GlobalProtect Changes

PAN-OS® 8.0 has the following changes in default behavior for GlobalProtect™ features:
Feature
Change
GlobalProtect portals and gateways
  • The AgentGateways tab for GlobalProtect portal configurations is split into two separate tabs: Internal and External. Use the Internal tab to specify internal gateway settings for GlobalProtect agents and apps. Use the External tab to specify external gateway settings for GlobalProtect agents and apps. These are layout changes only—your existing PAN-OS 7.1 configuration is preserved.
  • The AgentClient SettingsNetwork Settings tab for GlobalProtect gateway configurations is replaced with two separate tabs: IP Pools and Split Tunnel. These are layout changes only—your existing PAN-OS 7.1 configuration is preserved.
  • The selectable Disable login page option on the General tab for GlobalProtect portal configurations is now a Disable command in the Portal Login Page. This is a layout change only—your existing PAN-OS 7.1 configuration is preserved.
  • (PAN-OS 8.0.5 and later releases) To improve access control for GlobalProtectportals and gateways (internal or external), even when user endpoints have valid authentication override cookies, PAN-OS now matches the users against the Allow List of authentication profiles (DeviceAuthentication Profile<authentication_profile>Advanced). Modifying the Allow List is an easy way to prevent unauthorized access by users who have valid cookies but disabled accounts.
IP address pools
In PAN-OS 7.1 and earlier releases, to prevent potential IP address conflicts, the GlobalProtect gateway did not assign an IP address if the local network IP address sent from the endpoint was in the same subnet as the IP address pool. Users had to configure a second IP address pool that contained addresses from a separate subnet. Beginning in PAN-OS 8.0, when you configure only one IP address pool, GlobalProtect assigns an IP address regardless of subnet overlap. This change may cause warning messages on Windows endpoints. If you are concerned about the warning message, configure a second IP address pool.
Clientless VPN
The option to Allow user to launch unpublished applications is now renamed Display application URL address bar. The new option name better reflects the purpose of this option.
Web interfaces changes
GlobalProtect has the following minor changes to menu and check box labels. These are changes to wording only—your existing PAN-OS 7.1 configuration is preserved.
Location
PAN-OS 7.1 Label
PAN-OS 8.0 Label
The General tab for GlobalProtect portal configurations
Custom Login Page
Portal Login Page
The General tab for GlobalProtect portal configurations
Custom Help Page
App Help Page
The AgentExternal> Add > External Gateway for GlobalProtect portal configurations
If this GlobalProtect gateway can be manually selected
Manual (the user can manually select this gateway)

Related Documentation