GlobalProtect — Customize Tunnel Settings

Customize the settings for the VPN tunnel the GlobalProtect app establishes to connect to Prisma Access.
Customize the settings for the VPN tunnel the GlobalProtect app establishes to connect to Prisma Access.
Tunnel settings include split tunneling options that you can use to define what traffic the app sends to Prisma Access and what can be routed locally instead (like bandwidth intensive applications that aren’t required for business use).
The
Match Criteria
you define for tunnel settings tells Prisma Access the users, devices, or systems that should receive the settings. For example, you could specify that a tunnel settings rule applies to all instances of the GlobalProtect app in a certain region.
You can explore all GlobalProtect tunnel settings on the
GlobalProtect App
page, and here are examples of some of the options available to you.
Custom Tunnel Settings
Explore and customize tunnel settings here —>
Authentication Override
Enable Prisma Access to generate and accept secure, encrypted cookies for user authentication. Turning this on allows the user to provide login credentials only once during the specified period of time.
  • Generate cookie for authentication override
    —Enables the Prisma Access to generate encrypted, endpoint-specific cookies and issue authentication cookies to the endpoint.
  • Accept cookie for authentication override
    —Enables Prisma Access to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, Prisma Access verifies that the cookie was encrypted by Prisma Access originally, decrypts the cookie, and then authenticates the user.
    The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to Prisma Access for user authentication.
  • Cookie Lifetime
    —Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1 to 72; for weeks is 1 to 52; and for days is 1 to 365. After the cookie expires, the user must re-enter their login credentials and then Prisma Access subsequently encrypts a new cookie to send to the app. This value can be the same as or different from the Cookie Lifetime that you configure.
  • Certificate to Encrypt/Decrypt Cookie
    —Selects the RSA certificate used to encrypt and decrypt the cookie.
Split Tunneling
Split tunneling conserves bandwidth by excluding traffic Prisma Access that is not business critical or does not enable productivity. Here you can define what traffic the GlobalProtect app allows or disallows through the VPN tunnel to Prisma Access.
  • Local Network Access
    —Give Windows and Mac users access to local resources, without requiring them to first connect to Prisma Access.
  • Exclude Traffic
    —Specify traffic to exclude from Prisma Access policy inspection and enforcement based on application, domain, and route (like an IP address).
  • Customize Include Traffic
    —By default, the GlobalProtect app routes all traffic to Prisma Access except what's in the exclude list. Specify traffic that the GlobalProtect app should always route to Prisma Access, even when it meets exclude list criteria.
Exclude Video Stream Traffic
Choose not to send video streaming traffic from the listed applications to Prisma Access. Right now, this setting is applied globally: video streaming exclusions are applied to all traffic the GlobalProtect app sends to Prisma Access, not just the match criteria you've defined for this rule.

Recommended For You