Document:Prisma Access (Cloud Management)

GlobalProtect — Customize App Settings

Filter

GlobalProtect — Customize App Settings

Customize how your end users interact with the GlobalProtect app.

There are some settings that you can customize globally. These

global app settings

apply to the GlobalProtect app across all devices. Other GlobalProtect app settings are set by default. You can then customize these options and, based on match criteria
, target them to specific users and devices. The match criteria you define for app settings tells Prisma Access the users, devices, or systems that should receive the settings. For example, you could specify that a rule applies only to devices with serial numbers that match Active Directory entries.

You can explore all GlobalProtect settings on the

GlobalProtect App

page, and here are examples of some of the options available to you.

GlobalProtect App Settings
Explore and customize app settings here —>
Authentication Override	Enable Prisma Access to generate and accept secure, encrypted cookies for user authentication. Turning this on allows the user to provide login credentials only once during the specified period of time. Generate cookie for authentication override —Enables the Prisma Access to generate encrypted, endpoint-specific cookies and issue authentication cookies to the endpoint. Accept cookie for authentication override —Enables Prisma Access to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, Prisma Access verifies that the cookie was encrypted by Prisma Access originally, decrypts the cookie, and then authenticates the user. The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to Prisma Access for user authentication.
Connection Settings	Specify the method that the GlobalProtect app uses to Connect to Prisma Access. User-logon (Always On) —The GlobalProtect app automatically connects to Prisma Access as soon as the user logs in. When used in conjunction with SSO (Windows endpoints only), the login is transparent to the end user. On iOS endpoints, this setting prevents one-time password (OTP) applications from working because the GlobalProtect app forces all traffic to go through the tunnel. Pre-logon (Always On) —The GlobalProtect app authenticates the user and establishes a VPN tunnel to Prisma Access before the user logs in. This option requires that you use an external PKI solution to pre-deploy a machine certificate to each device that receives these settings. On-demand (Manual user initiated connection) —Users must manually launch the app to connect to GlobalProtect. Pre-logon then On-demand —Similar to the Pre-logon (Always On) connect method, this connect method (which requires Content Release version 590-3397 or later) enables the GlobalProtect app to authenticate the user and establish a VPN tunnel to Prisma Access before the user logs in to the endpoint. Unlike the pre-logon connect method, after the user logs in, users must manually launch the app to connect to GlobalProtect if the connection is terminated for any reason. The benefit of this option is that you can allow users to specify a new password after their password expires or they forget their password, but still require users to manually initiate the connection after they log in.
GlobalProtect	Decide what GlobalProtect app settings the user can adjust: Disable GlobalProtect —Decide whether or not users can disable the GlobalProtect app. Users that disable the GlobalProtect app can not connect to Prisma Access (and your protected company resources) until they turn the app back on. Upgrade GlobalProtect —Specify how app upgrades should work, including whether users can initiate updates. If you want to control when users can upgrade, you can customize the app upgrade on a per-configuration basis. For example, if you want to test a release on a small group of users before deploying it to your entire user base, you can create a configuration that applies to users in your IT group only, thus allowing them to upgrade and test while disabling upgrades in all other user/group configurations. After you have thoroughly tested the new version, you can modify the agent configurations for the rest of your users to allow the upgrade. Allow with Prompt —Prompt users to upgrade when a new version of the app is available. Allow Transparently —Upgrades occur automatically without user interaction. Internal —Upgrades occur automatically without user interaction when the user is connected to Prisma Access. Disallow —Prevent app upgrades. Allow Manually —Let users initiate app upgrades from inside the GlobalProtect app. Uninstall GlobalProtect —Allow users to uninstall the GlobalProtect app, prevent them from uninstalling the GlobalProtect app, or allow them to uninstall if they specify a password you create. User Can Change Portal —Let users change the portal the GlobalProtect app uses to connect to Prisma Access. Enable Welcome Page —Let users configure welcome page individually for all the GlobalProtect app settings. You can select the predefined factory default page, custom page, or none. If you select None, then the welcome page is not enabled for that app setting.
App Configuration -Advanced Options
App Settings	Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)—Select No to prevent the GlobalProtect app from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
User Behavior Settings	User Behavior settings include:
Authentication Settings	Authentication settings include:
VPN Settings	Configure VPN timeout and tunnel settings: Display IPSec to SSL Fallback Notification —Select No to prevent pop-up notifications when the GlobalProtect app fails to establish connection to an IPSec tunnel and falls back to an SSL tunnel. Select Yes (default) to allow pop-up notifications when the connection changes.
Enforcement Settings	Enforce settings for specified traffic: Allow traffic to specified FDQN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is established — Learn more. Automatically Launch Webpage in Default Browser Upon Captive Portal Detection — To automatically launch your default web browsers so that users can log in to the authentication portal seamlessly, enter the fully qualified domain name (FQDN) or IP address of the website that you want to use for the initial connection attempt that initiates web traffic when the default web browser launches (maximum length is 256 characters). The authentication portal then intercepts this website connection attempt and redirects the default web browser to the authentication portal login page. If this field is empty (default), Prisma Access does not launch the default web browser automatically upon authentication portal detection. Enable Advance Internal Host Detection — Enable advance internal host detection to add an extra security layer during internal host detection by the GlobalProtect app. With the advance internal host detection, the app validates the server certificate of the internal gateways in addition to performing a reverse DNS lookup of the internal host to determine whether the app is inside the enterprise network. Enabling the advanced internal host detection stops malicious actors from spoofing the reverse DNS server response during the internal host detection and thereby prevents unauthorized access to the endpoints in the enterprise network. If you do not enable the advance internal host detection, the existing internal host detection works as expected.
Connection Behavior Settings	Connection Behavior settings include: Learn more.
DNS Settings	DNS settings include:
Proxy Settings	Specify the Proxy Auto-Configuration (PAC) File URL that you want to push to the endpoint to configure proxy settings. The maximum URL length is 256 characters. The following Proxy Auto-Configuration (PAC) File URL methods are supported: Proxy Auto-Config (PAC) standard (for example, http://pac.<hostname or IP>/proxy.pac). Web Proxy Auto-Discovery Protocol (WPAD) standard (for example, http://wpad.<hostname or IP>/wpad.dat).
MFA Settings	MFA settings include:
Troubleshooting Settings	Troubleshooting settings include:
Device Quarantine Settings	Device Quarantine settings include:
Internal Host Detection	If you do not require your mobile users to connect to Prisma Access when they are on the internal network, enable internal host detection to enable the GlobalProtect app to determine if it is on an internal or external network. Enter the IP Address (IPv4 or IPv6) of a host that can be resolved from the internal network only. Enter the DNS Hostname that resolves to the IP address you enter. When a mobile user connects to Prisma Access, the GlobalProtect app attempts to do a reverse DNS lookup on the specified address. If the lookup fails, the GlobalProtect app determines that it is on the external network and then initiates a connection to Prisma Access.
Gateways	By default, all the gateways in your Prisma Access locations are available to users. If you have additional GlobalProtect gateways (internal or external) that you’d like your users to be able to connect to, you can add those gateways here.
HIP Data Collection	Define custom host information profile (HIP) data that you want the app to collect or exclude from collection. When this option is enabled, the app collects data from devices running Windows, Mac, or Linux operating systems. For example, a custom check could enable you to know whether a certain application is installed or running on an endpoint.The data that you define to be collected in a custom check is included in the raw host information data that the GlobalProtect app collects and then submits to Prisma Access when the app connects. To monitor the data collected with custom checks, create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match to endpoint traffic and enforce security rules. Go to Manage Configuration > Objects > HIP Objects / HIP Profiles .