Learn about the exciting new GlobalProtect™ features introduced in the PAN-OS® 8.1 release.
New GlobalProtect Feature
|Optimized Split Tunneling for GlobalProtect|
In addition to route-based split tunnel policy, GlobalProtect™ now supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application. This feature works on Windows and macOS endpoints and enables you to:
|Kerberos Authentication Support for macOS|
GlobalProtect endpoints running macOS 10.10 and later releases now support Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. Kerberos SSO, which is primarily intended for internal gateway deployments, provides accurate User-ID™ information without user interaction and helps enforce user and HIP policies.
|SAML SSO for GlobalProtect on Chromebooks|
GlobalProtect now supports SAML single sign-on (SSO) for Chrome OS. If you configure SAML as the authentication standard for Chromebooks, users can authenticate to GlobalProtect by leveraging the same login they use to access the Chromebook applications. This allows users to connect to GlobalProtect without having to re-enter their credentials in the GlobalProtect app. With SSO enabled (default), Google acts as the SAML service provider while the GlobalProtect app authenticates users directly to your organization’s SAML identity provider.
GlobalProtect currently supports only the Post SAML HTTP binding method.
|GlobalProtect Credential Provider Pre-Logon Connection Status|
The GlobalProtect credential provider logon screen on Windows 7 and Windows 10 endpoints now displays the pre-logon connection status when you configure pre-logon for remote users. The pre-logon connection status indicates the state of the pre-logon VPN connection prior to user logon. By providing more visibility into the pre-logon connection status, this feature allows end users to determine whether they will be able to access network resources upon logon, which prevents them from logging in prematurely, before the connection is established and network resources become available.
If the GlobalProtect app determines that an endpoint is internal (connected to the corporate network), the logon screen displays the GlobalProtect connection status as Internal. If the GlobalProtect app determines that an endpoint is external (connected to a remote network), the logon screen displays the GlobalProtect connection status as Connected or Not Connected.
|Active Directory Password Change Using the GlobalProtect Credential Provider|
End users can now change their Active Directory (AD) password using the GlobalProtect credential provider on Windows 10 endpoints. This enhancement improves the single sign-on (SSO) experience by allowing users to update their AD password and access resources that are secured by GlobalProtect using the GlobalProtect credential provider. Users can change their AD password using the GlobalProtect credential provider only when their AD password expires or an administrator requires a password change at the next login.
|Expired Active Directory Password Change for Remote Users|
Remote users can now change their RADIUS or Active Directory (AD) password through the GlobalProtect app when their password expires or a RADIUS/AD administrator requires a password change at the next login. With this feature, users can change their RADIUS or AD password when they are unable to access the corporate network locally and their only option is to connect remotely using RADIUS authentication. This feature is enabled only when the user authenticates with a RADIUS server using the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).
|OPSWAT SDK V4 Support|
GlobalProtect is now integrated with OPSWAT SDK V4 to detect and assess the endpoint state and the third-party security applications running on the endpoint. OPSWAT is a security tool leveraged by the Host Information Profile (HIP) to collect information about the security status of your endpoints. GlobalProtect uses this information for policy enforcement on the GlobalProtect gateway.
This integration follows the end-of-life (EoL) announcement for OPSWAT SDK V3, which is the OPSWAT SDK version supported by GlobalProtect in PAN-OS 8.0 and earlier releases.
|GlobalProtect App for Linux|
The new GlobalProtect app for Linux now extends User-ID and security policy enforcement to users on Linux endpoints. The GlobalProtect app provides a command-line interface and functions as an SSL or IPSec VPN client. The GlobalProtect app supports common GlobalProtect features and authentication methods, including certificate and two-factor authentication and both user-logon and on-demand connect methods. The app can also perform internal host detection to determine whether the Linux endpoint is on the internal network and collects host information (such as operating system and operating system version, domain, hostname, host ID, and network interface). Using this information, you can allow or deny access to a specific Linux endpoint based on the adherence of that endpoint to the host policies you define.
The GlobalProtect app for Linux is available for the Linux distributions Ubuntu 14.04, RHEL 7.0, and CentOS 7.0 (and later releases of each) and requires a GlobalProtect subscription.