GlobalProtect — Customize App Settings

Customize how your end users interact with the GlobalProtect app.
Customize how your end users interact with the GlobalProtect app.
There are some settings that you can customize globally. These
global app settings
apply to the GlobalProtect app across all devices. Other GlobalProtect app settings are set by default. You can then customize these options and, based on
match criteria
, target them to specific users and devices. The match criteria you define for app settings tells Prisma Access the users, devices, or systems that should receive the settings. For example, you could specify that a rule applies only to devices with serial numbers that match Active Directory entries.
You can explore all GlobalProtect settings on the
GlobalProtect App
page, and here are examples of some of the options available to you.
GlobalProtect App Settings
Explore and customize app settings here —>
Authentication Override
Enable Prisma Access to generate and accept secure, encrypted cookies for user authentication. Turning this on allows the user to provide login credentials only once during the specified period of time.
  • Generate cookie for authentication override
    —Enables the Prisma Access to generate encrypted, endpoint-specific cookies and issue authentication cookies to the endpoint.
  • Accept cookie for authentication override
    —Enables Prisma Access to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, Prisma Access verifies that the cookie was encrypted by Prisma Access originally, decrypts the cookie, and then authenticates the user.
    The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to Prisma Access for user authentication.
  • Cookie Lifetime
    —Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1 to 72; for weeks is 1 to 52; and for days is 1 to 365. After the cookie expires, the user must re-enter their login credentials and then Prisma Access subsequently encrypts a new cookie to send to the app. This value can be the same as or different from the Cookie Lifetime that you configure.
  • Certificate to Encrypt/Decrypt Cookie
    —Selects the RSA certificate used to encrypt and decrypt the cookie.
Connection
Specify the method that the GlobalProtect app uses to
Connect
to Prisma Access.
  • User-logon (Always On)
    —The GlobalProtect app automatically connects to Prisma Access as soon as the user logs in. When used in conjunction with SSO (Windows endpoints only), the login is transparent to the end user.
    On iOS endpoints, this setting prevents one-time password (OTP) applications from working because the GlobalProtect app forces all traffic to go through the tunnel.
  • Pre-logon (Always On)
    —The GlobalProtect app authenticates the user and establishes a VPN tunnel to Prisma Access before the user logs in. This option requires that you use an external PKI solution to pre-deploy a machine certificate to each device that receives these settings.
  • On-demand (Manual user initiated connection)
    —Users must manually launch the app to connect to GlobalProtect.
  • Pre-logon then On-demand
    —Similar to the Pre-logon (Always On) connect method, this connect method (which requires Content Release version 590-3397 or later) enables the GlobalProtect app to authenticate the user and establish a VPN tunnel to Prisma Access before the user logs in to the endpoint. Unlike the pre-logon connect method, after the user logs in, users must manually launch the app to connect to GlobalProtect if the connection is terminated for any reason. The benefit of this option is that you can allow users to specify a new password after their password expires or they forget their password, but still require users to manually initiate the connection after they log in.
GlobalProtect
Decide what GlobalProtect app settings the user can adjust:
  • Disable GlobalProtect
    —Decide whether or not users can disable the GlobalProtect app. Users that disable the GlobalProtect app can not connect to Prisma Access (and your protected company resources) until they turn the app back on.
  • Upgrade GlobalProtect
    —Specify how app upgrades should work, including whether users can initiate updates.
    If you want to control when users can upgrade, you can customize the app upgrade on a per-configuration basis. For example, if you want to test a release on a small group of users before deploying it to your entire user base, you can create a configuration that applies to users in your IT group only, thus allowing them to upgrade and test while disabling upgrades in all other user/group configurations. After you have thoroughly tested the new version, you can modify the agent configurations for the rest of your users to allow the upgrade.
    • Allow with Prompt
      —Prompt users to upgrade when a new version of the app is available.
    • Allow Transparently
      —Upgrades occur automatically without user interaction.
    • Internal
      —Upgrades occur automatically without user interaction when the user is connected to Prisma Access.
    • Disallow
      —Prevent app upgrades.
    • Allow Manually
      —Let users initiate app upgrades from inside the GlobalProtect app.
  • Uninstall GlobalProtect
    —Allow users to uninstall the GlobalProtect app, prevent them from uninstalling the GlobalProtect app, or allow them to uninstall if they specify a password you create.
  • User Can Change Portal
    —Let users change the portal the GlobalProtect app uses to connect to Prisma Access.
Internal Host Detection
If you do not require your mobile users to connect to Prisma Access when they are on the internal network, enable internal host detection to enable the GlobalProtect app to determine if it is on an internal or external network.
  • Enter the IP Address (IPv4 or IPv6) of a host that can be resolved from the internal network only.
  • Enter the DNS Hostname that resolves to the IP address you enter.
When a mobile user connects to Prisma Access, the GlobalProtect app attempts to do a reverse DNS lookup on the specified address. If the lookup fails, the GlobalProtect app determines that it is on the external network and then initiates a connection to Prisma Access.
Gateways
By default, all the gateways in your Prisma Access locations are available to users. If you have additional GlobalProtect gateways (internal or external) that you’d like your users to be able to connect to, you can add those gateways here.
HIP Data Collection
Define custom host information profile (HIP) data that you want the app to collect or exclude from collection. When this option is enabled, the app collects data from devices running Windows, Mac, or Linux operating systems.
For example, a custom check could enable you to know whether a certain application is installed or running on an endpoint.The data that you define to be collected in a custom check is included in the raw host information data that the GlobalProtect app collects and then submits to Prisma Access when the appconnects.
To monitor the data collected with custom checks, create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match to endpoint traffic and enforce security rules.
Go to
Objects
HIP Objects / HIP Profiles
.
Allow traffic to specified fqdn when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established
Automatically Launch Webpage in Default Browser Upon Captive Portal Detection
To automatically launch your default web browser so that users can log in to the authentication portal seamlessly, enter the fully qualified domain name (FQDN) or IP address of the website that you want to use for the initial connection attempt that initiates web traffic when the default web browser launches (maximum length is 256 characters). The authentication portal then intercepts this website connection attempt and redirects the default web browser to the authentication portal login page. If this field is empty (default), Prisma Access does not launch the default web browser automatically upon authentication portal detection.
GlobalProtect Connection MTU
Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
Select No to prevent the GlobalProtect app from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
App Settings
User Behavior Settings
Authentication Settings
VPN Settings
Enforcement Settings
Connection Behavior Settings
DNS Settings
Proxy Settings
MFA Settings

Recommended For You