guide.
GlobalProtect Portal Setting Description
Name Type a name for the portal (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect portal is available. For a firewall that is not in multi-vsys mode, Location selection is not available. After you save the portal, you cannot change Location.
Network Settings
Interface Select the name of the firewall interface that will be the ingress for communications from remote clients and firewalls.
IP Address Specify the IP address on which the GlobalProtect portal web service is to run.
Appearance
Disable login page Select this option to disable access to the GlobalProtect portal login page from a web browser.
Custom Login Page (Optional) Choose a custom login page for user access to the portal.
Custom Help Page (Optional) Choose a custom help page to assist the user with GlobalProtect.
GlobalProtect Portals Authentication Configuration Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Authentication to configure several different types of GlobalProtect portal settings:
An SSL/TLS service profile that the portal and servers use for authentication. The service profile is independent of the other settings in Authentication.
Unique authentication schemes that are based primarily on the operating system of the user endpoints and secondarily on an optional authentication profile.
(Optional) A Certificate Profile, which enables GlobalProtect to use a specific certificate profile for authenticating the user. The certificate from the client must match the certificate profile (if client certificates are part of the security scheme).
GlobalProtect Portal Authentication Setting Description
Server Authentication
SSL/TLS Service Profile Select an existing SSL/TLS Service profile. The profile specifies a certificate and the allowed protocols for securing traffic on the management interface. The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate associated with the profile must match the IP address or fully qualified domain name (FQDN) of the Interface selected in the General tab. As a best practice in GlobalProtect VPN configurations, use a profile associated with a certificate from a trusted, third-party CA or a certificate that your internal enterprise CA generated.
Client Authentication
Name Enter a name to identify the client authentication configuration. (The client authentication configuration is independent of the SSL/TLS service profile.) You can create multiple client authentication configurations and differentiate them primarily by operating system and additionally by unique authentication profiles (for the same OS). For example, you can add client authentication configurations for different operating systems but also have different configurations for the same OS that are differentiated by unique authentication profiles. (You should manually order these configurations from most specific to most general. For example, all users and any OS is the most general.) You can also create configurations that GlobalProtect deploys to agents in pre-logon mode (before the user has logged in to the system) or that it applies to any user. (Pre-logon establishes a VPN tunnel to a GlobalProtect gateway before the user logs in to GlobalProtect.)
OS To deploy a client authentication profile specific to the operating system (OS) on an endpoint, Add the OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP). The OS is the primary differentiator between configurations. (See Authentication Profile for further differentiation.) The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite (LSVPN).
Authentication Profile In addition to distinguishing a client authentication configuration by an OS, you can further differentiate by specifying an authentication profile. (You can create a New Authentication Profile or select an existing one.) To configure multiple authentication options for an OS, you can create multiple client authentication profiles. If you are configuring an LSVPN in Gateways, you cannot save that configuration unless you select an authentication profile here. Also, if you plan to use serial numbers to authenticate satellites, the portal must have an authentication profile available when it cannot locate or validate a firewall serial number. Refer also to Device > Authentication Profile.
Authentication Message To help end users know the type of credentials they need for logging in, enter a message or keep the default message. The maximum length of the message is 100 characters.
Certificate Profile
Certificate Profile (Optional) Select the Certificate Profile the portal uses to match those client certificates that come from user endpoints. With a Certificate Profile, the portal authenticates the user only if the certificate from the client matches this profile. The certificate profile is independent of the OS. Also, this profile is active even if you enable Authentication Override, which overrides the Authentication Profile to allow authentication using encrypted cookies.
GlobalProtect Portals Agent Configuration Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent to define the agent configuration settings. The GlobalProtect portal deploys the configuration to the device after the connection is first established.
You can also specify that the portal automatically deploy trusted root certificate authority (CA) certificates and intermediate certificates. If the endpoints do not trust the server certificates that the GlobalProtect gateways and GlobalProtect Mobile Security Manager are using, the endpoints need these certificates to establish HTTPS connections to the gateways or Mobile Security Manager. The portal pushes the certificates you specify here to the client along with the client configuration.
To add a trusted root CA certificate, Add an existing certificate or Import a new one. To install (transparently) the trusted root CA certificates that are required for SSL Forward Proxy decryption in the certificate store on the client, select Install in Local Root Certificate Store.
If you have different types of users that require different configurations, you can create separate agent configurations to support them. The portal subsequently uses the user or group name and OS of the client to determine the agent configuration to deploy. As with security rule evaluations, the portal looks for a match, starting from the top of the list. When the portal finds a match, it delivers the corresponding configuration to the agent/app. Therefore, if you have multiple agent configurations, it is important to order them so that more specific configurations (such as those for specific users or operating systems) are above the more generic configurations. Use Move Up and Move Down to reorder the configurations. As needed, Add a new agent configuration. For detailed information on configuring the portal and creating agent configurations, refer to Configure the GlobalProtect Portal in the GlobalProtect Administrator’s Guide. When you Add a new agent configuration or modify an existing one, the agent Configs dialog opens and displays five tabs, which are described in the following tables:
GlobalProtect Portals Agent Authentication Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Authentication to configure the authentication settings that apply to the agent configuration.
GlobalProtect Portal Client Authentication Configuration Setting Description
Authentication Tab
Name Enter a descriptive name for this configuration for client authentication.
Client Certificate (Optional) Select the source that distributes the client certificate to a client, which then presents the certificate to the gateways. A client certificate is required if you are configuring mutual SSL authentication. If SCEP is configured for pre-logon in the portal client configuration, the portal generates a machine certificate that is stored in the system certificate store for gateway authentication and connections. To use a certificate that is Local to the firewall instead of a generated certificate from the PKI through SCEP, select a certificate that is already uploaded to the firewall. If you use an internal CA to distribute certificates to clients, select None (default). When you select None, the portal does not push a certificate to the client.
Save User Credentials Select Yes to save the username and password on the agent or select No to force the users to provide the password—either transparently via the client or by manually entering one—each time they connect. Select Save Username Only to save only the username each time a user connects.
Authentication Override
Generate cookie for authentication override Select this option to configure the portal to generate encrypted, endpoint-specific cookies. The portal sends this cookie to the endpoint after the user first authenticates with the portal.
Cookie Lifetime Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The ranges are 1–72 hours, 1–52 weeks, or 1–365 days. After the cookie expires, the user must enter login credentials and the portal subsequently encrypts a new cookie to send to the user endpoint.
Accept cookie for authentication override Select this option to configure the portal to authenticate clients through a valid, encrypted cookie. When the endpoint presents a valid cookie, the portal verifies that the cookie was encrypted by the portal, decrypts the cookie, and then authenticates the user.
Certificate to Encrypt/Decrypt Cookie Select the certificate to use for encrypting and decrypting the cookie. Ensure that the portal and gateways use the same certificate to encrypt and decrypt cookies. (Configure the certificate as part of a gateway client configuration. See Network > GlobalProtect > Gateways).
Two-Factor Authentication
To configure GlobalProtect to support dynamic passwords—such as one-time passwords (OTPs)—specify the portal or gateway types that require users to enter dynamic passwords. Where two-factor authentication is not enabled, GlobalProtect uses regular authentication using login credentials (such as AD) and a certificate. When you enable a portal or a gateway type for two-factor authentication, that portal or gateway prompts the user after initial portal authentication to submit credentials and a second OTP (or other dynamic password). However, if you also enable authentication override, an encrypted cookie is used to authenticate the user (after the user is first authenticated for a new session) and, thus, preempts the requirement for the user to re-enter credentials (as long as the cookie is valid). Therefore, the user is transparently logged in whenever necessary as long as the cookie is valid. You specify the lifetime of the cookie.
Portal authentication Select this option to use dynamic passwords to connect to the portal.
Internal gateway authentication Select this option to use dynamic passwords to connect to internal gateways.
Manual only external gateway authentication Select this option to use dynamic passwords to connect to external gateways that are configured as Manual gateways.
Auto discovery external gateway authentication Select this option to use dynamic passwords to connect to any remaining external gateways that the agent can automatically discover (gateways which are not configured as Manual).
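The interplay described above (a portal-issued cookie standing in for credentials and a second factor for as long as it is valid, and the portal and gateways having to share the same certificate to process it) can be made concrete with a small model. The following is an added example, not Palo Alto Networks code and not the actual cookie format: it uses a shared HMAC key as a stand-in for the configured certificate, binds the cookie to an endpoint identifier, and enforces the lifetime; the key, usernames and endpoint identifiers are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the certificate that the portal and
# every gateway must be configured with ("Certificate to Encrypt/Decrypt Cookie").
PORTAL_KEY = b"constructed-portal-cookie-key"


def issue_cookie(key, user, endpoint_id, lifetime_seconds, now=None):
    """Portal side: mint an endpoint-bound, integrity-protected cookie after the
    user completes a full authentication (credentials plus OTP where enabled)."""
    now = time.time() if now is None else now
    body = {"user": user, "endpoint": endpoint_id, "exp": now + lifetime_seconds}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def accept_cookie(key, cookie, endpoint_id, now=None):
    """Gateway side: accept only a cookie minted with the same key, not yet expired,
    and issued to this endpoint. Returns the username, or None to force a fresh
    credential (and OTP) prompt."""
    now = time.time() if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None  # malformed
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # minted with a different key (portal/gateway mismatch) or tampered
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["exp"] <= now:
        return None  # lifetime exceeded: user must log in again
    if body["endpoint"] != endpoint_id:
        return None  # cookie replayed from a different endpoint
    return body["user"]
```

The two rejection paths worth noticing are the key mismatch (a gateway configured with a different certificate than the portal will silently fall back to prompting for credentials) and the endpoint binding, which is what makes the cookie "endpoint-specific".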
GlobalProtect Portals Agent User/User Group Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > User/User Group to specify the operating systems and users or user groups to which this agent configuration applies. If this agent configuration cannot accommodate all combinations of operating systems and users, consider adding another agent configuration. If you have multiple agent configurations that are differentiated by operating systems and users or user groups, the most specific configurations should be at the top of the table in Agent and the most general (such as any OS and a broad group membership) at the bottom. You can move an agent configuration up or down as needed.
For groups, the only supported type of authentication service is LDAP.
GlobalProtect Portal Client User/User Group Configuration Setting Description
OS A user or group member can have multiple devices whose operating systems differ from each other (for example, a user with one endpoint running Windows OS and another endpoint running Mac OS). The portal can provide configurations that are specific to the OS on each endpoint. For the current agent configuration, you can Add one or more client operating systems to specify which clients receive the configuration. A portal automatically learns the OS of the client device and incorporates details for that OS in the client configuration. You can select Any OS or a specific OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP); you can also select more than one OS. The information in User/User Groups describes how you can further differentiate by selection of users, user groups, and choice of any, pre-logon or select.
User/User Group You can Add individual users or user groups to which the current agent configuration applies. You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select the groups. In addition to users and groups, you can use the drop-down to specify when these settings apply to the users or groups:
any—The agent configuration applies to all users (no need to Add users or user groups).
select—The agent configuration applies only to users and user groups you Add to this list.
pre-logon—The agent configuration applies only to the users and user groups you Add that also are configured for pre-logon or pre-logon then on-demand. To use the pre-logon option, you must also enable a pre-logon (or pre-logon then on-demand) Connect Method in the App tab for this agent configuration.
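The first-match evaluation described for agent configurations (the portal walks the list from the top and delivers the first configuration whose OS and user/group criteria match) is the same logic that makes ordering matter. The following is an added example, not Palo Alto Networks code: it models the lookup with the any/select modes from this tab and adds an ordering check that flags configurations an earlier, broader entry would always shadow. The configuration shape, and the names, users and groups, are constructed assumptions.

```python
def config_matches(cfg, client_os, user, groups):
    """True when the client's OS and identity satisfy one agent configuration."""
    if "Any" not in cfg["os"] and client_os not in cfg["os"]:
        return False
    if cfg["match"] == "any":
        return True
    # "select": the user, or one of the user's groups, must be listed explicitly
    return user in cfg["users"] or bool(cfg["groups"] & set(groups))


def select_agent_config(configs, client_os, user, groups):
    """First-match evaluation from the top of the list, as in security rule lookup.
    Returns the name of the configuration delivered to the agent, or None."""
    for cfg in configs:
        if config_matches(cfg, client_os, user, groups):
            return cfg["name"]
    return None


def shadowed_configs(configs):
    """Names of configurations that can never be delivered because an earlier,
    broader configuration matches every client they would match. Run this as an
    ordering check before committing the Agent tab."""
    shadowed = []
    for i, later in enumerate(configs):
        for earlier in configs[:i]:
            os_covered = "Any" in earlier["os"] or later["os"] <= earlier["os"]
            if not os_covered:
                continue
            if earlier["match"] == "any":
                shadowed.append(later["name"])
                break
            if (later["match"] == "select"
                    and later["users"] <= earlier["users"]
                    and later["groups"] <= earlier["groups"]):
                shadowed.append(later["name"])
                break
    return shadowed


# Constructed configurations. The specific Windows administrator configuration is
# listed below the catch-all, which is the ordering mistake the text warns about.
MISORDERED = [
    {"name": "generic-any-os", "os": {"Any"}, "match": "any",
     "users": set(), "groups": set()},
    {"name": "win-admins", "os": {"Windows"}, "match": "select",
     "users": set(), "groups": {"vpn-admins"}},
]
# The same two configurations with the more specific one on top.
CORRECT = list(reversed(MISORDERED))
```

With MISORDERED, a Windows member of vpn-admins receives the generic configuration and the administrator-specific one is dead; with CORRECT, that user gets win-admins while everyone else still falls through to the catch-all.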
GlobalProtect Portals Agent Gateways Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Gateways to configure the settings for internal and external gateways for an agent configuration.
GlobalProtect Portal Gateway Setting Description
Internal Gateways
Specify the internal firewalls to which an agent or app can request access and also provide HIP reports (if HIP is enabled in the GlobalProtect Portals Agent Data Collection Tab). Add internal gateways that include the following information for each:
Name—A label of up to 31 characters to identify the gateway. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Address—The IP address or FQDN of the firewall interface for the gateway. This value must match the Common Name (CN) and SAN (if specified) in the gateway server certificate. For example, if you used an FQDN to generate the certificate, you must enter the FQDN here.
External Gateways
Cutoff Time (sec) Specify the number of seconds that an agent or app waits for all of the available gateways to respond before it selects the best gateway. For subsequent connection requests, the agent or app tries to connect to only those gateways that responded before the cutoff. A value of 0 means the agent or app uses the TCP timeout (range is 0-10; default is 5).
Specify the list of firewalls to which agents can try to connect when establishing a tunnel while not on the corporate network. Add external gateways that include the following information for each:
Name—A label of up to 31 characters to identify the gateway. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Address—The IP address or FQDN of the firewall interface where the gateway is configured. The value must match the CN (and SAN if specified) field in the gateway server certificate (for example, if you used an FQDN to generate the certificate, you must also enter the FQDN here).
Priority—Select a value (Highest, High, Medium, Low, Lowest, or Manual only) to help the agent determine which gateway to use. The agent will contact all specified gateways (except those with a priority of Manual only) and establish a tunnel with the firewall that provides the fastest response and the highest priority value.
Manual—Select this option to let users manually select (or switch to) a gateway. The GlobalProtect agent can connect to any external gateway that is configured as Manual. When the agent or app connects to another gateway, the existing tunnel is disconnected and a new tunnel established. The manual gateways can also have a different authentication mechanism than the primary gateway. If a client system is restarted or if a rediscovery is performed, the GlobalProtect agent connects to the primary gateway. This feature is useful if a group of users needs to connect temporarily to a specific gateway to access a secure segment of your network.
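The cutoff time and priority settings above combine into an automatic selection among external gateways. The following is an added example, not Palo Alto Networks code: it is a simplified model in which Manual only gateways are excluded, gateways that did not answer before the cutoff are dropped (and remembered as non-responders for later attempts), and among the rest priority is compared first with response time as the tie-breaker. How the real agent weighs priority against response time is not specified on this page, so that ordering is an assumption, as are the TCP timeout stand-in, the gateway names, addresses and response times.

```python
PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}
TCP_TIMEOUT_SECONDS = 5.0  # assumed stand-in for the agent's TCP timeout when cutoff is 0


def responding_gateways(gateways, responses, cutoff_seconds):
    """Gateways eligible for automatic selection: not 'Manual only', and answered
    before the cutoff. Returns (gateway, response_time) pairs; the agent retries
    only these on subsequent connection requests."""
    limit = cutoff_seconds if cutoff_seconds > 0 else TCP_TIMEOUT_SECONDS
    eligible = []
    for gw in gateways:
        if gw["priority"] == "Manual only":
            continue  # reachable only when a user picks it explicitly
        rtt = responses.get(gw["name"])
        if rtt is None or rtt > limit:
            continue  # no answer before the cutoff
        eligible.append((gw, rtt))
    return eligible


def select_gateway(gateways, responses, cutoff_seconds):
    """Name of the gateway the agent would tunnel to, or None if nothing answered."""
    eligible = responding_gateways(gateways, responses, cutoff_seconds)
    if not eligible:
        return None
    best = min(eligible, key=lambda e: (PRIORITY_RANK[e[0]["priority"]], e[1]))
    return best[0]["name"]


# Constructed gateway list; addresses are placeholders.
GATEWAYS = [
    {"name": "gw-eu", "address": "gw-eu.example.com", "priority": "Highest"},
    {"name": "gw-us", "address": "gw-us.example.com", "priority": "High"},
    {"name": "gw-apac", "address": "gw-apac.example.com", "priority": "Highest"},
    {"name": "gw-lab", "address": "gw-lab.example.com", "priority": "Manual only"},
]
# Constructed response times in seconds; gw-lab answers fastest but is manual only.
RESPONSES = {"gw-eu": 0.9, "gw-us": 0.05, "gw-apac": 0.3, "gw-lab": 0.01}
```

With the default cutoff of 5 seconds the two Highest gateways both respond and the faster of them wins; with a cutoff of 0.1 seconds only gw-us answers in time, so a lower-priority gateway is chosen, which is the trade-off to keep in mind when shrinking the cutoff.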
Internal Host Detection
Internal Host Detection Select this option to allow the GlobalProtect agent to determine whether it is inside the enterprise network. This option applies only to endpoints that are configured to communicate with internal gateways. When the user attempts to log in, the agent performs a reverse DNS lookup of the specified IP Address and checks that it resolves to the specified Hostname. The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the lookup returns the expected hostname, the endpoint is inside the network and the agent connects to an internal gateway; if the lookup fails, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways.
IP Address Enter an internal IP Address for internal host detection.
Hostname Enter the Hostname that resolves to the IP address within the internal network.
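The internal host detection check above, modelled in code. This is an added example, not Palo Alto Networks code: a reverse lookup of the configured IP Address must return the configured Hostname, and any resolver failure or mismatch is treated as "outside", so the agent falls back to an external gateway. The resolver is injected so the same logic runs against the operating system resolver or, as here, a constructed PTR table; the IP address and hostname are made up.

```python
import socket


def real_reverse_lookup(ip_address):
    """Adapter for the OS resolver; gethostbyaddr returns (hostname, aliases, addrs)."""
    return socket.gethostbyaddr(ip_address)[0]


def is_inside_enterprise(ip_address, expected_hostname, reverse_lookup):
    """True only when the reverse lookup of ip_address yields expected_hostname.
    A resolver error means 'outside', which is the safe default."""
    try:
        answer = reverse_lookup(ip_address)
    except OSError:
        return False
    return answer.rstrip(".").lower() == expected_hostname.rstrip(".").lower()


def gateway_type(ip_address, expected_hostname, reverse_lookup):
    """Which kind of gateway the agent connects to after the detection check."""
    inside = is_inside_enterprise(ip_address, expected_hostname, reverse_lookup)
    return "internal" if inside else "external"


def make_resolver(ptr_records):
    """Constructed resolver: a dict of IP -> hostname standing in for the DNS view
    the endpoint currently has. Raises OSError like the real resolver on a miss."""
    def lookup(ip_address):
        try:
            return ptr_records[ip_address]
        except KeyError:
            raise OSError("no PTR record") from None
    return lookup


# Constructed DNS views: the internal resolver knows the probe host, the public
# resolver does not, and a third view answers with an unrelated name.
INSIDE_VIEW = make_resolver({"10.0.0.5": "gp-probe.corp.example."})
OUTSIDE_VIEW = make_resolver({})
OTHER_VIEW = make_resolver({"10.0.0.5": "unrelated.example"})
```

The design point this makes visible is that the check only proves the endpoint is using a resolver that serves the expected PTR record. Keep that record in the internal DNS view only (split-horizon DNS) and choose a hostname that is not published externally, so that a network outside the enterprise cannot satisfy the lookup and cause the agent to look for an internal gateway it cannot reach.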
Third Party VPN
Third Party VPN To direct the GlobalProtect agent or app to ignore selected, third-party VPN clients so that GlobalProtect does not conflict with them, Add the name of the VPN client by selecting the name from the list or entering the name in the field provided. GlobalProtect ignores the route settings for the specified VPN clients if you configure this feature.
GlobalProtect Portals Agent App Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App to specify how end users interact with the GlobalProtect agents installed on their systems. You can define different app settings for the different GlobalProtect agent configurations you create.
GlobalProtect App Configuration Setting Description
Welcome Page Select a welcome page to present to end users after they connect to GlobalProtect. You can select the factory-default page or Import a custom page. The default is None.
App Configurations
Connect Method
On-demand (Manual user initiated connection)—Users must launch the GlobalProtect agent or app and then initiate a connection to the portal and enter their GlobalProtect credentials. This option is used primarily for remote access connections.
User-logon (Always On)—The GlobalProtect agent or app automatically establishes a connection to the portal after the user logs in to an endpoint. The portal responds by providing the client with the appropriate agent configuration. Subsequently, the agent sets up a tunnel to one of the gateways specified in the agent configuration received from the portal.
Pre-logon—Pre-logon ensures remote Windows and Mac users are always connected to the corporate network and enables user logon scripts and application of domain policies when the user logs in to the endpoint. Because the endpoint can connect to the corporate network as if it were internal, users can log in with new passwords when their passwords expire or receive help with password recovery if they forget their password. With pre-logon, the GlobalProtect agent establishes a VPN tunnel to a GlobalProtect gateway before the user logs in to the endpoint; the endpoint requests authentication by submitting a pre-installed machine certificate to the gateway. Then, on Windows endpoints, the gateway reassigns the VPN tunnel from the pre-logon user to the username that logged in to the endpoint; on Mac endpoints, the agent disconnects and creates a new VPN tunnel for the user. There are two pre-logon connect methods, either of which enables the same pre-logon functionality that takes place before users log in to the endpoint. However, after users log in to the endpoint, the pre-logon connect method determines when the GlobalProtect agent connection is established:
Pre-logon (Always On)—The GlobalProtect agent automatically attempts to connect and reconnect to GlobalProtect gateways. Mobile devices do not support pre-logon functionality, and therefore will default to the User-logon (Always On) connect method if this connect method is specified.
Pre-logon then On-demand (available only with content release 590-3397 and later releases)—Users must launch the GlobalProtect agent or app and then initiate the connection manually. Mobile devices do not support pre-logon functionality, and therefore will default to the On-demand (Manual user initiated connection) connect method if this connect method is specified.
GlobalProtect App Config Refresh Interval (hours) Specify the number of hours the GlobalProtect portal waits before it initiates the next refresh of a client’s configuration (range is 1-168; default is 24).
Allow User to Disable GlobalProtect App Specifies whether users are allowed to disable the GlobalProtect agent and, if so, what—if anything—they must do before they can disable the agent:
Allow—Allow any user to disable the GlobalProtect agent as needed.
Disallow—Do not allow end users to disable the GlobalProtect agent.
Allow with Comment—Allow users to disable the GlobalProtect agent or app on their endpoint but require that they submit their reason for disabling the agent.
Allow with Passcode—Allow users to enter a passcode to disable the GlobalProtect agent or app. This option requires the user to enter and confirm a Passcode value that, like a password, does not display when typed. Typically, administrators provide a passcode to users before unplanned or unanticipated events prevent users from connecting to the network by using the GlobalProtect VPN. You can provide the passcode through email or as a posting on your organization’s website.
Allow with Ticket—This option enables a challenge-response mechanism where, after a user attempts to disable GlobalProtect, the endpoint displays an 8-character hexadecimal ticket request number. The user must contact the firewall administrator or support team (preferably by phone for security purposes) to provide this number. From the firewall (Network > GlobalProtect > Portals), the administrator or support person can then click Generate Ticket and enter the ticket Request number to obtain the Ticket number (also an 8-character hexadecimal number). The administrator or support person provides this ticket number to the user, who then enters it into the challenge field to disable the agent.
Allow User to Upgrade GlobalProtect App Specifies whether end users can upgrade the GlobalProtect agent software and, if they can, whether they can choose when to upgrade:
Disallow—Prevent users from upgrading the agent or app software.
Allow Manually—Allow users to manually check for and initiate upgrades by selecting Check Version in the GlobalProtect agent.
Allow with Prompt (default)—Prompt users when a new version is activated on the firewall and allow users to upgrade their software when it is convenient.
Allow Transparently—Automatically upgrade the agent software whenever a new version becomes available on the portal.
Use Single Sign-on (Windows Only) Select No to disable single sign-on (SSO). With SSO enabled (default), the GlobalProtect agent automatically uses the Windows login credentials to authenticate and then connect to the GlobalProtect portal and gateway. GlobalProtect can also wrap third-party credentials to ensure that Windows users can authenticate and connect even when a third-party credential provider is used to wrap the Windows login credentials.
Clear Single Sign-On Credentials on Logout (Windows Only) Select No to keep single sign-on credentials when the user logs out. Select Yes (default) to clear them and force the user to enter credentials upon the next login.
Use Default Authentication on Kerberos Authentication Failure (Windows Only) Select No to use only Kerberos authentication. Select Yes (default) to retry authentication by using the default authentication method after a failure to authenticate with Kerberos.
Enforce GlobalProtect Connection for Network Access Select Yes to force all network traffic to traverse a GlobalProtect tunnel. By default, this option is set to No, meaning GlobalProtect is not required for network access and users can still access the internet if GlobalProtect is disabled or disconnected. To provide instructions to users before traffic is blocked, configure a Traffic Blocking Notification Message and optionally specify when to display the message (Traffic Blocking Notification Delay). To permit traffic required to establish a connection with a captive portal, specify a Captive Portal Exception Timeout. The user must authenticate with the captive portal before the timeout expires. To provide additional instructions, configure a Captive Portal Detection Message.
Captive Portal Exception Timeout (sec) To enforce GlobalProtect for network access but provide a grace period to allow users enough time to connect to a captive portal, specify the timeout in seconds (range is 0 to 3600). For example, a value of 60 means the user must log in to the captive portal within one minute after GlobalProtect detects the captive portal. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and immediately blocks access.
Traffic Blocking Notification Delay (sec) Specify a value, in seconds, to determine when to display the notification message. GlobalProtect starts the countdown to display the notification after the network is reachable (default is 15; range is 5 to 120).
Display Traffic Blocking Notification Message Specify whether a message appears when GlobalProtect is required for network access. Select No to disable the message. By default the value is set to Yes, meaning GlobalProtect displays the message when GlobalProtect is disconnected but detects that the network is reachable.
Traffic Blocking Notification Message Customize a notification message to display to users when GlobalProtect is required for network access. The message can indicate the reason for blocking the traffic and provide instructions on how to connect (for example, To access the network, you must first connect to GlobalProtect. ). The message must be 512 or fewer characters.
Allow User to Dismiss Traffic Blocking Notifications Select No to always display traffic blocking notifications. By default the value is set to Yes meaning users are permitted to dismiss the notifications.
Display Captive Portal Detection Message Specifies whether a message appears when GlobalProtect detects a captive portal. Select Yes to enable the message. By default the value is set to No, meaning GlobalProtect does not display a message when it detects a captive portal.
Captive Portal Detection Message Customize a notification message to display to users when GlobalProtect detects a captive portal. The message can provide additional information about connecting to the captive portal (for example, GlobalProtect has temporarily permitted network access for you to connect to the internet. Follow instructions from your internet provider. If you let the connection time out, open GlobalProtect and click Connect to try again.). The message must be 512 or fewer characters.
Client Certificate Store Lookup Select the type of certificate or certificates that an agent or app looks up in its personal certificate store. The GlobalProtect agent or app uses the certificate to authenticate to the portal or a gateway and then establish a VPN tunnel to the GlobalProtect gateway.
User—Authenticate by using the certificate that is local to the user’s account.
Machine—Authenticate by using the certificate that is local to the endpoint. This certificate applies to all the user accounts permitted to use the endpoint.
User and machine (default)—Authenticate by using the user certificate and the machine certificate.
SCEP Certificate Renewal Period (days) This mechanism is for renewing a SCEP-generated certificate before the certificate actually expires. You specify the maximum number of days before certificate expiry that the portal can request a new certificate from the SCEP server in your PKI system (range is 0-30; default is 7). A value of 0 means that the portal does not automatically renew the client certificate when it refreshes a client configuration. For an agent or app to get the new certificate, the user must log in during the renewal period (the portal does not request the new certificate for a user during this renewal period unless the user logs in). For example, suppose that a client certificate has a lifespan of 90 days and this certificate renewal period is 7 days. If a user logs in during the final 7 days of the certificate lifespan, the portal generates the certificate and downloads it along with a refreshed client configuration. See GlobalProtect App Config Refresh Interval (hours).
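The renewal-window arithmetic from the 90-day certificate / 7-day renewal period example above, as an added Python illustration (not Palo Alto Networks code); the issue date is a constructed sample value, and treating a login after expiry as outside the renewal window is an assumption the page does not state.

```python
from datetime import datetime, timedelta, timezone

# Constructed scenario from the text: a 90-day client certificate and a
# 7-day SCEP Certificate Renewal Period. The issue date is a made-up sample.
CERT_LIFETIME_DAYS = 90
RENEWAL_PERIOD_DAYS = 7
NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=CERT_LIFETIME_DAYS)  # 2024-03-31


def login_at(day):
    """Portal login time expressed as a day offset from the certificate's issue date."""
    return NOT_BEFORE + timedelta(days=day)


def renewal_window_start(not_after, renewal_days):
    """Earliest login time at which the portal requests a new certificate."""
    if not 0 <= renewal_days <= 30:
        raise ValueError("SCEP Certificate Renewal Period must be 0-30 days")
    return not_after - timedelta(days=renewal_days)


def portal_renews_on_login(not_after, login_time, renewal_days):
    """True if a portal login at login_time falls inside the renewal period."""
    # A value of 0 disables automatic renewal on configuration refresh.
    if renewal_days == 0:
        return False
    # Assumption (not stated on the page): a login after expiry is outside
    # the renewal period, so no automatic renewal is modelled for it.
    if login_time >= not_after:
        return False
    return login_time >= renewal_window_start(not_after, renewal_days)


def days_until_expiry(not_after, at):
    """Whole days left on the certificate at the given time (negative once expired)."""
    return (not_after - at).days


if __name__ == "__main__":
    # Logins on days 50 and 82 refresh the config only; days 83-89 also renew.
    for day in (50, 82, 83, 85, 89):
        print(day, days_until_expiry(NOT_AFTER, login_at(day)),
              portal_renews_on_login(NOT_AFTER, login_at(day), RENEWAL_PERIOD_DAYS))
```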
Extended Key Usage OID for Client Certificate Enter the extended key usage of a client certificate by specifying its object identifier (OID). This setting ensures that the GlobalProtect agent selects only a certificate that is intended for client authentication and enables GlobalProtect to save the certificate for future use.
Enable Advanced View Select No to restrict the user interface on the client side to the basic, minimal view. The advanced view is enabled by default.
Allow User to Dismiss Welcome Page Select No to force the Welcome Page to appear each time a user initiates a connection. This restriction prevents a user from dismissing important information, such as terms and conditions that may be required by your organization to maintain compliance.
Enable Rediscover Network Option Select No to prevent users from manually initiating a network rediscovery.
Enable Resubmit Host Profile Option Select No to prevent users from manually triggering resubmission of the latest HIP.
Allow User to Change Portal Address Select No to disable the Portal field on the Home tab in the GlobalProtect agent or app. However, because the user will then be unable to specify a portal to which to connect, you must supply the default portal address in the Windows registry or Mac plist:
Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal
Mac plist: /Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist with key Portal
For more information about pre-deploying the portal address, see Customizable Agent Settings in the GlobalProtect Administrator’s Guide.
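One way to pre-deploy the Portal value at the registry and plist locations named above, as an added Python example that is not Palo Alto Networks code; portal.example.com is a placeholder hostname, and the self-test helper writes to a temporary path rather than the real /Library/Preferences file.

```python
import plistlib
import sys
import tempfile
from pathlib import Path

# Locations and key name as given in the portal setting description.
MAC_PANSETUP_PLIST = Path(
    "/Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist")
WIN_PANSETUP_KEY = r"SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup"
PORTAL_KEY = "Portal"


def set_portal_in_plist(portal, path=MAC_PANSETUP_PLIST):
    """Write the Portal key into the PanSetup plist, preserving any other keys."""
    data = {}
    if path.exists():
        with path.open("rb") as fh:
            data = plistlib.load(fh)
    data[PORTAL_KEY] = portal
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("wb") as fh:
        plistlib.dump(data, fh)
    return data


def get_portal_from_plist(path=MAC_PANSETUP_PLIST):
    """Return the pre-deployed portal address, or None if the key is absent."""
    if not path.exists():
        return None
    with path.open("rb") as fh:
        return plistlib.load(fh).get(PORTAL_KEY)


def set_portal_in_registry(portal):
    """Windows only: set the Portal string value under HKLM (needs administrator rights)."""
    if sys.platform != "win32":
        raise RuntimeError("registry pre-deployment applies to Windows endpoints only")
    import winreg  # available only on Windows
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, WIN_PANSETUP_KEY,
                            0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, PORTAL_KEY, 0, winreg.REG_SZ, portal)


def plist_roundtrip(portal, existing=None):
    """Self-test helper: write a temporary PanSetup plist and read the value back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / MAC_PANSETUP_PLIST.name
        if existing:
            with path.open("wb") as fh:
                plistlib.dump(existing, fh)  # simulate keys already deployed
        merged = set_portal_in_plist(portal, path)
        return get_portal_from_plist(path), merged
```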
Allow User to Continue with Invalid Portal Server Certificate Select No to prevent the agent from establishing a connection with the portal if the portal certificate is not valid.
Display GlobalProtect Icon Select No to hide the GlobalProtect icon on the client system. If the icon is hidden, users cannot perform certain tasks, such as viewing troubleshooting information, changing passwords, rediscovering the network, or performing an on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs do display when user interaction is necessary.
User Switch Tunnel Rename Timeout (sec) (Windows Only) Specify the number of seconds that a remote user has to be authenticated by a GlobalProtect gateway after logging into an endpoint by using Microsoft’s Remote Desktop Protocol (RDP) (range is 0-600; default is 0). Requiring the remote user to authenticate within a limited amount of time maintains security. After authenticating the new user and switching the tunnel to the user, the gateway renames the tunnel. A value of 0 means that the current user’s tunnel is not renamed but, instead, is immediately terminated. In this case, the remote user gets a new tunnel and has no time limit for authenticating to a gateway (other than the configured TCP timeout).
Show System Tray Notifications (Windows Only) Select No to hide notifications from the user. Select Yes (default) to display notifications in the system tray area.
Custom Password Expiration Message (Windows Only) Create a custom message to display to users when their password is about to expire. The maximum message length is 200 characters.
Maximum Internal Gateway Connection Attempts Enter the maximum number of times the GlobalProtect agent should retry the connection to an internal gateway after the first attempt fails (range is 0-100; default is 0, which means the GlobalProtect agent does not retry the connection). By increasing the value, you enable the agent to automatically connect to an internal gateway that is temporarily down or unreachable during the first connection attempt but comes back up before the specified number of retries are exhausted. Increasing the value also ensures that the internal gateway receives the most up-to-date user and host information.
Portal Connection Timeout (sec) The number of seconds (between 1 and 600) before a connection request to the portal times out due to no response from the portal. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 30. Starting with content version 777-4484, the default is 5.
TCP Connection Timeout (sec) The number of seconds (between 1 and 600) before a TCP connection request times out due to unresponsiveness from either end of the connection. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 60. Starting with content version 777-4484, the default is 5.
TCP Receive Timeout (sec) The number of seconds before a TCP connection times out due to the absence of some partial response of a TCP request (range is 1-600; default is 30).
Update DNS Settings at Connect (Windows Only) Select Yes to flush the DNS cache and force all adapters to use the DNS settings in the configuration. Select No (the default) to use the DNS settings of the client.
Detect Proxy for Each Connection (Windows Only) Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.
Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only) Select No to prevent the GlobalProtect agent from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
Retain Connection on Smart Card Removal (Windows Only) Select Yes to retain the connection when a user removes a smart card containing a client certificate. Select No (default) to terminate the connection when a user removes a smart card.
Disable GlobalProtect Agent or App
Passcode/Confirm Passcode Enter and then confirm a passcode if the setting for Allow User to Disable GlobalProtect App is Allow with Passcode. Treat this passcode like a password—record it and store it in a secure place. You can distribute the passcode to new GlobalProtect users by email or post it in a support area of your company website. If circumstances prevent the endpoint from establishing a VPN connection and this feature is enabled, a user can enter this passcode in the agent or app interface to disable the GlobalProtect agent and get Internet access without using the VPN.
Max Times User Can Disable Specify the maximum number of times that a user can disable GlobalProtect before the user must connect to a firewall. The default value of 0 means users have no limit to the number of times they can disable the agent.
Disable Timeout (min) Specify the maximum number of minutes the GlobalProtect agent or app can be disabled. After the specified time passes, the agent tries to connect to the firewall. The default of 0 indicates that the disable period is unlimited.
Mobile Security Manager Settings
Mobile Security Manager If you are using the GlobalProtect Mobile Security Manager for mobile device management (MDM), enter the IP address or FQDN of the device check-in (enrollment) interface on the GP-100 appliance.
Enrollment Port The port number the mobile endpoint should use when connecting to the GlobalProtect Mobile Security Manager for enrollment. By default, the Mobile Security Manager listens on port 443. A best practice is to keep this port number so that mobile endpoint users are not prompted for a client certificate during the enrollment process (possible values are 443, 7443, and 8443; default is 443).
GlobalProtect Portals Agent Data Collection Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Data Collection to define the data the agent collects from the client in the HIP report.
GlobalProtect Data Collection Configuration Setting Description
Collect HIP Data Clear this selection to prevent the agent from collecting and sending HIP data.
Max Wait Time (sec) Specify how many seconds the agent or app should search for HIP data before submitting the available data (range is 10-60; default is 20).
Exclude Categories Select Exclude Categories to specify the host information categories for which you do not want the agent or app to collect HIP data. Select a Category (such as data-loss-prevention) to exclude from HIP collection. After selecting a category, you can Add a particular Vendor and then Add specific products from that vendor to further refine the exclusion as needed. Click OK to save settings in each dialog.
Custom Checks Select Custom Checks to define custom host information you want the agent to collect. For example, if you have any required applications that are not included in the Vendor or Product lists for creating HIP objects, you can create a custom check to determine whether that application is installed (it has a corresponding Windows registry or Mac plist key) or is currently running (it has a corresponding running process):
Windows: Add a check for a particular registry key or key value.
Mac: Add a check for a particular plist key or key value.
Process List: Add the processes you want to check for on user endpoints to see if they are running. For example, to determine whether a software application is running, add the name of the executable file to the process list. You can add a process to the Windows tab, the Mac tab, or both.
GlobalProtect Portals Satellite Configuration Tab
A satellite is a Palo Alto Networks firewall—typically at a branch office—that acts as a GlobalProtect agent to enable the satellite to establish VPN connectivity to a GlobalProtect gateway. Like a GlobalProtect agent, a satellite receives its initial configuration from the portal, which includes the certificates, VPN configuration, and routing information that enable the satellite to connect to all configured gateways and establish VPN connectivity.
Before configuring the GlobalProtect satellite settings on the branch office firewall, you must configure an interface with WAN connectivity and set up a security zone and policy to allow the branch office LAN to communicate with the Internet. You can then select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Satellite > <GlobalProtect-satellite> to configure the GlobalProtect satellite settings on the portal, as in the following table.
GlobalProtect Portal Satellite Configuration Setting Description
General Name—A name for this satellite configuration on the GlobalProtect portal.
Configuration Refresh Interval (hours)—How often a satellite should check the portal for configuration updates (range is 1-48; default is 24).
Devices Add a satellite using the firewall serial number. The portal can accept a serial number or login credentials to identify who is requesting a connection; if the portal does not receive a serial number, it requests login credentials. If you identify the satellite by its firewall serial number, you do not need to provide user login credentials when the satellite first connects to acquire the authentication certificate and its initial configuration. After the satellite authenticates by either a serial number or login credentials, the satellite hostname is automatically added to the portal.
Enrollment User/User Group The portal can use Enrollment User/User Group settings with or without serial numbers to match a satellite to this configuration. Satellites that do not match on a serial number are required to authenticate either as an individual user or group member. Add the user or group that you want to receive this configuration. Before you can restrict the configuration to specific groups, you must enable Group Mapping in the firewall (Device > User Identification > Group Mapping Settings).
Gateways Click Add to enter the IP address or hostname of the gateway(s) to which satellites using this configuration can establish IPSec tunnels. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway (range is 1-25). Lower numbers have higher priority (among gateways that are available). The satellite multiplies the routing priority by 10 to determine the routing metric. Routes published by the gateway are installed on the satellite as static routes, and the metric for each static route is 10 times the routing priority. If you have more than one gateway, be sure to set the routing priority so that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway. The satellite also shares its network and routing information with the gateways if you Publish all static and connected routes to Gateway (Network > IPSec Tunnels > <tunnel> > Advanced, available only when you select GlobalProtect Satellite on the <tunnel> > General tab). See Network > IPSec Tunnels for details.
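The metric calculation and route selection described above, as an added Python example (not PAN-OS code); the gateway names and prefixes are constructed, and skipping the routes of an unavailable gateway is an assumption used to model "for gateways that are available".

```python
# Constructed topology: both hub gateways publish the same two prefixes.
# Gateway names, prefixes and priorities are sample values, not from the page.
PUBLISHED_ROUTES = {
    # gateway: (Routing Priority, prefixes published by that gateway)
    "gw-primary": (1, ["10.1.0.0/16", "10.2.0.0/16"]),
    "gw-backup": (10, ["10.1.0.0/16", "10.2.0.0/16"]),
}

METRIC_FACTOR = 10  # the satellite multiplies the routing priority by 10


def routing_metric(priority):
    """Static-route metric the satellite installs for a gateway's published routes."""
    if not 1 <= priority <= 25:
        raise ValueError("Routing Priority must be 1-25")
    return priority * METRIC_FACTOR


def install_static_routes(published, available=None):
    """Build the satellite's route table: prefix -> [(metric, gateway), ...],
    sorted so the preferred (lowest-metric) gateway comes first."""
    table = {}
    for gateway, (priority, prefixes) in published.items():
        # Assumption: routes from a gateway that is not reachable are not installed.
        if available is not None and gateway not in available:
            continue
        for prefix in prefixes:
            table.setdefault(prefix, []).append((routing_metric(priority), gateway))
    for routes in table.values():
        routes.sort()
    return table


def preferred_gateway(table, prefix):
    """Gateway whose route for the prefix has the lowest metric, or None."""
    routes = table.get(prefix)
    return routes[0][1] if routes else None


def backup_metrics_exceed_primary(published, primary):
    """Check the advice above: every other gateway's metric must be strictly higher
    than the primary's, otherwise a backup could win route selection."""
    primary_metric = routing_metric(published[primary][0])
    return all(routing_metric(priority) > primary_metric
               for gateway, (priority, _) in published.items() if gateway != primary)


if __name__ == "__main__":
    for prefix, routes in install_static_routes(PUBLISHED_ROUTES).items():
        print(prefix, routes)  # metric 10 via gw-primary, 100 via gw-backup
```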
Trusted Root CA Click Add and then select the CA certificate for issuing gateway server certificates. As a best practice, all your gateways should use the same issuer. You can Import or Generate a root CA certificate for issuing gateway server certificates if one doesn’t already exist on the portal.
Client Certificate
Local Issuing Certificate Select the root CA issuing certificate the portal will use to issue certificates to a satellite after it successfully authenticates. If the needed issuing certificate does not already exist on the firewall, you can Import or Generate it.
Validity Period (days)—Specify the GlobalProtect satellite certificate lifetime (range is 7-365; default is 7).
Certificate Renewal Period (days)—Specify the number of days before expiration that certificates can be automatically renewed (range is 3-30; default is 3).
OCSP Responder Select the OCSP Responder the satellite will use to verify the revocation status of certificates presented by the portal and gateways. None means that OCSP is not used for verifying revocation of a certificate.
SCEP SCEP—Select a SCEP profile for generating client certificates. If the profile is not in the drop-down, you can create a New profile.
Certificate Renewal Period (days)—Specify the number of days before expiration that certificates can be automatically renewed (range is 3-30; default is 3).
