GlobalProtect Portals Agent App Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App to specify how end-users interact with the GlobalProtect apps installed on their systems. You can define different app settings for the different GlobalProtect agent configurations you create.
GlobalProtect App Configuration Settings
Select a welcome page to present to end-users after they connect to GlobalProtect. You can select the factory-default page or Import a custom page. The default is None.
GlobalProtect App Config Refresh Interval (hours)
Specify the number of hours the GlobalProtect portal waits before it initiates the next refresh of an app's configuration (range is 1 to 168; default is 24).
Allow User to Disable GlobalProtect App
Specifies whether users are allowed to disable the GlobalProtect app and, if so, what—if anything—they must do before they can disable the app:
Allow User to Upgrade GlobalProtect App
Specifies whether end-users can upgrade the GlobalProtect app software and, if they can, whether they can choose when to upgrade:
Use Single Sign-on
Select No to disable single sign-on (SSO). With SSO enabled (default), the GlobalProtect app automatically uses the Windows login credentials to authenticate and then connect to the GlobalProtect portal and gateway. GlobalProtect can also wrap third-party credentials to ensure that Windows users can authenticate and connect even when a third-party credential provider is used to wrap the Windows login credentials.
Clear Single Sign-On Credentials on Logout
Select No to keep single sign-on credentials when the user logs out. Select Yes (default) to clear them and force the user to enter credentials upon the next login.
Use Default Authentication on Kerberos Authentication Failure
Select No to use only Kerberos authentication. Select Yes (default) to retry authentication by using the default authentication method after a failure to authenticate with Kerberos. This feature is supported for Mac and Windows endpoints only.
Automatic Restoration of VPN Connection Timeout
Enter a timeout value, in minutes, from 0 to 180, to specify the action the GlobalProtect app takes when the tunnel is disconnected due to network instability or endpoint state changes (default is 30).
Wait Time Between VPN Connection Restore Attempts
Enter the amount of time, in seconds, the GlobalProtect app waits between attempts to reestablish the connection with the last-connected gateway when you enable Automatic Restoration of VPN Connection Timeout. Specify a longer or shorter wait time depending on your network conditions. Range is 1 to 60 seconds; the default is 5.
Client Certificate Store Lookup
Select the type of certificate or certificates that an app looks up in its personal certificate store. The GlobalProtect app uses the certificate to authenticate to the portal or a gateway and then establish a VPN tunnel to the GlobalProtect gateway.
SCEP Certificate Renewal Period (days)
This mechanism is for renewing a SCEP-generated certificate before the certificate actually expires. You specify the maximum number of days before certificate expiry that the portal can request a new certificate from the SCEP server in your PKI system (range is 0 to 30; default is 7). A value of 0 means that the portal does not automatically renew the client certificate when it refreshes a client configuration.
For an app to get the new certificate, the user must log in during the renewal period (the portal does not request the new certificate for a user during this renewal period unless the user logs in).
For example, suppose that a client certificate has a lifespan of 90 days and this certificate renewal period is 7 days. If a user logs in during the final 7 days of the certificate lifespan, the portal generates the certificate and downloads it along with a refreshed client configuration. See GlobalProtect App Config Refresh Interval (hours).
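The renewal decision described above, worked through in code: an added illustration, not Palo Alto Networks code. It assumes the portal evaluates renewal only at a user login, that the window covers the expiry day and the configured number of days before it, and that an already-expired certificate is outside the window; the 90-day certificate and the dates are constructed to match the page's example.

```python
"""SCEP client-certificate renewal decision for the portal's
'SCEP Certificate Renewal Period (days)' setting (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

RENEWAL_PERIOD_MIN, RENEWAL_PERIOD_MAX = 0, 30        # page: range 0..30 days, default 7
REFRESH_INTERVAL_MIN, REFRESH_INTERVAL_MAX = 1, 168   # page: config refresh 1..168 hours


@dataclass
class ClientCert:
    not_after: date  # expiry date of the SCEP-issued client certificate


def is_valid_renewal_period(days: int) -> bool:
    return RENEWAL_PERIOD_MIN <= days <= RENEWAL_PERIOD_MAX


def portal_requests_new_cert(cert: ClientCert, today: date,
                             renewal_period_days: int, user_logged_in: bool) -> bool:
    """True when the portal would ask the SCEP server for a fresh certificate.

    The portal acts only during a login (it never pre-fetches for an absent
    user) and a period of 0 disables automatic renewal entirely.
    """
    if not is_valid_renewal_period(renewal_period_days):
        raise ValueError(f"renewal period {renewal_period_days} outside "
                         f"{RENEWAL_PERIOD_MIN}..{RENEWAL_PERIOD_MAX} days")
    if renewal_period_days == 0 or not user_logged_in:
        return False
    days_left = (cert.not_after - today).days
    # Assumption: the window includes the expiry day; an expired cert
    # (days_left < 0) is not "renewed" by this path.
    return 0 <= days_left <= renewal_period_days


def renewal_window(cert: ClientCert, renewal_period_days: int) -> tuple[date, date]:
    """First and last calendar day on which a login triggers renewal."""
    return cert.not_after - timedelta(days=renewal_period_days), cert.not_after


def example_timeline(renewal_period_days: int = 7) -> dict[int, bool]:
    """Page example: a 90-day certificate and a 7-day renewal period.

    Returns the decision for a login on selected days of the certificate's
    life (constructed dates: issued 2024-01-01, expires 2024-03-31).
    """
    issued = date(2024, 1, 1)
    cert = ClientCert(not_after=issued + timedelta(days=90))
    return {d: portal_requests_new_cert(cert, issued + timedelta(days=d),
                                        renewal_period_days, user_logged_in=True)
            for d in (60, 82, 83, 84, 90, 91)}


if __name__ == "__main__":
    for day, renew in example_timeline().items():
        print(f"login on day {day:>3}: portal requests new cert = {renew}")
```

Because renewal only happens at a login inside the window, a user who stays logged out through the final days still ends up with an expired certificate; pair the renewal period with a config refresh interval short enough that a logged-in user's refresh falls inside the window.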
Extended Key Usage OID for Client Certificate
Enter the extended key usage of a client certificate by specifying its object identifier (OID). This setting ensures that the GlobalProtect app selects only a certificate that is intended for client authentication and enables GlobalProtect to save the certificate for future use.
Enable Advanced View
Select No to restrict the app user interface to the basic, minimum view. The advanced view is enabled by default.
Allow User to Dismiss Welcome Page
Select No to force the Welcome Page to appear each time a user initiates a connection. This restriction prevents a user from dismissing important information, such as terms and conditions that may be required by your organization to maintain compliance.
Enable Rediscover Network Option
Select No to prevent users from manually initiating a network rediscovery.
Enable Resubmit Host Profile Option
Select No to prevent users from manually triggering resubmission of the latest HIP.
Allow User to Change Portal Address
Select No to disable the Portal field on the Home tab in the GlobalProtect app. However, because the user will then be unable to specify a portal to which to connect, you must supply the default portal address in the Windows registry or Mac plist:
For more information about pre-deploying the portal address, see Customizable App Settings in the GlobalProtect Administrator’s Guide.
Allow User to Continue with Invalid Portal Server Certificate
Select No to prevent the app from establishing a connection with the portal if the portal certificate is not valid.
Display GlobalProtect Icon
Select No to hide the GlobalProtect icon on the endpoint. If the icon is hidden, users cannot perform certain tasks, such as viewing troubleshooting information, changing passwords, rediscovering the network, or performing an on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs do display when user interaction is necessary.
User Switch Tunnel Rename Timeout (sec)
Specify the number of seconds that a remote user has to be authenticated by a GlobalProtect gateway after logging into an endpoint by using Microsoft’s Remote Desktop Protocol (RDP) (range is 0 to 600; default is 0). Requiring the remote user to authenticate within a limited amount of time maintains security.
After authenticating the new user and switching the tunnel to the user, the gateway renames the tunnel.
A value of 0 means that the current user’s tunnel is not renamed but, instead, is immediately terminated. In this case, the remote user gets a new tunnel and has no time limit for authenticating to a gateway (other than the configured TCP timeout).
Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)
This setting controls how GlobalProtect handles the pre-logon tunnel that connects an endpoint to the gateway.
A value of -1 means the pre-logon tunnel does not time out after a user logs on to the endpoint; GlobalProtect renames the tunnel to reassign it to the user. However, the tunnel persists even if the renaming fails or if the user does not log in to the GlobalProtect gateway.
A value of 0 means when the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it. In this case, GlobalProtect initiates a new tunnel for the user instead of allowing the user to connect over the pre-logon tunnel. Typically, this setting is most useful when you set the Connect Method to Pre-logon then On-demand, which forces the user to manually initiate the connection after the initial logon.
A value of 1 to 600 indicates the number of seconds in which the pre-logon tunnel can remain active after a user logs on to the endpoint. During this time, GlobalProtect enforces policies on the pre-logon tunnel. If the user authenticates with the GlobalProtect gateway within the timeout period, GlobalProtect reassigns the tunnel to the user. If the user does not authenticate with the GlobalProtect gateway before the timeout, GlobalProtect terminates the pre-logon tunnel.
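The two tunnel-rename settings above (User Switch Tunnel Rename Timeout and Pre-Logon Tunnel Rename Timeout) share the same shape: a sentinel value, a terminate-immediately value, and a 1 to 600 second window. The following added example, not Palo Alto Networks code, encodes both decision tables so the outcomes can be compared side by side; it assumes authentication exactly at the timeout still counts as inside the window, and the "seconds until the user authenticated" input is a constructed observation.

```python
"""Disposition of a GlobalProtect tunnel on an RDP user switch and on logon
over a pre-logon tunnel, following the two rename-timeout settings (added example)."""
from __future__ import annotations

from enum import Enum
from typing import Optional

PRELOGON_PERSIST = -1          # page: -1 means the pre-logon tunnel never times out
TIMEOUT_MAX_S = 600            # page: both settings accept up to 600 seconds


class Outcome(Enum):
    REASSIGNED = "tunnel renamed and reassigned to the user"
    TERMINATED_NEW_TUNNEL = "tunnel terminated at once; user gets a new tunnel"
    TERMINATED_TIMEOUT = "tunnel terminated: user did not authenticate in time"
    PERSISTS = "pre-logon tunnel kept open indefinitely"


def validate_user_switch_timeout(seconds: int) -> int:
    if not 0 <= seconds <= TIMEOUT_MAX_S:
        raise ValueError(f"user switch timeout must be 0..{TIMEOUT_MAX_S}, got {seconds}")
    return seconds


def validate_prelogon_timeout(seconds: int) -> int:
    if seconds != PRELOGON_PERSIST and not 0 <= seconds <= TIMEOUT_MAX_S:
        raise ValueError(f"pre-logon timeout must be -1 or 0..{TIMEOUT_MAX_S}, got {seconds}")
    return seconds


def user_switch_outcome(timeout_s: int, auth_after_s: Optional[int]) -> Outcome:
    """auth_after_s: seconds after the RDP logon at which the new user
    authenticated to the gateway; None if the user never did."""
    validate_user_switch_timeout(timeout_s)
    if timeout_s == 0:
        # Page: current user's tunnel is terminated immediately; the remote
        # user gets a new tunnel with no authentication deadline.
        return Outcome.TERMINATED_NEW_TUNNEL
    if auth_after_s is not None and auth_after_s <= timeout_s:   # inclusive bound assumed
        return Outcome.REASSIGNED
    return Outcome.TERMINATED_TIMEOUT


def prelogon_outcome(timeout_s: int, auth_after_s: Optional[int]) -> Outcome:
    """auth_after_s: seconds after the endpoint logon at which the user
    authenticated to the gateway; None if the user never did."""
    validate_prelogon_timeout(timeout_s)
    if timeout_s == PRELOGON_PERSIST:
        # Page: renamed on successful logon; otherwise the tunnel persists.
        return Outcome.REASSIGNED if auth_after_s is not None else Outcome.PERSISTS
    if timeout_s == 0:
        return Outcome.TERMINATED_NEW_TUNNEL
    if auth_after_s is not None and auth_after_s <= timeout_s:   # inclusive bound assumed
        return Outcome.REASSIGNED
    return Outcome.TERMINATED_TIMEOUT


if __name__ == "__main__":
    for t in (PRELOGON_PERSIST, 0, 300):
        for seen in (None, 120, 400):
            print(f"pre-logon timeout {t:>3}, auth after {seen}: {prelogon_outcome(t, seen).value}")
```

The table makes the trade-off visible: -1 leaves a pre-logon tunnel open with no authenticated user behind it, 0 forces a fresh tunnel (and, with Pre-logon then On-demand, a manual connect), and a positive value keeps the pre-logon tunnel under pre-logon policy only until the deadline passes.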
Show System Tray Notifications
Select No to hide notifications from the user. Select Yes (default) to display notifications in the system tray area.
Custom Password Expiration Message
(LDAP Authentication Only)
Create a custom message to display to users when their password is about to expire. The maximum message length is 200 characters.
Maximum Internal Gateway Connection Attempts
Enter the maximum number of times the GlobalProtect agent should retry the connection to an internal gateway after the first attempt fails (range is 0 to 100; default is 0, which means the GlobalProtect app does not retry the connection). By increasing the value, you enable the app to automatically connect to an internal gateway that is temporarily down or unreachable during the first connection attempt but comes back up before the specified number of retries are exhausted. Increasing the value also ensures that the internal gateway receives the most up-to-date user and host information.
Portal Connection Timeout (sec)
The number of seconds (between 1 and 600) before a connection request to the portal times out due to no response from the portal. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 30. Starting with content version 777-4484, the default is 5.
TCP Connection Timeout (sec)
The number of seconds (between 1 and 600) before a TCP connection request times out due to unresponsiveness from either end of the connection. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 60. Starting with content version 777-4484, the default is 5.
TCP Receive Timeout (sec)
The number of seconds before a TCP connection times out due to the absence of some partial response of a TCP request (range is 1 to 600; default is 30).
Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only)
(GlobalProtect 4.0.3 and later releases) Configure the DNS resolution preferences when the GlobalProtect tunnel is connected on Windows endpoints:
To configure DNS settings for GlobalProtect app 4.0.2 and earlier releases, use the Update DNS Settings at Connect option.
Update DNS Settings at Connect
(Windows Only) (Deprecated)
(GlobalProtect 4.0.2 and earlier releases) Configure the DNS server preferences for the GlobalProtect tunnel:
To configure DNS settings for GlobalProtect app 4.0.3 and later releases, use the Resolve All FQDNs Using DNS Servers Assigned by the Tunnel option.
Detect Proxy for Each Connection
Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.
Set Up Tunnel Over Proxy (Windows & Mac Only)
Specify whether GlobalProtect must use or bypass proxies. Select No to require GlobalProtect to bypass proxies. Select Yes to require GlobalProtect to use proxies. Based on the GlobalProtect proxy use, endpoint OS, and tunnel type, network traffic will behave differently.
Send HIP Report Immediately if Windows Security Center (WSC) State Changes
Select No to prevent the GlobalProtect app from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
Enforce GlobalProtect Connection for Network Access
Select Yes to force all network traffic to traverse a GlobalProtect tunnel. Select No (default) if GlobalProtect is not required for network access and users can still access the internet even when GlobalProtect is disabled or disconnected.
To provide instructions to users before traffic is blocked, configure a Traffic Blocking Notification Message and optionally specify when to display the message (Traffic Blocking Notification Delay).
To permit traffic required to establish a connection with a captive portal, specify a Captive Portal Exception Timeout. The user must authenticate with the portal before the timeout expires. To provide additional instructions, configure a Captive Portal Detection Message and optionally specify when to display the message (Captive Portal Notification Delay).
In most cases, use the default selection No. Selecting Yes blocks all network traffic to and from the endpoint until the app connects to an internal gateway inside the enterprise or to an external gateway outside the enterprise network.
Captive Portal Exception Timeout (sec)
To enforce GlobalProtect for network access but provide a grace period to allow users enough time to connect to a captive portal, specify the timeout in seconds (range is 0 to 3600). For example, a value of 60 means the user must log in to the captive portal within one minute after GlobalProtect detects the captive portal. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and immediately blocks access.
Traffic Blocking Notification Delay (sec)
Specify a value, in seconds, to determine when to display the notification message. GlobalProtect starts the countdown to display the notification after the network is reachable (range is 5 to 120; default is 15).
Display Traffic Blocking Notification Message
Specifies whether a message appears when GlobalProtect is required for network access. Select No to disable the message. Select Yes to enable the message (GlobalProtect displays the message when GlobalProtect is disconnected but detects that the network is reachable.)
Traffic Blocking Notification Message
Customize a notification message to display to users when GlobalProtect is required for network access. GlobalProtect displays the message when GlobalProtect is disconnected but detects the network is reachable. The message can indicate the reason for blocking the traffic and provide instructions on how to connect. For example:
To access the network, you must first connect to GlobalProtect.
The message must be 512 or fewer characters.
Allow User to Dismiss Traffic Blocking Notifications
Select No to always display traffic blocking notifications. By default the value is set to Yes meaning users are permitted to dismiss the notifications.
Display Captive Portal Detection Message
Specifies whether a message appears when GlobalProtect detects a captive portal. Select Yes to display the message. Select No (default) to suppress the message (GlobalProtect does not display a message when GlobalProtect detects a captive portal).
If you enable a Captive Portal Detection Message, the message appears 85 seconds before the Captive Portal Exception Timeout. So if the Captive Portal Exception Timeout is 90 seconds or less, the message appears 5 seconds after a captive portal is detected.
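The timing rules for the enforcement-related settings (Traffic Blocking Notification Delay, Captive Portal Exception Timeout and the 85-second lead of the detection message), as an added example that is not Palo Alto Networks code. It assumes that with an exception timeout of 0 no detection message is shown, since access is blocked immediately, and its `review` function is a constructed checklist of combinations that leave users without instructions or without any way to clear a captive portal.

```python
"""Notification timing and a sanity review for
'Enforce GlobalProtect Connection for Network Access' (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MESSAGE_LEAD_S = 85              # page: detection message shows 85 s before the exception timeout
MIN_DETECTION_DELAY_S = 5        # page: never sooner than 5 s after detection
EXCEPTION_TIMEOUT_MAX_S = 3600   # page: range 0..3600
BLOCKING_DELAY_RANGE = range(5, 121)   # page: range 5..120, default 15
MAX_NOTIFICATION_LEN = 512       # page: both messages must be 512 or fewer characters


@dataclass
class EnforcementConfig:
    enforce: bool = False                          # page default: No
    captive_portal_exception_timeout_s: int = 0    # page gives no default; 0 assumed here
    traffic_blocking_notification_delay_s: int = 15
    display_traffic_blocking_message: bool = False
    traffic_blocking_message: str = ""
    display_captive_portal_message: bool = False   # page default: No
    captive_portal_message: str = ""


def captive_portal_message_delay(exception_timeout_s: int) -> Optional[int]:
    """Seconds after captive-portal detection at which the message appears,
    or None when a timeout of 0 blocks access immediately (assumption)."""
    if not 0 <= exception_timeout_s <= EXCEPTION_TIMEOUT_MAX_S:
        raise ValueError(f"exception timeout must be 0..{EXCEPTION_TIMEOUT_MAX_S}")
    if exception_timeout_s == 0:
        return None
    return max(exception_timeout_s - MESSAGE_LEAD_S, MIN_DETECTION_DELAY_S)


def review(cfg: EnforcementConfig) -> list[str]:
    """Constructed checklist: returns human-readable findings, empty if none."""
    issues: list[str] = []
    if cfg.traffic_blocking_notification_delay_s not in BLOCKING_DELAY_RANGE:
        issues.append("traffic blocking notification delay outside 5..120 s")
    if len(cfg.traffic_blocking_message) > MAX_NOTIFICATION_LEN:
        issues.append("traffic blocking message longer than 512 characters")
    if len(cfg.captive_portal_message) > MAX_NOTIFICATION_LEN:
        issues.append("captive portal detection message longer than 512 characters")
    if cfg.enforce:
        if cfg.captive_portal_exception_timeout_s == 0:
            issues.append("enforcement on with exception timeout 0: users behind a "
                          "captive portal are blocked before they can clear it")
        if not cfg.display_traffic_blocking_message:
            issues.append("enforcement on without a traffic blocking message: "
                          "users get no instructions before traffic is blocked")
        if cfg.display_captive_portal_message and not cfg.captive_portal_message:
            issues.append("captive portal message enabled but empty")
    return issues


if __name__ == "__main__":
    for t in (0, 60, 90, 120, 300):
        print(f"exception timeout {t:>4} s -> detection message after "
              f"{captive_portal_message_delay(t)} s")
    strict = EnforcementConfig(enforce=True)
    for finding in review(strict):
        print("finding:", finding)
```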
Captive Portal Detection Message
Customize a notification message to display to users when GlobalProtect detects the network which provides additional instructions for connecting to a captive portal. For example:
GlobalProtect has temporarily permitted network access for you to connect to the internet. Follow instructions from your internet provider. If you let the connection time out, open GlobalProtect and click Connect to try again.
The message must be 512 or fewer characters.
Enable Inbound Authentication Prompts from MFA Gateways
To support multi-factor authentication (MFA), a GlobalProtect endpoint must receive and acknowledge UDP prompts that are inbound from the gateway. Select Yes to enable a GlobalProtect endpoint to receive and acknowledge the prompt. Select No (default) for GlobalProtect to block UDP prompts from the gateway.
Network Port for Inbound Authentication Prompts (UDP)
Specifies the port number a GlobalProtect endpoint uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number from 1 to 65535.
Trusted MFA Gateways
Specifies the list of firewalls or authentication gateways a GlobalProtect endpoint trusts for multi-factor authentication. When a GlobalProtect endpoint receives a UDP message on the specified network port, GlobalProtect displays an authentication message only if the UDP prompt comes from a trusted gateway.
Inbound Authentication Message
Customize a notification message to display when users try to access a resource that requires additional authentication. When users try to access a resource that requires additional authentication, GlobalProtect receives a UDP packet containing the inbound authentication prompt and displays this message. The UDP packet also contains the URL for the Authentication Portal page you specify when you Configure Multi-Factor Authentication. GlobalProtect automatically appends the URL to the message. For example:
You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at
The message must be 255 or fewer characters.
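The inbound MFA prompt handling described in the preceding entries (Enable Inbound Authentication Prompts, Network Port, Trusted MFA Gateways and Inbound Authentication Message) reduces to a trust check before anything is shown to the user. The following added example, not Palo Alto Networks code, implements that check on a simulated datagram; the datagram layout (`auth-url=<URL>` as UTF-8 text), the gateway addresses and the URL are constructed stand-ins, since the page does not document the real packet format.

```python
"""Trust check for inbound MFA authentication prompts received over UDP
(default port 4501) before the endpoint displays a message (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_PROMPT_PORT = 4501     # page default
MAX_MESSAGE_LEN = 255          # page: message must be 255 or fewer characters
PAYLOAD_PREFIX = "auth-url="   # constructed stand-in for the real payload layout

DEFAULT_MESSAGE = ("You have attempted to access a protected resource that "
                   "requires additional authentication. Proceed to authenticate at")


@dataclass
class MfaPromptConfig:
    enabled: bool = False                       # page default: No
    port: int = DEFAULT_PROMPT_PORT
    trusted_gateways: frozenset[str] = field(default_factory=frozenset)  # normalised IP strings
    message: str = DEFAULT_MESSAGE


def validate(cfg: MfaPromptConfig) -> None:
    if not 1 <= cfg.port <= 65535:
        raise ValueError(f"port must be 1..65535, got {cfg.port}")
    if len(cfg.message) > MAX_MESSAGE_LEN:
        raise ValueError("inbound authentication message longer than 255 characters")


def make_config(enabled: bool, gateways: list[str], port: int = DEFAULT_PROMPT_PORT) -> MfaPromptConfig:
    cfg = MfaPromptConfig(enabled=enabled, port=port,
                          trusted_gateways=frozenset(str(ipaddress.ip_address(g)) for g in gateways))
    validate(cfg)
    return cfg


def parse_prompt(payload: bytes) -> Optional[str]:
    """Extract the Authentication Portal URL from the constructed payload layout."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text.startswith(PAYLOAD_PREFIX):
        return None
    url = text[len(PAYLOAD_PREFIX):].strip()
    return url if url.startswith("https://") else None


def handle_datagram(cfg: MfaPromptConfig, src_ip: str, dst_port: int, payload: bytes) -> Optional[str]:
    """Return the text to display, or None when the datagram must be ignored.

    Order matters: the feature must be on, the packet must arrive on the
    configured port, and the sender must be a trusted gateway before the
    payload is even parsed.
    """
    if not cfg.enabled or dst_port != cfg.port:
        return None
    try:
        sender = str(ipaddress.ip_address(src_ip))
    except ValueError:
        return None
    if sender not in cfg.trusted_gateways:
        return None
    url = parse_prompt(payload)
    if url is None:
        return None
    return f"{cfg.message} {url}"   # page: the portal URL is appended to the message


if __name__ == "__main__":
    cfg = make_config(True, ["203.0.113.10"])          # constructed trusted gateway
    prompt = b"auth-url=https://auth.example.test/portal"  # constructed datagram
    print(handle_datagram(cfg, "203.0.113.10", 4501, prompt))
    print(handle_datagram(cfg, "198.51.100.7", 4501, prompt))   # untrusted -> None
```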
Specifies the preferred protocol for GlobalProtect endpoint communications. Select No to change the preferred protocol to IPv4. Select Yes (default) to make IPv6 the preferred connection in a dual-stack environment.
Retain Connection on Smart Card Removal
Select Yes to retain the connection when a user removes a smart card containing a client certificate. Select No (default) to terminate the connection when a user removes a smart card.
Change Password Message
Customize a message to specify password policies or requirements when users change their active directory (AD) password. For example:
Passwords must contain at least one number and one uppercase letter.
The message must be 255 or fewer characters for two-byte Unicode languages such as Chinese Simplified. For Japanese, the message must be 128 or fewer characters.
Display Status Panel at Startup (Windows Only)
Select Yes to automatically display the GlobalProtect status panel when users establish a connection for the first time. Select No to suppress the GlobalProtect status panel when users establish a connection for the first time.
Disable GlobalProtect App
Enter and then confirm a passcode if the setting for Allow User to Disable GlobalProtect App is Allow with Passcode. Treat this passcode like a password—record it and store it in a secure place. You can distribute the passcode to new GlobalProtect users by email or post it in a support area of your company website.
If circumstances prevent the endpoint from establishing a VPN connection and this feature is enabled, a user can enter this passcode in the app interface to disable the GlobalProtect app and get Internet access without using the VPN.
Max Times User Can Disable
Specify the maximum number of times that a user can disable GlobalProtect before the user must connect to a firewall. The default value of 0 means users have no limit to the number of times they can disable the app.
Disable Timeout (min)
Specify the maximum number of minutes the GlobalProtect app can be disabled. After the specified time passes, the app tries to connect to the firewall. The default of 0 indicates that the disable period is unlimited.
Set a disable timeout value to restrict the amount of time for which users can disable the app. This ensures that GlobalProtect resumes and establishes the VPN when the timeout is over to secure the user and the user’s access to resources.
Mobile Security Manager Settings
Mobile Security Manager
If you are using the GlobalProtect Mobile Security Manager for mobile device management (MDM), enter the IP address or FQDN of the device check‑in (enrollment) interface on the GP-100 appliance.
The port number the mobile endpoint should use when connecting to the GlobalProtect Mobile Security Manager for enrollment. The Mobile Security Manager listens on port 443 by default.
Keep this port number so that mobile endpoint users are not prompted for a client certificate during the enrollment process (other possible values are 443, 7443, and 8443).