GlobalProtect Features

Learn about the exciting new GlobalProtect™ features introduced in the PAN-OS® 8.1 release.
Optimized Split Tunneling for GlobalProtect
In addition to route-based split tunnel policy, GlobalProtect™ now supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application. This feature works on Windows and macOS endpoints and enables you to:
  • Tunnel enterprise SaaS and public cloud applications, so that you retain comprehensive SaaS application visibility and control and avoid the risks associated with shadow IT in environments where tunneling all traffic is not feasible.
  • Send latency-sensitive traffic, such as VoIP, outside the tunnel, while all other traffic goes through the tunnel for inspection and policy enforcement by the GlobalProtect gateway.
  • Exclude HTTP/HTTPS video streaming traffic from the tunnel. Video streaming applications, such as YouTube and Netflix, consume large amounts of bandwidth. By excluding lower-risk video streaming traffic from the tunnel, you can decrease bandwidth consumption on the gateway.
Kerberos Authentication Support for macOS
GlobalProtect endpoints running macOS 10.10 and later releases now support Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. Kerberos SSO, which is primarily intended for internal gateway deployments, provides accurate User-ID™ information without user interaction and helps enforce user and HIP policies.
SAML SSO for GlobalProtect on Chromebooks
GlobalProtect now supports SAML single sign-on (SSO) for Chrome OS. If you configure SAML as the authentication standard for Chromebooks, users can authenticate to GlobalProtect by leveraging the same login they use to access the Chromebook applications. This allows users to connect to GlobalProtect without having to re-enter their credentials in the GlobalProtect app. With SSO enabled (default), Google acts as the SAML service provider while the GlobalProtect app authenticates users directly to your organization’s SAML identity provider.
GlobalProtect currently supports only the SAML HTTP POST binding method.
GlobalProtect Credential Provider Pre-Logon Connection Status
The GlobalProtect credential provider logon screen on Windows 7 and Windows 10 endpoints now displays the pre-logon connection status when you configure pre-logon for remote users. The pre-logon connection status indicates the state of the pre-logon VPN connection prior to user logon. By providing more visibility into the pre-logon connection status, this feature allows end users to determine whether they will be able to access network resources upon logon, which prevents them from logging in prematurely before the connection is established and network resources become available.
If the GlobalProtect app determines that an endpoint is internal (connected to the corporate network), the logon screen displays the GlobalProtect connection status as Internal. If the GlobalProtect app determines that an endpoint is external (connected to a remote network), the logon screen displays the GlobalProtect connection status as Connected or Not Connected.
Active Directory Password Change Using the GlobalProtect Credential Provider
End users can now change their Active Directory (AD) password using the GlobalProtect credential provider on Windows 10 endpoints. This enhancement improves the single sign-on (SSO) experience by allowing users to update their AD password and access resources that are secured by GlobalProtect using the GlobalProtect credential provider. Users can change their AD password using the GlobalProtect credential provider only when their AD password expires or an administrator requires a password change at the next login.
Expired Active Directory Password Change for Remote Users
Remote users can now change their RADIUS or Active Directory (AD) password through the GlobalProtect app when their password expires or a RADIUS/AD administrator requires a password change at the next login. With this feature, users can change their RADIUS or AD password when they are unable to access the corporate network locally and their only option is to connect remotely using RADIUS authentication. This feature is enabled only when the user authenticates with a RADIUS server using the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).
GlobalProtect is now integrated with OPSWAT SDK V4 to detect and assess the endpoint state and the third-party security applications running on the endpoint. OPSWAT is a security tool leveraged by the Host Information Profile (HIP) to collect information about the security status of your endpoints. GlobalProtect uses this information for policy enforcement on the GlobalProtect gateway.
This integration follows the end-of-life (EoL) announcement for OPSWAT SDK V3, which is the OPSWAT SDK version supported by GlobalProtect in PAN-OS 8.0 and earlier releases.
GlobalProtect App for Linux
The new GlobalProtect app for Linux now extends User-ID and security policy enforcement to users on Linux endpoints. The GlobalProtect app provides a command-line interface and functions as an SSL or IPSec VPN client. The GlobalProtect app supports common GlobalProtect features and authentication methods, including certificate and two-factor authentication and both user-logon and on-demand connect methods. The app can also perform internal host detection to determine whether the Linux endpoint is on the internal network and collects host information (such as operating system and operating system version, domain, hostname, host ID, and network interface). Using this information, you can allow or deny access to a specific Linux endpoint based on the adherence of that endpoint to the host policies you define.
The GlobalProtect app for Linux is available for the Ubuntu 14.04, RHEL 7.0, and CentOS 7.0 Linux distributions (and later releases of each) and requires a GlobalProtect subscription.