New GlobalProtect Features
IPv6 for GlobalProtect
GlobalProtect clients and satellites can now connect to portals and gateways using IPv6. This feature allows connections from clients that are in IPv6-only environments, IPv4 only environments, or dual-stack (IPv4 and IPv6) environments. You can tunnel IPv4 traffic over an IPv6 tunnel and the IP address pool can assign both IPv4 and IPv6 addresses. To use this feature, you must install a GlobalProtect subscription on each gateway that supports GlobalProtect clients that use IPv6 addresses.
Define Split Tunnels by Excluding Access Routes
You can now exclude specific destination IP subnets traffic from being sent over the VPN tunnel. With this feature, you can send latency-sensitive or high-bandwidth-consuming traffic outside of the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway.
External Gateway Priority by Source Region
GlobalProtect can now use the geographic region of the GlobalProtect client to determine the best external gateway. By including source region as part of the external gateway selection logic, you can ensure that users connect to gateways that are preferred for their current region. This can help avoid distant connections when there are momentary fluctuations of network latency. This can also be used to ensure all connections stay within a region if desired.
Internal Gateway Selection by Source IP Address
GlobalProtect can now restrict internal gateway connection choicesbasedonthe source IP address of the client. In a distributed enterprise, this features allows you to have users from a branch to authenticate and send HIP reports to the firewall configured as the internal gateway for that branch as opposed to authenticating and sending HIP reports to all branches.
GlobalProtect Agent Login Enhancement
To simplify GlobalProtect agents and prevent unnecessary login prompts when a username and password are not required, the panel that showed portal, username, and password is now split into two screens (one screen for the portal address and another screen for username and password). The GlobalProtect agent now displays login prompts for username and password only if this information is required. GlobalProtect automatically hides the username and password screen for authentication types—such as cookie or client certificate authentication—that do not require a username and password.
Authentication Policy and Multi-Factor Authentication for GlobalProtect
You can leverage the new Authentication Policy and Multi-Factor Authentication enhancements within GlobalProtect to support access to non-HTTP applications that require multi-factor authentication. GlobalProtect can now notify and prompt the user to perform the timely, multi-factor authentication needed to access sensitive network resources.
SAML 2.0 Authentication for GlobalProtect
GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication. If you have chosen SAML as your authentication standard, GlobalProtect portals and gateways can act as Security Assertion Markup Language (SAML)2.0 service providers and GlobalProtect clients can authenticate users directly to the SAML identity provider.
Restrict Transparent Agent Upgrades to Internal Network Connections
You can now control when transparent upgrades occur for a GlobalProtect client. With this configuration, if the user connects from outside the corporate network, the upgrade is postponed. Later, when the user connects from within the corporate network, the upgrade is activated. This feature allows you to hold the updates until users can take advantage of good network availability and high bandwidth from within the corporate network. The upgrades will not hinder users when they travel to environments with low bandwidth.
The PAN-OS Windows User-ID agent has been extended to support a new AirWatch MDM Integration service. This service acts a replacement for the GlobalProtect Mobile Security Manager and enables GlobalProtect to use the host information collected by the service to enforce HIP-based policies on devices managed by VMware AirWatch. Running as part of the PAN-OS Windows User-ID agent, the AirWatch MDM integration service uses the AirWatch API to collect information from mobile devices (including Android and iOS) that are managed by AirWatch and translate this data into host information.
Increased Capacity for Split Tunnel Include Access Routes
(PAN-OS 8.0.2 and later releases)
The firewall now supports up to 800 access routes used to include traffic in a split tunnel gateway configuration on Chromebooks and up to 1000 access routes on all other endpoints. This enables you include a greater number of routes from being sent over the GlobalProtect VPN tunnel than was previously available. Note that the exclude tunnel capacity remains the same at 200 access routes. For upgrade and downgrade considerations for this feature, see the PAN-OS 8.0 New Features Guide.
GlobalProtect Features Clientless VPN IPv6 for GlobalProtect Split Tunnel to Exclude by Access Route External Gateway Priority by Source Region Internal Gateway Selection by Source ...
Authentication Policy and Multi-Factor Authentication for G...
Authentication Policy and Multi-Factor Authentication for GlobalProtect You can now leverage the new Authentication Features within GlobalProtect to support access to non-browser-based applications that require ...
Gateway Configuration Disable split tunneling. To do this, ensure there are no Access Routes specified in Agent Client Settings Split Tunnel settings. See Configure a ...
SAML 2.0 Authentication for GlobalProtect
SAML 2.0 Authentication for GlobalProtect GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication . If you have chosen SAML as your authentication standard, ...
Configure a GlobalProtect Gateway
Configure a GlobalProtect gateway to enforce security policies and provide VPN access for your users. ...
Customize the GlobalProtect Agent
Customize the GlobalProtect Agent The portal agent configuration allows you to customize how your end users interact with the GlobalProtect agents installed on their systems ...
Tunnel Settings Tab
Tunnel Settings Tab Select Network GlobalProtect Gateways Agent Tunnel Settings to enable tunneling and configure the tunnel parameters. Tunnel parameters are required if you are ...
Split Tunnel to Exclude by Access Route
Split Tunnel to Exclude by Access Route You can now exclude specific destination IP subnet traffic from being sent over the VPN tunnel. With this feature, you ...
Configure GlobalProtect Gateways for LSVPN
Configure GlobalProtect Gateways for LSVPN Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect ...