Learn about the exciting new GlobalProtect™ features introduced in the PAN-OS® 9.0 release.
The following table describes new GlobalProtect features introduced in PAN-OS 9.0. For features related to the GlobalProtect app, see the GlobalProtect App 5.0 Release Notes.
New GlobalProtect Feature
Simplified Deployment for GlobalProtect Portals and Gateways
You can now reduce the number of GlobalProtect portals and gateways you need to deploy and manage for GlobalProtect use cases by configuring the following features on a single firewall:
HIP Report Redistribution
In data center environments, you can now use HIP report redistribution to ensure consistent policy enforcement across all endpoints and to simplify policy configuration and management across internal and external gateways. With HIP report redistribution, you use the same mechanism as User-ID redistribution to enable the GlobalProtect gateways to send the HIP reports to a Dedicated Log Collector (DLC), firewall, or Panorama. HIP report redistribution eliminates the need for exception policies for external or internal gateways, thereby simplifying HIP setup and reducing configuration time for your gateways and firewalls.
Tunnel Restoration and Authentication Cookie Usage Restrictions
You can now enforce additional restrictions for enhanced security:
These settings provide a more restricted user connection experience.
Pre-Logon Followed By Two-Factor and SAML Authentication
The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by two-factor or SAML authentication for user login. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate using the configured authentication method. If authentication is successful on Windows endpoints, the pre-logon tunnel is seamlessly renamed to User tunnel and the GlobalProtect connection is established. If authentication is successful on macOS endpoints, a new tunnel is created and the GlobalProtect connection is established.
GlobalProtect Gateway and Portal Location Configuration
To help users identify the geographic location of GlobalProtect gateways, you can now configure a label for the physical location. By separating the location into a dedicated label, you can also use location-independent names when you configure your gateways.
The GlobalProtect app displays the label for the location of the gateway to which a user is connected and the Clientless VPN portal landing page displays the label for the location of the portal to which a Clientless VPN user is logged in.
When end users experience unusual behavior, such as poor network performance, they can provide this location information to their support or Help Desk professionals to assist with troubleshooting. They can also use this location information to determine their proximity to the Clientless VPN portal or gateway. Based on their proximity, they can evaluate whether they need to switch to a closer portal or gateway. However, auto-selected gateways are still preferred.
Refer to the GlobalProtect App 5.0 Release Notes for more information on gateway and portal location visibility for end users.
User Location Visibility on GlobalProtect Gateways and Portals
For enhanced reporting and user activity analysis, you can now view the source region of users that connect (or have previously connected) to GlobalProtect portals and gateways. You can identify the source region of the Clientless VPN users in the Remote Users section of the Portal configuration and the source region of GlobalProtect users in the Remote Users section of the Gateway configuration.
Concurrent Support for IPv4 and IPv6 DNS Servers
You can now assign up to ten IPv4 and IPv6 DNS servers in the client settings provided to the endpoint by the GlobalProtect gateway. This enhancement enables you to assign multiple IPv4 and IPv6 DNS servers simultaneously to the endpoints that connect to the gateway.
Support for IPv6-Only GlobalProtect Deployments
GlobalProtect now supports IPv6-only deployments. With this enhancement, you can define an IP address pool that uses only IPv6 addresses when you configure GlobalProtect gateways.
When you configure IPv6 pools, you must also enable split tunneling to route any IPv4 traffic from the endpoint to the internet.