GlobalProtect Features

Learn about the exciting new GlobalProtect™ features introduced in the PAN-OS® 9.0 release.
The following table describes new GlobalProtect features introduced in PAN-OS 9.0. For features related to the GlobalProtect app, see the GlobalProtect App 5.0 Release Notes.
New GlobalProtect Feature
Description
Simplified Deployment for GlobalProtect Portals and Gateways
You can now reduce the number of GlobalProtect portals and gateways you need to deploy and manage for GlobalProtect use cases by configuring the following features on a single firewall:
  • Endpoint Tunnel Configurations Based on Source Region or IP Address
    —You can now assign tunnel configurations to users based on their source IP address or region from a particular GlobalProtect gateway. For example, you can configure a gateway to allow all traffic for local network printing to bypass the VPN tunnel when end users connect from a branch office but require all traffic to route through the VPN tunnel when users connect remotely from an unknown or untrusted network (such as a coffee shop or library).
  • Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes
    —You can now deploy different configurations and enforce access control for managed (corporate-owned) endpoints and unmanaged endpoints (such as in a BYOD environment) from a particular GlobalProtect portal or gateway. To identify the managed status of an endpoint, GlobalProtect portals and gateways can now use the following new endpoint attributes: machine certificate and serial number.
  • DNS Configuration Assignment Based on Users or User Groups
    —From a particular gateway you can now assign different DNS servers and DNS suffixes to endpoints based on the user or user group. This allows you to leverage your distributed DNS infrastructure for users connecting with GlobalProtect.
  • Mixed Authentication Method Support for Certificates or User Credentials
    —You can now assign multiple combinations of authentication methods with user credentials and/or client certificates from a particular portal or gateway. For example, when connecting to the same portal or gateway, users connecting from corporate mobile devices can authenticate using a certificate while users connecting from personal devices can authenticate using their AD credentials.
HIP Report Redistribution
In data center environments, you can now use HIP report redistribution to ensure consistent policy enforcement across all endpoints and to simplify policy configuration and management across internal and external gateways. With HIP report redistribution, you use the same mechanism as User-ID redistribution to enable the GlobalProtect gateways to send the HIP reports to a Dedicated Log Collector (DLC), firewall, or Panorama. HIP report redistribution eliminates the need for exception policies for external gateways or internal gateways thereby simplifying HIP setup and configuration time for your gateways and firewalls.
Tunnel Restoration and Authentication Cookie Usage Restrictions
You can now enforce additional restrictions for enhanced security:
  • You can now choose to enable automatic restoration of VPN tunnels at the gateway level. For example, you can enable automatic restoration of VPN tunnels for all gateways in the enterprise except for specific gateways that you want to require authentication before a tunnel is established.
  • You can now choose whether to accept an authentication cookie when the IP address attributes (IP address or IP address range) of the endpoint change. If you choose to reject an authentication cookie when the endpoint IP address attribute differs from the original value associated with the authentication cookie, the user must authenticate again to receive a new authentication cookie.
These settings provide a more restricted user connection experience.
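The two gateway-side decisions described above, choosing a tunnel configuration from the endpoint's source IP address or region, and rejecting an authentication cookie when the endpoint's IP attribute no longer matches, are modelled in the following Python. This is an added illustration, not code from Palo Alto Networks or PAN-OS: the region table, address ranges, configuration names, function names and the first-match evaluation order are constructed assumptions, and the firewall's own matching rules are not described on this page.

```python
"""Model of two PAN-OS 9.0 GlobalProtect gateway behaviours from these release notes:
 1. selecting a tunnel (client) configuration from the endpoint's source IP or region,
 2. rejecting an authentication cookie when the endpoint IP attribute has changed.
Added illustration only, not Palo Alto Networks code: the region table, address
ranges, configuration names and the first-match evaluation order are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed geo table (CIDR -> region code); a real gateway uses its own region database.
GEO_TABLE = {
    "198.51.100.0/24": "DE",
    "203.0.113.0/24": "US",
    "2001:db8:1::/48": "US",
}


def region_of(source_ip: str) -> str:
    """Return the region code for an address, or UNKNOWN if it is not in the table."""
    addr = ipaddress.ip_address(source_ip)
    for cidr, region in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):  # False when the IP versions differ
            return region
    return "UNKNOWN"


@dataclass(frozen=True)
class TunnelConfig:
    name: str
    source_networks: Tuple[str, ...]      # CIDRs that select this configuration
    source_regions: Tuple[str, ...]       # region codes that select this configuration
    exclude_from_tunnel: Tuple[str, ...]  # destinations allowed to bypass the VPN tunnel


# Evaluated top to bottom; an entry with no match criteria is the catch-all.
CONFIGS = (
    # Branch office: the local printer subnet bypasses the tunnel, all else is tunnelled.
    TunnelConfig("branch-office", ("10.20.0.0/16",), (), ("10.20.5.0/24",)),
    # Known EMEA regions get their own settings (regional DNS, for instance; not shown).
    TunnelConfig("emea-remote", (), ("DE", "FR"), ()),
    # Unknown or untrusted networks (coffee shop, library): full tunnel, nothing excluded.
    TunnelConfig("default-full-tunnel", (), (), ()),
)


def select_tunnel_config(source_ip: str, configs=CONFIGS) -> TunnelConfig:
    """First-match selection of a tunnel configuration by source IP, then by region."""
    addr = ipaddress.ip_address(source_ip)
    region = region_of(source_ip)
    for cfg in configs:
        if any(addr in ipaddress.ip_network(n) for n in cfg.source_networks):
            return cfg
        if region in cfg.source_regions:
            return cfg
        if not cfg.source_networks and not cfg.source_regions:
            return cfg  # catch-all entry
    raise LookupError("no tunnel configuration matched and no catch-all is defined")


@dataclass(frozen=True)
class AuthCookie:
    user: str
    bound_to: str    # endpoint IP address or address range recorded when the cookie was issued
    expires_at: int  # epoch seconds


def cookie_acceptable(cookie: AuthCookie, endpoint_ip: str, now: int,
                      reject_on_ip_change: bool = True) -> bool:
    """Accept a cookie only if it is unexpired and, when the gateway is set to reject
    cookies on IP change, the endpoint still falls inside the bound address or range."""
    if now >= cookie.expires_at:
        return False
    if not reject_on_ip_change:
        return True
    bound = ipaddress.ip_network(cookie.bound_to, strict=False)  # bare address -> /32 or /128
    return ipaddress.ip_address(endpoint_ip) in bound


if __name__ == "__main__":
    for ip in ("10.20.7.9", "198.51.100.77", "203.0.113.5", "2001:db8:1::10", "2001:db8:ffff::1"):
        cfg = select_tunnel_config(ip)
        print(f"{ip:<18} region={region_of(ip):<8} config={cfg.name} bypass={cfg.exclude_from_tunnel}")
    cookie = AuthCookie("alice", "203.0.113.5", expires_at=1_700_000_000)
    print(cookie_acceptable(cookie, "203.0.113.5", now=1_600_000_000))  # same address: accepted
    print(cookie_acceptable(cookie, "203.0.113.6", now=1_600_000_000))  # address changed: re-auth
```

The catch-all entry is deliberately last so that an endpoint on an unrecognised or untrusted network (including any IPv6 source not in the region table) always lands on the full-tunnel configuration rather than failing open; the cookie check binds to a range when the cookie was issued with one, which is the "IP address range" attribute the notes mention.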
Pre-Logon Followed By Two-Factor and SAML Authentication
The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by two-factor or SAML authentication for user login. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate using the configured authentication method. If authentication is successful on Windows endpoints, the pre-logon tunnel is seamlessly renamed to User tunnel and the GlobalProtect connection is established. If authentication is successful on macOS endpoints, a new tunnel is created and the GlobalProtect connection is established.
GlobalProtect Gateway and Portal Location Configuration
To help users identify the geographic location of GlobalProtect gateways, you can now configure a label for the physical location. By separating the location into a dedicated label, you can also use location-independent names when you configure your gateways.
The GlobalProtect app displays the label for the location of the gateway to which a user is connected and the Clientless VPN portal landing page displays the label for the location of the portal to which a Clientless VPN user is logged in.
When end users experience unusual behavior, such as poor network performance, they can provide this location information to their support or Help Desk professionals to assist with troubleshooting. They can also use this location information to determine their proximity to the Clientless VPN portal or gateway. Based on their proximity, they can evaluate whether they need to switch to a closer portal or gateway. However, auto-selected gateways are still preferred.
Refer to the GlobalProtect App 5.0 Release Notes for more information on gateway and portal location visibility for end users.
User Location Visibility on GlobalProtect Gateways and Portals
For enhanced reporting and user activity analysis, you can now view the source region of users that connect (or have previously connected) to GlobalProtect portals and gateways. You can identify the source region of the Clientless VPN users in the Remote Users section of the Portal configuration and the source region of GlobalProtect users in the Remote Users section of the Gateway configuration.
Concurrent Support for IPv4 and IPv6 DNS Servers
You can now assign up to ten IPv4 and IPv6 DNS servers in the client settings provided to the endpoint by the GlobalProtect gateway. This enhancement enables you to assign multiple IPv4 and IPv6 DNS servers simultaneously to the endpoints that connect to the gateway.
Support for IPv6-Only GlobalProtect Deployments
GlobalProtect now supports IPv6-only deployments. With this enhancement, you can define an IP address pool that uses only IPv6 addresses when you configure GlobalProtect gateways.
When you configure IPv6 pools, you must also enable split tunneling to route any IPv4 traffic from the endpoint to the internet.
