Client Settings Tab

  • NetworkGlobalProtectGateways<gateway-config>Agent<agent-config>Client Settings
Select the Client Settings tab to configure settings for the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway.
Some Client Settings options are available only after you enable tunnel mode and define a tunnel interface on the Tunnel Settings Tab.
GlobalProtect Gateway Client Settings and Network Configuration
Description
Config Selection Criteria tab
Name
Enter a name to identify the client settings configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Source User
Add the specific users or user groups to which this configuration applies.
You must configure group mapping (DeviceUser IdentificationGroup Mapping Settings) before you can select users and groups.
To deploy this configuration to all users, select any from the Source User drop-down. To deploy this configuration only to users with GlobalProtect apps in pre-logon mode, select pre-logon from the Source User drop-down.
The client settings configuration is deployed to users only if the user matches the criteria for Source User, OS, AND Source Address.
OS
To deploy this configuration based on the operating system of the endpoint, Add an OS (Android, Chrome, iOS, Linux, Mac, Windows, WindowsUWP). Alternatively, you can set this value to Any so that configuration deployment is based only on the user or user group and not on the operating system of the endpoint.
The client settings configuration is deployed to users only if the user matches the criteria for Source User, OS, AND Source Address.
Source Address
To deploy this configuration based on user location, Add a source Region or local IP Address (IPv4 and IPv6). To deploy this configuration to all user locations, do not specify a Region or IP Address. You must also leave these fields empty if your users are running GlobalProtect app 4.0 and earlier releases, as this feature is not supported on older GlobalProtect app releases.
The Source Address match is successful if the location of a connecting user matches either the Regionor the IP Address that you configure.
The client settings configuration is deployed to users only if the user matches the criteria for Source User, OS, AND Source Address.
Authentication Override tab
Authentication Override
Enable the gateway to use secure, device-specific, encrypted cookies to authenticate the user after the user first authenticates using the authentication scheme specified by the authentication or certificate profile.
  • Generate cookie for authentication override—During the lifetime of the cookie, the agent presents this cookie each time the user authenticates with the gateway.
  • Cookie Lifetime—Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The ranges are 1–72 hours, 1–52 weeks, or 1–365 days. After the cookie expires, the user must enter login credentials and the gateway subsequently encrypts a new cookie to send to user device.
  • Accept cookie for authentication override—Select this option to configure the gateway to accept authentication using the encrypted cookie. When the agent presents the cookie, the gateway validates that the cookie was encrypted by the gateway before authenticating the user.
  • Certificate to Encrypt/Decrypt Cookie—Select the certificate the gateway uses to use when encrypting and decrypting the cookie.
Ensure that the gateway and portal both use the same certificate to encrypt and decrypt cookies.
IP Pools tab
Retrieve Framed-IP-Address attribute from authentication server
Select this option to enable the GlobalProtect gateway to assign fixed IP addresses by use of an external authentication server. When this option is enabled, the GlobalProtect gateway allocates the IP address for connecting to devices by using the Framed-IP-Address attribute from the authentication server.
Authentication Server IP Pool
Add a subnet or range of IP addresses to assign to remote users. When the tunnel is established, the GlobalProtect gateway allocates the IP address in this range to connecting devices using the Framed-IP-Address attribute from the authentication server. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10).
You can enable and configure Authentication Server IP Pool only if you enable Retrieve Framed-IP-Address attribute from authentication server.
The authentication server IP pool must be large enough to support all concurrent connections. IP address assignment is fixed and is retained after the user disconnects. Configure multiple ranges from different subnets to allow the system to offer clients an IP address that does not conflict with other interfaces on the client.
The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user can receive the address 192.168.0.10.
IP Pool
Add a range of IP addresses to assign to remote users. When the tunnel is established, an interface is created on the remote user’s endpoint with an address in this range. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10).
To avoid conflicts, the IP pool must be large enough to support all concurrent connections. The gateway maintains an index of clients and IP addresses so that the client automatically receives the same IP address the next time it connects. Configuring multiple ranges from different subnets allows the system to offer clients an IP address that does not conflict with other interfaces on the client.
The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user may be assigned the address 192.168.0.10.
Split Tunnel tab
Access Route tab
No direct access to local network
Select this option to disable split tunneling, including direct access to local networks on Windows and macOS endpoints. This function prevents a user from sending traffic to proxies or local resources, such as a home printer. When the tunnel is established, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall.
Include
Add routes to include in the VPN tunnel. These are the routes the gateway pushes to the remote users’ endpoint to specify what user endpoints can send through the VPN connection.
To include all destination subnets or address objects, Include 0.0.0.0/0 and ::/0 as access routes.
Exclude
Add routes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel).
You can define the routes you send through the VPN tunnel as routes you include in the tunnel, routes you exclude from the tunnel, or a combination of both. For example, you can set up split tunneling to allow remote users to access the internet without going through the VPN tunnel. Excluded routes should be more specific than the included routes to avoid excluding more traffic than you intend to exclude.
If you don’t include or exclude routes, every request is routed through the tunnel (no split tunneling). In this case, each internet request passes through the firewall and then out to the network. This method can prevent the possibility of an external party accessing user endpoints and gaining access to the internal network (with a user endpoint acting as a bridge).
Domain and Application tab
Include Domain
Add the software as a service (SaaS) or public cloud applications that you want to include in the VPN tunnel using the domain and port (optional). These are the applications the gateway pushes to the remote users’ endpoint to specify what user endpoints can send through the VPN connection.
You can configure a list of ports for each domain. If no ports are configured, all ports for the specified domain are subject to this policy.
If you only include domains, all other domains are excluded by default.
Exclude Domain
Add the software as a service (SaaS) or public cloud applications that you want to exclude from the VPN tunnel using the domain and port (optional). These applications are sent through the physical adapter on endpoints rather than the virtual adapter (the tunnel).
You can configure a list of ports for each domain. If no ports are configured, all ports for the specified domain are subject to this policy.
If you only exclude domains, all other domains are included by default.
If you do not include or exclude any domains, every request is routed through the tunnel (no split tunneling). In this case, each Internet request passes through the firewall and out to the network. This method can prevent external parties from accessing user endpoints to gain access to the internal network.
Include Client Application Process Name
Add the software as a service (SaaS) or public cloud applications that you want to include in the VPN tunnel using the application process name. These are the applications the gateway pushes to the endpoints of remote users to specify what those user endpoints can send through the VPN connection.
If you only include applications, all other applications are excluded by default.
Exclude Client Application Process Name
Add the software as a service (SaaS) or public cloud applications that you want to exclude from the VPN tunnel using the application process name. These applications are sent through the physical adapter on endpoints rather than the virtual adapter (the tunnel).
If you only exclude applications, all other applications are included by default.
If you do not include or exclude any applications, every request is routed through the tunnel (no split tunneling). In this case, each Internet request passes through the firewall and out to the network. This method can prevent external parties from accessing user endpoints to gain access to the internal network.
Network Services tab
DNS Server
Specify the IP address of the DNS server to which the GlobalProtect app with this client setting configuration sends DNS queries. You can add multiple DNS servers by separating each IP address with a comma.
DNS Suffix
Specify the DNS suffix that the endpoint should use locally when an unqualified hostname is entered that the endpoint cannot resolve. You can enter multiple DNS suffixes (up to 100) by separating each suffix with a comma.

Related Documentation