Client Settings Tab
to configure settings for the virtual network adapter on the client system when an agent establishes a tunnel with the gateway.
GlobalProtect Gateway Client Settings and Network Configuration
Enter a name to identify the client settings configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Enable the gateway to use secure, device-specific, encrypted cookies to authenticate the user after the user first authenticates using the authentication scheme specified by the authentication or certificate profile.
Ensure that the gateway and portal both use the same certificate to encrypt and decrypt cookies.
User/User Group tab
Specify the user or user group and client operating system to which this agent configuration applies.
Adda specific user or user group to which this configuration applies.
You must configure group mapping (
) before you can select users and groups.
Group Mapping Settings
You can also create configurations that are deployed to agents or apps in
pre-logonmode (before the user logs in to the endpoint) or configurations to deploy to
To deploy configurations based on the operating system running on the endpoint,
Addan OS (
WindowsUWP). Alternatively, you can leave this value set to
Anyso that configuration deployment is based only on the user or user group and not on the operating system of the endpoint.
IP Pools tab
Retrieve Framed-IP-Address attribute from authentication server
Select this option to enable the GlobalProtect gateway to assign fixed IP addresses by use of an external authentication server. When this option is enabled, the GlobalProtect gateway allocates the IP address for connecting to devices by using the Framed-IP-Address attribute from the authentication server.
Authentication Server IP Pool
Adda subnet or range of IP addresses to assign to remote users. When the tunnel is established, the GlobalProtect gateway allocates the IP address in this range to connecting devices using the Framed-IP-Address attribute from the authentication server. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10).
You can enable and configure
Authentication Server IP Poolonly if you enable
Retrieve Framed-IP-Address attribute from authentication server.
The authentication server IP pool must be large enough to support all concurrent connections. IP address assignment is fixed and is retained after the user disconnects. Configure multiple ranges from different subnets to allow the system to offer clients an IP address that does not conflict with other interfaces on the client.
The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user can receive the address 192.168.0.10.
Adda range of IP addresses to assign to remote users. When the tunnel is established, an interface is created on the remote user’s endpoint with an address in this range. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10).
To avoid conflicts, the IP pool must be large enough to support all concurrent connections. The gateway maintains an index of clients and IP addresses so that the client automatically receives the same IP address the next time it connects. Configuring multiple ranges from different subnets allows the system to offer clients an IP address that does not conflict with other interfaces on the client.
The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user may be assigned the address 192.168.0.10.
Split Tunnel tab
No direct access to local network
Select this option to disable split tunneling, including direct access to local networks on Windows and Mac OS endpoints. This function prevents a user from sending traffic to proxies or local resources, such as a home printer. When the tunnel is established, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall.
Addroutes to include in the VPN tunnel. These are the routes the gateway pushes to the remote users’ endpoint to specify what user endpoints can send through the VPN connection.
Addroutes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel).
You can define the routes you send through the VPN tunnel as routes you include in the tunnel, routes you exclude from the tunnel, or a combination of both. For example, you can set up split tunneling to allow remote users to access the internet without going through the VPN tunnel. Excluded routes should be more specific than the included routes to avoid excluding more traffic than you intend to exclude.
If you don’t include or exclude routes, every request is routed through the tunnel (no split tunneling). In this case, each internet request passes through the firewall and then out to the network. This method can prevent the possibility of an external party accessing user endpoints and gaining access to the internal network (with a user endpoint acting as a bridge).
Configure a GlobalProtect Gateway
Configure a GlobalProtect gateway to enforce security policies and provide VPN access for your users. ...
Gateway Configuration Disable split tunneling. To do this, ensure there are no Access Routes specified in Agent Client Settings Split Tunnel settings. See Configure a ...
GlobalProtect Features New GlobalProtect Features Description Clientless VPN You can now use Clientless VPN for securing remote access to common enterprise web applications that use ...
GlobalProtect Portals Agent Authentication Tab
GlobalProtect Portals Agent Authentication Tab Select Network GlobalProtect Portals Agent Authentication to configure the authentication settings that apply to the agent configuration. GlobalProtect Portal Client ...
Split Tunnel to Exclude by Access Route
Split Tunnel to Exclude by Access Route You can now exclude specific destination IP subnet traffic from being sent over the VPN tunnel. With this feature, you ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...
Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
Enable Two-Factor Authentication Using One-Time Passwords (OTPs) Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal and gateways. When a ...
Configure GlobalProtect Gateways for LSVPN
Configure GlobalProtect Gateways for LSVPN Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect ...
GlobalProtect Gateway Satellite Configuration Tab
GlobalProtect Gateway Satellite Configuration Tab A satellite is a Palo Alto Networks firewall—typically at a branch office—that acts as a GlobalProtect agent to enable it ...