
GlobalProtect App New Features Guide

4.1

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2018-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
January 29, 2019

2 GLOBALPROTECT APP NEW FEATURES GUIDE |


Table of Contents
New Features Released in GlobalProtect App 4.1
    GlobalProtect User Experience Enhancements
    GlobalProtect App for Linux
        GlobalProtect App for Linux Requirements and Features
        Get Started with the GlobalProtect App for Linux
    Optimized Split Tunneling for GlobalProtect
    Kerberos Authentication Support for macOS
    SAML SSO for GlobalProtect on Chromebooks
    GlobalProtect Credential Provider Pre-Logon Connection Status
    Active Directory Password Change Using the GlobalProtect Credential Provider
    Expired Active Directory Password Change for Remote Users
    Multiple Portal Support
    Static IP Address Assignment
    Customizable Username and Password Labels
    Gateway-Level IP Pools
    Primary Username Visibility on GlobalProtect Gateways
    OPSWAT SDK V4 Support
    GlobalProtect App for Android Enhancements
    Tunnel Connections Over Proxies
    Captive Portal Notification Delay

New Features Released in GlobalProtect App 4.1
GlobalProtect app 4.1 introduces the following new features:

> GlobalProtect User Experience Enhancements
> GlobalProtect App for Linux
> Optimized Split Tunneling for GlobalProtect
> Kerberos Authentication Support for macOS
> SAML SSO for GlobalProtect on Chromebooks
> GlobalProtect Credential Provider Pre-Logon Connection Status
> Active Directory Password Change Using the GlobalProtect Credential Provider
> Expired Active Directory Password Change for Remote Users
> Multiple Portal Support
> Static IP Address Assignment
> Customizable Username and Password Labels
> Gateway-Level IP Pools
> Primary Username Visibility on GlobalProtect Gateways
> OPSWAT SDK V4 Support
> GlobalProtect App for Android Enhancements
> Tunnel Connections Over Proxies
> Captive Portal Notification Delay

© 2019 Palo Alto Networks, Inc.
GlobalProtect User Experience Enhancements
Software Support: Starting with GlobalProtect™ App 4.1
OS Support: Windows 7 and later releases and macOS 10.10 and later releases
GlobalProtect app 4.1 for Windows and macOS endpoints introduces an enhanced user experience through
a more modern and streamlined user interface and a more intuitive connection process.

GlobalProtect app 4.1 is supported on Windows 7 and later releases and macOS 10.10 and
later releases.

The following enhancements are introduced in GlobalProtect app 4.1:

• A Status Panel that displays the state of the GlobalProtect connection and allows end users to connect
to or disconnect from GlobalProtect.
• A Settings Panel that allows end users to view and modify the GlobalProtect app settings.
• Seamless Login connection experience from the status panel or sign-in window.
• Resilient Connection that enables GlobalProtect to reconnect automatically after network interruptions.
• Centralized Notification Management.

Status Panel
The status panel is the main window in the GlobalProtect app that displays when you launch GlobalProtect.
The status panel displays the state of the GlobalProtect connection and allows end users to connect to or
disconnect from GlobalProtect.

The VPN connection states include:

• Connecting
• Connected
• Connected – Internal
• Disconnecting
• Not connected (available only in On-Demand mode)
• Disabled (available only in Always On mode)
• Connection Failed
The status panel also contains the settings menu, which provides additional information and options for the
GlobalProtect app.

The settings menu includes the following options:
• Settings—Opens the GlobalProtect Settings panel where end users can view and modify their
GlobalProtect app settings.
• About—Opens the About window, which displays the version of GlobalProtect currently installed on the
endpoint and allows users to Check for Updates.
• Welcome Page—If you customize the Welcome page, end users will see the custom welcome message
on the Welcome Page (default is “Welcome Page”).
• Refresh Connection—Allows end users to perform network discovery. This option is available only if
you Enable Rediscover Network Option in the GlobalProtect portal agent configuration (Network >
GlobalProtect > Portals > <portal-config> > GlobalProtect Portal Configuration > Agent > <agent-config> >
Configs > App).
• Disable—Disables the GlobalProtect app. This option is available only if you configure the Connect
Method as User Logon (Always On) and Allow User to Disable GlobalProtect App in the GlobalProtect
portal agent configuration (Network > GlobalProtect > Portals > <portal-config> > GlobalProtect Portal
Configuration > Agent > <agent-config> > Configs > App).
• Troubleshooting—Opens the Troubleshooting tab of the GlobalProtect Settings panel. The
Troubleshooting tab displays information about the network configuration, route settings, active
connections, and logs. End users can also Collect Logs to send to the system administrator when
troubleshooting errors on their endpoint.
• Help—Opens the GlobalProtect Help page, which provides general information about how to use the
GlobalProtect app. This option does not display on the Settings menu if you disable (select None) the
App Help Page in the GlobalProtect portal configuration (Network > GlobalProtect > Portals >
<portal-config> > GlobalProtect Portal Configuration > General > Appearance).

Settings Panel
The GlobalProtect Settings panel allows end users to view and modify the following settings for the
GlobalProtect app:
• General—The General tab displays the username and portal(s) associated with the GlobalProtect
account. Users can also add, delete, or modify portals from this tab.

• Connection—The Connection tab lists the gateways configured for the GlobalProtect app and provides
the following information about each gateway:
• Gateway name
• Tunnel status
• Authentication status
• Connection type
• Gateway IP address or FQDN (available only in external mode)

For internal mode, the Connection tab displays the entire list of available gateways.
For external mode, the Connection tab displays the gateway to which the endpoint is
connected and additional details about the gateway (such as the gateway IP address and
uptime).

Figure 1: Connection Tab When in Internal Mode

Figure 2: Connection Tab When in External Mode
• Host Profile—The Host Profile tab displays the endpoint data that GlobalProtect uses to monitor and
enforce security policies using the Host Information Profile (HIP). End users can Resubmit Host Profile
to manually resubmit HIP data to the gateway.

• Troubleshooting—On macOS endpoints, the Troubleshooting tab allows end users to Collect Logs and
set the Logging Level. On Windows endpoints, the Troubleshooting tab allows users to Collect Logs,
set the Logging Level, and view information about the network configuration, route settings, active
connections, and logs.

Figure 3: Troubleshooting Tab on Windows Endpoints

Figure 4: Troubleshooting Tab on macOS Endpoints


• Notifications—The Notifications tab displays the list of notifications triggered on the GlobalProtect app.
To view more details about a specific notification, double-click the notification.

Seamless Login
When you configure GlobalProtect with the On-Demand connect method, end users must launch the
GlobalProtect app from the system tray to manually initiate the connection. After the connection initiates,
users can continue the login process on the status panel to establish the connection.
End users perform the following steps to establish a GlobalProtect connection from the status panel:
1. Launch the GlobalProtect app; the status panel opens.
2. (Optional) If logging in to GlobalProtect for the first time, enter the GlobalProtect portal address.

3. (Optional) If multiple portals are saved on the app, select a portal from the portal drop-down. By default,
the most recently connected portal is preselected from the portal drop-down.
4. (Optional) By default, the endpoint is automatically connected to the Best Available gateway based
on the configuration that the administrator defines and the response times of the available gateway.
To manually connect to a specific gateway, select the gateway from the Gateway drop-down (external
gateways only).
5. (Optional) Depending on the connection mode, click Connect to initiate the connection.
6. (Optional) If prompted, enter your username and password, and then Sign-In.

When you configure GlobalProtect with the Always On connect method, the connection initiates
automatically, which allows end users to establish a connection without launching the GlobalProtect app.
If you configure the GlobalProtect portal agent to Save User Credentials (Network > GlobalProtect >
Portals > <portal-config> > GlobalProtect Portal Configuration > Agent > <agent-config> > Configs >
Authentication), the connection establishes automatically without requiring any user interaction. If you
disable the Save User Credentials option, then end users can log in and establish a connection using the
Sign In pop-up window (when prompted).

Resilient Connection
If you enable resilient VPN, GlobalProtect automatically attempts to reconnect each time the network
connection drops and comes back up. During the connection attempt, the status panel displays the
Connecting state with a Restoring VPN connection status message. If GlobalProtect is unable
to connect to the network, the status panel displays Not Connected and a No network connection
available status message. To terminate a connection attempt, Cancel it.

Notification Management
If multiple GlobalProtect notifications trigger at the same time, end users can view a summary list of the
notifications using one of the following methods:
• View More Notifications from the notification pop-up window.
• Select the Notifications tab on the GlobalProtect Settings panel.

The notifications list resets (removes previous notifications) each time the GlobalProtect app reconnects to
the portal (internal mode) or gateway (external mode). To view more details about a specific notification,
double-click the notification.

GlobalProtect App for Linux
The new GlobalProtect™ app for Linux extends User-ID™, two-factor authentication, and security policy
enforcement to users on Linux endpoints.
• GlobalProtect App for Linux Requirements and Features
• Get Started with the GlobalProtect App for Linux
• Install and Use the GlobalProtect App—See the GlobalProtect App User Guide

GlobalProtect App for Linux Requirements and Features


The following tables describe the requirements and features of the GlobalProtect app for Linux.

Table 1: GlobalProtect App for Linux Requirements

Requirement: Processor
Details: x86 instruction set with 64-bit processor

Requirement: RAM
Details: 256MB minimum

Requirement: Disk space
Details: 100MB minimum

Requirement: Operating systems
Details: Palo Alto Networks supports GlobalProtect on multiple Linux operating systems. To determine
the minimum GlobalProtect release for a specific operating system, refer to Where Can I Install the
GlobalProtect App? in the Palo Alto Networks® Compatibility Matrix.

Requirement: Packages
Details:
• .deb
• .rpm
• .tar

Requirement: Portal and gateway support
Details: PAN-OS 7.1 and later releases

Requirement: License
Details: GlobalProtect Subscription on each gateway that supports Linux endpoints.

Table 2: GlobalProtect App for Linux Features

Feature: VPN
Support:
• SSL
• IPSec
GlobalProtect app for Linux supports one tunnel per Linux endpoint.

Feature: User interface
Support: Command-line interface (CLI) only

Feature: Portal and gateway authentication
Support:
• Two-factor authentication
• Client certificate authentication
• SCEP for certificate distribution
• Server certificate validation
• Authentication cookies

Feature: Networking
Support:
• IP addressing—IPv4 and IPv6 addresses
• Split tunneling (include and exclude routes)

Feature: Proxy
Support: Manual proxy server configuration

Feature: HIP data collection
Support: Host state information only

Feature: Upgrade capability
Support: Manual upgrades only

Feature: Status reporting
Support:
• Notifications
• Errors

Feature: Connect method
Support:
• User-logon
• On-demand

Feature: App customization (for more information, see Customize the GlobalProtect App)
Support:
• Connect Method (see above for options)
• GlobalProtect App Config Refresh Interval
• Allow Endpoint User to Disable GlobalProtect App
• SCEP Certificate Renewal Period (days)
• Enable Rediscover Network Option
• Enable Resubmit Host Profile Option
• Allow Endpoint User to Change Portal Address
• Allow Endpoint User to Continue when Portal Server Certificate is Invalid
• Custom Password Expiration Message (LDAP Authentication Only)
• Maximum Internal Gateway Connection Attempts
• Portal Connection, TCP Connection, and TCP Receive Timeouts
• Passcode/Confirm Passcode
• Max Times User Can Disable, and Disable Timeout

Get Started with the GlobalProtect App for Linux


The GlobalProtect app for Linux supports the installation packages as described in GlobalProtect App for
Linux Requirements and Features.
If the requirements for your Linux endpoints are different than the requirements for other endpoints, you
can configure your GlobalProtect portal and gateways with settings that apply only to Linux endpoints.
To get started with the GlobalProtect app for Linux:

STEP 1 | Configure your GlobalProtect gateways to support the GlobalProtect app for Linux.
1. Complete the prerequisite tasks for setting up a GlobalProtect gateway.
2. Install a GlobalProtect subscription for each gateway that supports the GlobalProtect app for Linux.

3. Customize a gateway configuration for your Linux endpoints:
When you configure a gateway, you can specify client authentication settings that apply specifically
to Linux. For example, you can configure Windows and Mac endpoints to use two-factor
authentication and require Linux endpoints to use certificate-based authentication.
You can also configure supported network and client settings—such as specific IP pools, access
routes, cookie authentication, and split tunneling—for Linux endpoints.
1. Select Network > GlobalProtect > Gateways and then select or Add a gateway configuration.
2. Add a Client Authentication configuration for Linux endpoints:
1. Select Authentication and Add a new Client Authentication configuration.
2. Enter a Name to identify the Client Authentication configuration, set OS to Linux, specify the
Authentication Profile and, optionally, enter an authentication message to provide endpoint
users with instructions or additional information when they authenticate from their Linux
endpoint.
3. Click OK.
3. To configure specific client settings that apply to only Linux endpoints, configure a new Client
Settings configuration:
1. Select Agent and Add a new Client Settings configuration.
2. Configure the Client Authentication settings as desired.
3. Select User/User Group and then Add an OS, and select Linux.
4. Click OK.
4. Click OK.
5. Commit the configuration.

STEP 2 | Configure the portal to support the GlobalProtect app for Linux.
To support the GlobalProtect app for Linux, you must configure one or more gateways to which the app
can connect and then configure the portal and app settings. The portal sends configuration information
and information about the available gateways to the app. After receiving the configuration from the
GlobalProtect portal, the app discovers the gateways listed in the client configuration and selects
the best gateway. Use the following workflow to configure the GlobalProtect portal to support the
GlobalProtect app for Linux.
1. If you have not already done so, complete the prerequisite tasks for setting up a GlobalProtect portal.
2. Define client settings for Linux users to authenticate to the portal.
1. Select Network > GlobalProtect > Portals and then select a portal configuration.
2. Configure Client Authentication settings that apply to Linux endpoints when users access the
portal:
1. Select Authentication and then Add a new Client Authentication configuration.
2. Enter a Name to identify the Client Authentication configuration, set OS to Linux, specify the
Authentication Profile to use for authenticating users on this portal, and then—optionally—
enter an authentication message to provide users with instructions or additional information.
3. Customize an agent configuration for Linux endpoints.
Whether you modify an existing configuration or create a new one depends on your environment.
For example, if you use OS-specific gateways or want to collect host information that is specific to
Linux endpoints, consider creating a new agent configuration.
For information about supported features, see GlobalProtect App for Linux Requirements and
Features.
1. Define a GlobalProtect Agent Configuration:
2. Select Agent and select an existing or Add a new portal agent configuration.

3. Configure the Authentication settings for Linux endpoints.
4. Select User/User Group and then add an OS and select Linux.
5. Specify the external gateways to which users with this configuration can connect.
6. (Optional) Select App and customize the applicable portal settings for the GlobalProtect app for
Linux. The GlobalProtect app discards any additional settings that do not apply.
7. Click OK twice.
8. Commit the configuration.
4. Enforce Policies on the GlobalProtect app for Linux (Objects > GlobalProtect > HIP Objects).
With the release of the GlobalProtect app for Linux, you can now create HIP objects using Host Info
that is specific to Linux endpoints and use it for match conditions in any HIP profiles. You can then
use a HIP profile as a match condition in a policy rule to enforce the corresponding security policy.
The following table defines the criteria that is specific to Linux that you can use when you create a
HIP object.
1. Select General > Host Info > OS.
2. Select Contains: Linux: <version> to create a HIP object that looks for information about
endpoints running a specific version of Linux. To create a HIP object for all Linux versions, select
All.
3. Click OK.
4. Configure HIP-Based Policy Enforcement.

STEP 3 | Download the GlobalProtect app for Linux.


1. From the Support Site, select Software Updates and locate the app package in the GlobalProtect App
for Linux section.
2. Download the TGZ file for the version of the GlobalProtect app for Linux you want to install.
3. Use software distribution and installation tools of your choice to deploy and install the app package
on multiple Linux servers or proceed to the following steps to manually copy the software to a server.
4. Copy the TGZ file to the Linux endpoint.
For example, if you downloaded the package to a Mac endpoint, you can open a terminal and then
copy the file:

macUser@mac:~$ scp ~/Downloads/PanGPLinux-4.1.0.tgz linuxUser@linuxHost:<DestinationFolder>

where <DestinationFolder> is a location such as ~/pkgs/ where you want to store the TGZ
file.
5. From the Linux endpoint, unzip the package.

user@linuxhost:~$ tar -xvf ~/pkgs/PanGPLinux-4.1.0.tgz

After you unzip the package, you will see installation packages—DEB for Ubuntu and RPM for
CentOS and Red Hat—and the scripts to install and uninstall the packages.
6. Install and use the GlobalProtect App—See the GlobalProtect App User Guide.

Optimized Split Tunneling for GlobalProtect
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases
OS Support: Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases
In addition to route-based split tunneling, the GlobalProtect app for Windows and macOS endpoints now
supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming
application.

This enhancement requires a GlobalProtect subscription.

This enhancement enables you to:


• Tunnel enterprise SaaS and public cloud applications for comprehensive SaaS application visibility and
control to avoid risks associated with Shadow IT in environments where it is not feasible to tunnel all
traffic.
• Send latency-sensitive traffic, such as VoIP, outside the VPN tunnel, while all other traffic goes through
the VPN for inspection and policy enforcement by the GlobalProtect gateway.
• Exclude HTTP/HTTPS video streaming traffic from the VPN tunnel. Video streaming applications, such
as YouTube and Netflix, consume large amounts of bandwidth. By excluding lower risk video streaming
traffic from the VPN tunnel, you can decrease bandwidth consumption on the gateway.

The firewall App-ID functionality identifies the video stream before allowing traffic to be split
tunneled.

The following list describes the order in which the split tunnel rules are applied:

When you configure a split tunnel to include traffic based on the application process name or destination
domain and port (optional), all traffic for that specific application or domain is sent through the VPN tunnel
for inspection and policy enforcement. For example, you can allow all Salesforce traffic to go through the
VPN tunnel using the *Salesforce.com destination domain. By including all Salesforce traffic in the VPN
tunnel, you can provide secure access to the entire Salesforce domain and subdomains.
When you configure a split tunnel to exclude traffic based on the application process name or destination
domain and port (optional), all traffic for that specific application or domain is sent directly to the physical
adapter on the endpoint without inspection. For example, you can exclude all Skype traffic from the VPN
tunnel using the C:\Program Files (x86)\Skype\Phone\Skype application process name.
Use the following steps to configure a split tunnel for public applications or video streams:

• Configure a split tunnel to include or exclude public applications based on the destination
domain:
1. Configure a GlobalProtect gateway.
Select Network > GlobalProtect > Gateways to modify an existing gateway or Add a new one.
2. Enable split tunneling.
1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
2. Configure the tunnel parameters for the GlobalProtect app.
3. Configure a split tunnel to include or exclude SaaS or public cloud applications based on the
destination domain and port (optional).

This feature supports both IPv4 and IPv6 traffic.

1. On the Agent > Client Settings tab, select an existing client setting or Add a new one.
2. Disable the No direct access to local network option (Split Tunnel > Access Route). If enabled,
this setting disables split tunneling on Windows, Linux, and macOS networks.
3. (Optional) Add the SaaS or public cloud applications that you want to route to GlobalProtect
through the VPN connection using the destination domain and port (Split Tunnel > Domain
and Application > Include Domain). You can add up to 200 entries to the list. For example, add
*.office365.com to allow all Office 365 traffic to go through the VPN tunnel.
4. (Optional) Add the SaaS or public cloud applications that you want to exclude from the VPN
tunnel using the destination domain and port (Split Tunnel > Domain and Application > Exclude
Domain). You can add up to 200 entries to the list. For example, add *.engadget.com to
exclude all Engadget traffic from the VPN tunnel.
5. Click OK to save your client settings.
4. Save the gateway configuration.
1. Click OK to save the gateway configuration.
2. Commit your changes.

• Configure a split tunnel to include or exclude public applications based on the application
process name:
1. Configure a GlobalProtect gateway.
Select Network > GlobalProtect > Gateways to modify an existing gateway or add a new one.
2. Enable split tunneling.
1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
2. Configure the tunnel parameters for the GlobalProtect app.
3. Configure a split tunnel to include or exclude SaaS or public cloud applications based on the
application process name.

This feature supports both IPv4 and IPv6 traffic.

1. On the Agent > Client Settings tab, select an existing client setting or Add a new one.
2. Disable the No direct access to local network option (Split Tunnel > Access Route). This setting
disables split tunneling on Windows, Linux, and macOS networks.
3. (Optional) Add the SaaS or public cloud applications that you want to route to GlobalProtect
through the VPN connection using the application process name (Split Tunnel > Domain and
Application > Include Client Application Process Name). You can add up to 200 entries to the list.
For example, add /Application/Safari.app/Contents/MacOS/Safari to allow all Safari-
based traffic to go through the VPN tunnel on macOS endpoints.
4. (Optional) Add the SaaS or public cloud applications that you want to exclude from the VPN
tunnel using the application process name (Split Tunnel > Domain and Application > Exclude
Client Application Process Name). You can add up to 200 entries to the list. For example, add
/Applications/Microsoft Lync.app/Contents/MacOS/MicrosoftLync to exclude all
Microsoft Lync application traffic from the VPN tunnel.
5. Click OK to save your client settings.
4. Save the gateway configuration.
1. Click OK to save the gateway configuration.
2. Commit your changes.

• Configure a split tunnel to exclude video streaming traffic:


1. Configure a GlobalProtect gateway.
Select Network > GlobalProtect > Gateways to modify an existing gateway or add a new one.
2. Enable split tunneling.
1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
2. Configure the tunnel parameters for the GlobalProtect app.
3. Configure a split tunnel to exclude video streaming traffic from the VPN tunnel.
All video traffic types are redirected for the following video streaming applications:
• YouTube
• Dailymotion
• Netflix
If you exclude any other video streaming applications from the VPN tunnel, only the following video
traffic types are redirected for those applications:
• MP4
• WebM
• MPEG

The App-ID functionality on the firewall identifies the video stream before traffic can be
split tunneled.

If the physical adapter on a Windows or macOS endpoint supports only IPv4
addresses, the endpoint user cannot access the video streaming applications that
you exclude from the VPN tunnel when you configure the GlobalProtect gateway to
assign IPv6 addresses to the virtual network adapters on the endpoints that connect
to the gateway. In this case, ensure that the IP pools used to assign IP addresses to
the virtual network adapters on these endpoints do not include any IPv6 addresses
(Network > GlobalProtect > Gateways > Agent > Client IP Pool or Client Settings > IP
Pools).

If you exclude video streaming traffic from the VPN tunnel (Network > GlobalProtect >
Gateways > <gateway-config> > Agent > Video Traffic), do not include web browser
applications, such as Firefox or Chrome, in the VPN tunnel (Network > GlobalProtect >
Gateways > <gateway-config> > Agent > Client Settings > <client-setting> > Split
Tunnel > Domain and Application). This ensures that there is no conflicting logic in the
split tunnel configuration and that your users can stream videos from web browsers.

To exclude Sling TV app traffic from the VPN tunnel, use application-based split
tunneling (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client
Settings > <client-setting-config> > Split Tunnel > Domain and Application > Exclude
Client Application Process Name).

1. On the Agent > Video Traffic tab, enable the option to Exclude video applications from the
tunnel.

If you enable this option but do not select specific video streaming applications to
exclude from the VPN tunnel, all video streaming traffic is excluded.
2. (Optional) Browse the Applications list to view all of the video streaming applications that you can
exclude from the VPN tunnel. Click the add icon for the application(s) that you want to exclude. For
example, click the add icon for directv to exclude DIRECTV video streaming traffic from the VPN tunnel.

3. (Optional) Add the video streaming applications that you want to exclude from the VPN tunnel
using the Applications drop-down—a shortened version of the Applications list that contains
some of the most popular video streaming applications. For example, select youtube-streaming
from the Applications drop-down to exclude all YouTube-based video streaming traffic from the
VPN tunnel.

4. Save the gateway configuration.
1. Click OK to save the gateway configuration.
2. Commit your changes.

Kerberos Authentication Support for macOS
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.0 and later releases
OS Support: macOS 10.10 and later releases
The GlobalProtect™ app for Mac endpoints now supports Kerberos V5 single sign-on (SSO) for
GlobalProtect portal and gateway authentication. Kerberos SSO maintains a seamless logon experience by
providing accurate User-ID™ information without user interaction. Networks that support Kerberos SSO
require end users to log in only during initial network access. After the initial login, end users can access
any Kerberos-enabled service in the network (such as webmail) without having to log in again until the SSO
session expires (the SSO session duration is established by the Kerberos administrator). This authentication
method helps identify users for user and HIP policy enforcement.
If you enable both Kerberos SSO and an external authentication service (such as RADIUS), GlobalProtect
attempts SSO first. You can configure GlobalProtect to fall back to an external authentication service when
SSO fails or you can configure GlobalProtect to use only Kerberos SSO for authentication.
In this implementation, the GlobalProtect portal and gateway act as Kerberos service principals and the
GlobalProtect app acts as a user principal that authenticates end users with a Kerberos service ticket from
the Key Distribution Center (KDC).
The following items must be in place for the GlobalProtect app for macOS endpoints to support Kerberos
SSO:
• A Kerberos infrastructure, which includes a KDC with an authentication server (AS) and a ticket-granting
service (TGS).
GlobalProtect supports the following KDCs:
• Microsoft Active Directory on Windows Server 2008 R2
• Microsoft Active Directory on Windows Server 2012
• MIT Kerberos V5

The KDC must be reachable from the endpoint on which the GlobalProtect app is running.
In most instances, the KDC is reachable only from inside the enterprise network, which
means the GlobalProtect app can use Kerberos authentication only when the endpoint is
internal. However, if the KDC is reachable from outside the enterprise network (from the
Internet), the GlobalProtect app can use Kerberos authentication when the endpoint is
external.
If the user certificate store contains at least one certificate that is issued by the same
CA as the certificate used for pre-logon tunnel establishment, you can also use
Kerberos authentication with pre-logon to enable the GlobalProtect app to use Kerberos
authentication when the endpoint is external.

When an end user attempts to access protected network resources using Kerberos authentication, the
AS grants the user a Ticket to Get Tickets (TGT), which is a service request used to generate service
tickets from the TGS. The service ticket is then used to authenticate the end user and establish a service
session.
• A Kerberos service account for each GlobalProtect portal and gateway.
Service accounts are required for creating Kerberos keytabs, which are files that contain the principal
name and password of each GlobalProtect portal or gateway.

• PAN-OS 8.0 or a later release.
• macOS version 10.10 or a later release.

STEP 1 | Create a Kerberos keytab file.
1. Log in to the KDC using your Kerberos service account credentials.
2. Open a command prompt and then enter the following command:

ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab

The <principal_name> and <password> are the principal name and password of the
GlobalProtect portal or gateway. The <algorithm> must match the algorithm in the
service ticket issued by the TGS, which is determined by the Kerberos administrator. If
the GlobalProtect portal or gateway is running in FIPS or CC mode, the algorithm must
be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. If the portal or gateway is
not running in FIPS or CC mode, you can also use des3-cbc-sha1 or arcfour-hmac.
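Before importing the keytab into the authentication profile, you can verify that every entry in it uses an algorithm the portal or gateway mode accepts. The following Python check is an added example, not Palo Alto Networks code: it parses the MIT keytab layout that ktpass writes and builds its own sample keytab inline, with a constructed principal name (HTTP/gp-gateway.example.local) and zero-filled keys.

```python
"""Pre-import check for a Kerberos keytab: in FIPS or CC mode only the two
AES enctypes named above are acceptable; otherwise des3-cbc-sha1 and
arcfour-hmac are also accepted. Added example; the keytab is constructed."""
import struct
import time

# Enctype numbers (RFC 3961/3962/4757) for the algorithms the guide names.
ENCTYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
FIPS_CC_ALLOWED = {17, 18}
NON_FIPS_ALLOWED = FIPS_CC_ALLOWED | {16, 23}
KRB5_NT_PRINCIPAL = 1  # the /ptype value in the ktpass command above

def _octets(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data

def _read_octets(data: bytes, pos: int):
    """Inverse of _octets; returns (bytes, new position)."""
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries) -> bytes:
    """Serialise (principal, realm, kvno, enctype, key) tuples into an
    MIT-format keytab (version 0x0502), the layout ktpass writes."""
    out = struct.pack(">H", 0x0502)
    for principal, realm, kvno, enctype, key in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        for component in components:
            body += _octets(component.encode())
        body += struct.pack(">II", KRB5_NT_PRINCIPAL, int(time.time()))
        body += struct.pack(">B", kvno & 0xFF)             # 8-bit kvno
        body += struct.pack(">H", enctype) + _octets(key)  # keyblock
        body += struct.pack(">I", kvno)                     # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes):
    """Return one dict per keytab entry (principal, realm, kvno, enctype)."""
    version, = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError(f"unsupported keytab format 0x{version:04x}")
    pos, entries = 2, []
    while pos < len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            raise ValueError("corrupt keytab: zero-length entry")
        if size < 0:             # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_octets(data, pos)
            components.append(component.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_octets(data, pos)
        kvno = vno8
        if end - pos >= 4:       # newer keytabs append a 32-bit kvno
            kvno, = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(components), "realm": realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": len(key),
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown")})
    return entries

def check_keytab(data: bytes, fips_cc_mode: bool):
    """Return (ok, problems): every entry must use an allowed enctype."""
    allowed = FIPS_CC_ALLOWED if fips_cc_mode else NON_FIPS_ALLOWED
    problems = [f"{e['principal']}@{e['realm']} (kvno {e['kvno']}) uses "
                f"enctype {e['enctype']} {e['enctype_name']}"
                for e in parse_keytab(data) if e["enctype"] not in allowed]
    return not problems, problems

# Constructed sample: a gateway service principal with an AES256 key and a
# legacy RC4 key (zero-filled keys stand in for real key material).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/gp-gateway.example.local", "EXAMPLE.LOCAL", 3, 18, bytes(32)),
    ("HTTP/gp-gateway.example.local", "EXAMPLE.LOCAL", 3, 23, bytes(16)),
])
```

On a real file, call check_keytab(open(path, "rb").read(), fips_cc_mode=True); the sample above is rejected in FIPS/CC mode because of its arcfour-hmac entry and accepted otherwise.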

STEP 2 | Create a server profile for Kerberos authentication.

STEP 3 | Import the Kerberos keytab file to an authentication profile.


1. Select Device > Authentication Profile.
2. Select an existing authentication profile or Add a new one.

3. In the Single Sign-On area, enter the Kerberos Realm (up to 127 characters), which is the domain
to which the end user belongs. For example, a user with the account name user@EXAMPLE.LOCAL
belongs to the EXAMPLE.LOCAL realm.
4. Import a Kerberos Keytab file to the authentication profile.
When the Import Keytab dialog opens, Browse to and select the keytab file, and then click OK.

5. Click OK to save your changes.

STEP 4 | Assign the authentication profile to an internal gateway. If the Kerberos authentication
infrastructure is deployed in an external gateway, such as a DMZ, you can also assign the
authentication profile to an external gateway.
1. Select Network > GlobalProtect > Gateways to modify an existing gateway or Add a new one.

2. Select an existing SSL/TLS Service Profile for securing the gateway, or Add a new service profile
(Network > GlobalProtect > Gateways > <gateway-config> > Authentication).
3. Add a Client Authentication configuration (Network > GlobalProtect > Gateways > <gateway-
config> > Authentication), and then configure the following settings:
• Name—Name of the client authentication configuration.

• OS—Operating systems on which the gateway can be accessed.
• Authentication Profile—Authentication profile to which your Kerberos keytab file was imported.
• (Optional) Username Label—Custom username label for GlobalProtect gateway login.
• (Optional) Password Label—Custom password label for GlobalProtect gateway login.
• (Optional) Authentication Message—Message that is displayed when end users authenticate to
the gateway.
4. Click OK to save your changes.

STEP 5 | Assign the authentication profile to the GlobalProtect portal.


1. Select Network > GlobalProtect > Portals.
2. Select an existing portal or Add a new one.

3. Select an existing SSL/TLS Service Profile for securing the portal, or Add a new service profile
(Network > GlobalProtect > Portals > <portal-config> > Authentication).
4. Add a Client Authentication configuration (Network > GlobalProtect > Portals > <portal-config> >
Authentication), and then configure the following settings:
• Name—Name of the client authentication configuration.
• OS—Operating systems on which the portal can be accessed.
• Authentication Profile—Authentication profile to which your Kerberos keytab file is imported.
• (Optional) Username Label—Custom username label for GlobalProtect portal login.
• (Optional) Password Label—Custom password label for GlobalProtect portal login.
• (Optional) Authentication Message—Message that is displayed when end users log in to the
portal.
5. Click OK to save your changes.

STEP 6 | Configure the GlobalProtect app behavior for Kerberos authentication failure.
1. Select Network > GlobalProtect > Portals.
2. Select a portal configuration.
3. Select the agent configuration that you want to modify, or Add a new one (Network >
GlobalProtect > Portals > <portal-config> > Agent).

4. In the App Configurations area (Network > GlobalProtect > Portals > <portal-config> > Agent >
<agent-config> > App), select one of the following options for Use Default Authentication on
Kerberos Authentication Failure:
• Yes—Enables authentication to fall back so that when Kerberos authentication fails, GlobalProtect
authenticates users through the default authentication method.
• No—GlobalProtect can use only Kerberos to authenticate users.

5. Click OK to save your changes.


6. Click OK to complete your configuration.

STEP 7 | Commit the configuration.

SAML SSO for GlobalProtect on Chromebooks
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.0 and later releases
OS Support: Chrome OS 45 and later releases
The GlobalProtect app for Chromebooks (Chrome OS) now supports Security Assertion Markup Language
(SAML) single sign-on (SSO). If you configure SAML as the authentication standard for Chromebooks, end
users authenticate to GlobalProtect by leveraging the same login they use to access their Chromebook
applications. This feature enables end users to connect to GlobalProtect automatically without having to re-
enter their credentials on the GlobalProtect app.
In this implementation, Google acts as the SAML service provider while the GlobalProtect app authenticates
users directly to their organization’s SAML identity provider.

GlobalProtect currently supports only the SAML HTTP POST binding.

To use SAML SSO for Chrome applications, end users must install the SAML SSO for Chrome Apps Google
extension on their Chromebooks. This extension allows users to access multiple Chrome applications during
a single login session by sending the user’s SAML SSO cookies to all applications that are whitelisted by an
administrator.
Use the following steps to configure SAML SSO for Chrome applications:

STEP 1 | Set up SAML authentication for GlobalProtect.


• Create a server profile with settings for access to the SAML authentication service.
• Create an authentication profile that refers to the SAML server profile.

STEP 2 | Configure a GlobalProtect gateway.


1. Specify a SAML authentication profile for Chrome gateway users.
• On the Authentication tab of the GlobalProtect gateway configuration, select a SAML
Authentication Profile or create a new SAML profile for the gateway. This profile is used to
authenticate endpoints seeking access to the gateway.
2. (Optional) Select a Certificate Profile for client gateway authentication. The client certificate must be
pre-deployed or deployed using the Simple Certificate Enrollment Protocol (SCEP).

STEP 3 | Define the GlobalProtect client authentication configurations on the GlobalProtect portal.
1. Specify a SAML authentication profile for the portal.
• On the Authentication tab of the GlobalProtect portal configuration, select a SAML
Authentication Profile or create a new SAML profile for the portal. This profile is used to
authenticate endpoints seeking access to the portal.
2. (Optional) Select a Certificate Profile for client portal authentication. A valid client certificate must be
pre-deployed on all Chromebooks if you configure the Certificate Profile.

STEP 4 | Install the SAML SSO for Chrome Apps extension from Google. This extension enables SAML
SSO for Chrome applications.
Launch the Chrome Web Store and install the SAML SSO for Chrome Apps extension.

STEP 5 | Configure SAML SSO for Chrome apps.

• For GlobalProtect to support SAML SSO, you must add the GlobalProtect application ID
(nicidmbokaedpmoegdbcebhnchpegcdc) to the whitelist in the SAML SSO for Chrome Apps
extension configuration file.

GlobalProtect Credential Provider Pre-Logon
Connection Status
Software Support: Starting with GlobalProtect™ App 4.1
OS Support: Windows 7 and 10
The GlobalProtect™ credential provider logon screen on Windows 7 and Windows 10 endpoints now
displays the pre-logon connection status when you configure pre-logon for remote users. The pre-logon
connection status indicates the state of the pre-logon VPN connection prior to user logon, which allows the
end user to determine if they can access internal network resources upon logon. If GlobalProtect cannot
connect prior to user logon, the end user may not be able to access all internal network resources until
GlobalProtect establishes the pre-logon VPN connection. When the user is remote, the GlobalProtect
credential provider password change feature requires you to configure pre-logon settings on the
GlobalProtect portal, gateways, and app as a prerequisite. Pre-logon tunnels are required for remote users
in order for the Windows endpoints to reach and communicate with the Windows Domain Controller.
If the GlobalProtect app detects that an endpoint is internal (connected to the corporate network), the
logon screen displays the GlobalProtect connection status as Internal. If the GlobalProtect app detects
that an endpoint is external (connected to a remote network), the logon screen displays the GlobalProtect
connection status as Connected or Not Connected.

Active Directory Password Change Using the
GlobalProtect Credential Provider
Software Support: Starting with GlobalProtect™ App 4.1
OS Support: Windows 10
End users can now change their active directory (AD) password using the GlobalProtect credential provider
on Windows 10 endpoints. This enhancement improves the single sign-on (SSO) experience by allowing
users to update their AD password and access resources secured by GlobalProtect using the same
credential provider. Users change their AD password through the GlobalProtect credential provider only
when their password expires or an administrator requires a password change at the next login.

The maximum password age indicates the number of days for which a password can be
used before the user is required to change it. You can set a value between 1 and 999 days,
or set a value of 0 to mean that passwords never expire.

Expired Active Directory Password Change for
Remote Users
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases
OS Support: iOS 10 and later releases (notifications only), Android 4.4 and later releases, Chrome OS 45
and later releases, Windows 7 and later releases, and macOS 10.10 and later releases
Remote end users can now change their RADIUS or Active Directory (AD) passwords through the
GlobalProtect app when their password expires or when a RADIUS or AD administrator requires a password
change at the next login. With this feature, users can change their RADIUS or AD password when they are
unable to access the corporate network locally and their only option is to connect remotely using RADIUS
authentication. This feature is enabled only when the user is authenticated with a RADIUS server using
the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol
version 2 (PEAP-MSCHAPv2).

Ensure that you enable Active Directory dial-in network access permissions for your users.

Use the following steps to configure RADIUS authentication with PEAP-MSCHAPv2:

STEP 1 | Set up RADIUS authentication.


• Create a RADIUS server profile. The server profile identifies the external authentication service and
instructs the firewall on how to connect to the authentication service and access user credentials. For
this setup, select PEAP-MSCHAPv2 from the Authentication Protocol drop-down.
• Create an authentication profile. The authentication profile identifies the server profile used for
authentication on the GlobalProtect portal or gateway.

STEP 2 | (Optional) Add a password change message. Password change messages allow you to specify
password policies or requirements for your users (for example, passwords must contain at least
one number and one uppercase letter).
1. Select Network > GlobalProtect > Portals.
2. Select a portal from the list to open the GlobalProtect Portal Configuration dialog.
3. On the Agent tab, select an existing agent from the list or Add a new one.
4. Select the App tab in the Configs dialog.
5. Under App Configurations, enter a Change Password Message (255 characters or less).
6. Click OK to save your GlobalProtect agent changes and return to the GlobalProtect Portal
Configuration dialog.
7. Click OK to complete the configuration.

STEP 3 | Commit the configuration.

Multiple Portal Support
Software Support: Starting with GlobalProtect™ App 4.1
OS Support: Windows 7 and later releases and macOS 10.10 and later releases
End users can now save multiple portals in a list on the GlobalProtect app for Windows and macOS
endpoints. This enhancement enables end users to manage their deployments more efficiently, as they
can switch between different portals without having to re-enter the portal address each time they want to
connect.
When an end user launches the GlobalProtect app, the most recently connected portal is pre-selected from
the portal drop-down on the GlobalProtect status panel (default). To connect to a different portal, the user
can select another portal from the portal drop-down. To add, delete, or modify a portal, the user can select
Manage Portals from the portal drop-down.

The status panel displays the portal drop-down only when a user saves multiple portals on
the GlobalProtect app.

Static IP Address Assignment
Software Support: Starting with GlobalProtect™ App 4.1
OS Support: Windows 7 and later releases
You can now assign static IP addresses to your endpoints by configuring the reserved-ipv4 or reserved-ipv6
entries in the Windows Registry prior to GlobalProtect app installation or the RESERVEDIPV4 or
RESERVEDIPV6 options in the Windows Installer (Msiexec) during GlobalProtect app installation. This
feature ensures that the GlobalProtect tunnel IP addresses that you assign to your endpoints do not change,
which enables you to locate and troubleshoot errors in IP address assignment.

With this feature, the PreferredIP and PreferredIPV6 options are deprecated.

You must deploy Windows Registry settings before installing the GlobalProtect app so that
the app can read the registry settings during installation.

The GlobalProtect app can only create a tunnel between the endpoint and gateway when the gateway
returns the same reserved tunnel IP address that you have assigned to the endpoint. If the gateway does
not return the reserved IP address, the GlobalProtect app displays the following error message:

Could not connect to the gateway with the specified tunnel IP address. Please
contact your IT administrator.

• Use the following steps to configure the reserved-ipv4 or reserved-ipv6 entry in the Windows
Registry:
1. Locate the GlobalProtect app customization settings in the Windows Registry.
1. Open the Windows Registry by entering regedit on the command prompt.
2. Go to the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\
2. Configure the reserved tunnel IP address to deploy to your Windows endpoint.
1. Select Edit > New > String Value.

2. When prompted, set the Name of the new registry entry to reserved-ipv4 or reserved-ipv6.
3. Right-click the registry entry and then select Modify....
4. Enter the IPv4 or IPv6 address in the Value data field.

5. Click OK.

• Use the following steps to configure the RESERVEDIPV4 or RESERVEDIPV6 option in the
Windows Installer (Msiexec):
1. Launch the command prompt.
2. Enter one of the following commands to configure the reserved tunnel IP address for your Windows
endpoint:
• msiexec /i GlobalProtect.msi RESERVEDIPV4="<reserved-ipv4>"
• msiexec /i GlobalProtect.msi RESERVEDIPV6="<reserved-ipv6>"

Customizable Username and Password Labels
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases
OS Support: Google Android 4.4 and later releases, iOS 10.0 and later releases, Windows 7 and later
releases, Windows 10 UWP, macOS 10.10 and later releases, and Linux (CentOS 7, RHEL 7, Ubuntu 14.04
and later releases, and Ubuntu 16)
You can now customize the Username Label and Password Label that are displayed on the GlobalProtect
app for GlobalProtect portal and gateway authentication. For example, you can configure the GlobalProtect
app to display Email Address as the Username Label and Passcode (for two-factor, token-based
authentication) as the Password Label.

Use the following steps to configure a custom Username Label and Password Label for GlobalProtect portal
or gateway authentication:

STEP 1 | Configure a GlobalProtect portal or gateway.


1. Select Network > GlobalProtect > Portals or Gateways.
2. Select an existing portal or gateway configuration or Add a new one.

STEP 2 | Customize the Username Label and Password Label for portal or gateway authentication.
1. On the Authentication tab, select an existing Client Authentication configuration or Add a new one.
2. In the GlobalProtect App Login Screen area, enter a custom Username Label.
3. Enter a custom Password Label.

STEP 3 | Save your portal or gateway configuration.
1. Click OK twice.
2. Commit your changes.

Gateway-Level IP Pools
Software Support: PAN-OS® 8.1 and later releases
GlobalProtect gateways now support gateway-level IP pools that enable you to assign IPv4 or IPv6
addresses to all endpoints that connect to the gateway. This enhancement simplifies gateway configuration
by allowing you to define a global IP pool for the entire gateway instead of requiring separate IP pools
for each client setting within the gateway configuration. GlobalProtect previously supported IP pool
configuration at only the client-level.

You must configure IP pools at only the gateway-level (Network > GlobalProtect >
Gateways > <gateway-config> > Agent > Client IP Pool) or only the client-level (Network >
GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-setting-
config> > IP Pools).

Use the following steps to configure a gateway-level IP pool for a GlobalProtect gateway:

STEP 1 | Configure a GlobalProtect Gateway.


1. Select Network > GlobalProtect > Gateways.
2. Select an existing gateway configuration or Add a new one.

STEP 2 | Enable tunneling.


1. On the Agent > Tunnel Settings tab, enable Tunnel Mode.
2. When the tunnel settings become editable, configure the tunnel parameters for the gateway.

STEP 3 | Configure the global IP pool used to assign IPv4 or IPv6 addresses to the virtual network
adapters on all endpoints that connect to the gateway.
Select Agent > Client IP Pool and then Add the IP address subnet/range or address object that you
want to use to assign IPv4 or IPv6 addresses to all endpoints that connect to the gateway. To ensure
proper routing back to the gateway, you must use a different range of IP addresses from those assigned
to existing IP pools on the gateway (if applicable) and to the endpoints that are physically connected to
your LAN. We recommend that you use a private IP addressing scheme.

STEP 4 | Save the gateway configuration.
1. Click OK to save your settings.
2. Commit the changes.

Primary Username Visibility on GlobalProtect
Gateways
Software Support: PAN-OS® 8.1 and later releases
The GlobalProtect gateway now displays the primary username of all current gateway users and previous
gateway users in the gateway User Information. The primary username indicates the Primary Username
attribute used for identification and policy enforcement on the GlobalProtect gateway. This enhancement
provides improved user visibility and reporting for end users who are currently connected to the gateway or
have previously connected to the gateway.
The GlobalProtect gateway retrieves the primary username during user login. If you change the Primary
Username attribute in the group mapping configuration, the primary username is not updated on the
gateway.
Use the following steps to view the primary username of all current gateway users or previous gateway
users:

STEP 1 | Open the user information for a GlobalProtect gateway.


1. Select Network > GlobalProtect > Gateways.
2. From the gateway configuration list, select Remote Users for the gateway on which you want to view
user information.

STEP 2 | In the User Information dialog, select one of the following tabs to view the Primary Username
of all current gateway users or previous gateway users.
• Select Current User to view the Primary Username of all end users who are currently connected to
the gateway.
• Select Previous User to view the Primary Username of all end users who have previously connected
to the gateway.

STEP 3 | Close the User Information dialog.

OPSWAT SDK V4 Support
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases.
OS Support: Windows 7 and later releases and macOS 10.12 and later releases.
GlobalProtect is now integrated with OPSWAT SDK V4 to detect and assess the endpoint state and the
third-party security applications running on the endpoint. OPSWAT is a security tool leveraged by the Host
Information Profile (HIP) to collect information about the security status of the endpoints in the network,
which is used for policy enforcement on the GlobalProtect gateway. This integration follows the end-of-
life (EoL) announcement for OPSWAT SDK V3, which is the OPSWAT SDK version that GlobalProtect
previously supported.
With this migration from OPSWAT SDK V3 to OPSWAT SDK V4, GlobalProtect introduces the following
changes to the HIP Match log and HIP Object:
• The Antivirus and Anti-Spyware categories merged to form the new Anti-Malware category.
• Vendor and product names are based on OPSWAT SDK V4.

OPSWAT SDK is unable to detect the following Anti-Malware information for the Gatekeeper
security feature on macOS endpoints:
• Engine Version
• Definition Version
• Date
• Last Scanned

GlobalProtect App for Android Enhancements
Software Support: Starting with GlobalProtect™ App 4.1.5
OS Support: Android 4.4 and later releases
GlobalProtect app 4.1.5 for Android endpoints introduces the following enhancements:
• Upgrade to API Level 26
• Managed Configuration Enhancements
• Always On VPN Notification

Upgrade to API Level 26


The GlobalProtect app for Android endpoints has been upgraded from API level 24 to API level 26.

Managed Configuration Enhancements


If you use managed configurations to define GlobalProtect app settings remotely, you can now configure
the following settings for the GlobalProtect app for Android endpoints:

Definition: Client Certificate Alias

<restriction
    android:title="Client Certificate Alias"
    android:key="client_cert_alias"
    android:description="Descriptive name that can help users identify and select client certificates during certificate-based portal or gateway authentication."
    android:restrictionType="string"
    android:defaultValue=""/>

Description: The Client Certificate Alias is a descriptive name that can help users identify and
select client certificates during certificate-based GlobalProtect portal or gateway authentication.

Definition: Allow Network Bypass

<restriction
    android:title="Allow Network Bypass"
    android:key="allow_nework_bypass"
    android:description="Flag to allow application traffic to bypass the VPN tunnel."
    android:restrictionType="bool"
    android:defaultValue="false"/>

Description: In GlobalProtect app 4.1.4 and earlier releases for Android endpoints, all traffic is required
to traverse the VPN tunnel for inspection and policy enforcement. With the Allow Network Bypass setting,
Android applications can now select which network adapter (virtual or physical) to use for their network
traffic, as determined by the application manager. If an application selects the virtual network adapter,
all traffic for that application goes through the VPN tunnel for inspection and policy enforcement. If an
application selects the physical network adapter, all traffic for that application bypasses the VPN tunnel
and proceeds directly to the physical adapter on the endpoint. By granting applications the option to
bypass the VPN tunnel, you can help decrease bandwidth consumption on the GlobalProtect gateway.

Always On VPN Notification


If you enable Always-on VPN from a device policy controller (DPC) or end users enable Always-on
VPN from their Android VPN settings (Settings > More > Network and Internet > VPN), the following
notification is now displayed persistently in the Android notification tray until Always-on VPN is disabled:

If GlobalProtect is connected when you or a user enables Always-on VPN, this notification is
displayed only after the user reboots the endpoint or restarts the GlobalProtect app.

If GlobalProtect is disconnected when you or a user disables Always-on VPN, this
notification is dismissed only after the user reboots the endpoint or restarts the GlobalProtect
app.

Tunnel Connections Over Proxies
Software Support: Starting with GlobalProtect™ App 4.1.7 and with PAN-OS® 8.1 and later releases
OS Support: Windows 7 and later releases and macOS 10.10 and later releases
You can now configure GlobalProtect to bypass proxies so that all HTTP/HTTPS traffic that matches the
proxy/PAC file rules is required to traverse the GlobalProtect VPN tunnel before reaching the intended
destination. When you configure the option to bypass proxies, you can prevent users from setting up a
personal proxy to access web resources without going through the VPN tunnel for inspection and policy
enforcement.
If you enable GlobalProtect to use proxies on Windows endpoints, only the HTTP/HTTPS traffic that
matches the proxy/PAC file rules goes through the proxy directly after users establish the GlobalProtect
connection. All other traffic that matches the access routes configured on the GlobalProtect gateway
goes through the tunnel established over the proxy. On macOS endpoints, proxies are disabled after users
establish the GlobalProtect connection. This occurs because proxy settings are not copied from the physical
network adapter of the endpoint to the virtual network adapter of the endpoint, and the virtual network
adapter becomes the primary adapter from which the macOS endpoint receives proxy settings.
The following tables describe network traffic behavior based on the endpoint OS, tunnel type, and
GlobalProtect proxy use.

Table 3: Network Traffic Behavior on Windows Endpoints

Tunnel Type: SSL

  GlobalProtect Uses Proxies
    1—All login requests go through the proxy.
    2—SSL tunnel setup goes through the proxy.
    3—HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the proxy and bypasses
      the SSL tunnel.
    4—Other traffic that matches the access routes configured on the gateway goes through the SSL
      tunnel built over the proxy.

  GlobalProtect Bypasses Proxies
    1—All login requests bypass the proxy and go directly to the gateway.
    2—SSL tunnel setup bypasses the proxy and goes directly to the gateway.
    3—HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the SSL tunnel and then
      through the proxy. If the proxy is unreachable from the gateway, HTTP/HTTPS traffic is dropped,
      and users cannot access the intended destination.
    4—Other traffic that matches the access routes configured on the gateway bypasses the proxy and
      goes through the SSL tunnel.

Tunnel Type: IPSec
  (You cannot set up an IPSec tunnel through a proxy because proxies do not support UDP traffic.)

  GlobalProtect Uses Proxies
    1—All login requests go through the proxy.
    2—IPSec tunnel setup bypasses the proxy and goes directly to the gateway.
    3—HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the proxy and bypasses
      the IPSec tunnel.
    4—Other traffic that matches the access routes configured on the gateway bypasses the proxy and
      goes through the IPSec tunnel.

  GlobalProtect Bypasses Proxies
    1—All login requests bypass the proxy and go directly to the gateway.
    2—IPSec tunnel setup bypasses the proxy and goes directly to the gateway.
    3—HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the IPSec tunnel and then
      through the proxy. If the proxy is unreachable from the gateway, HTTP/HTTPS traffic is dropped,
      and users cannot access the intended destination.
    4—Other traffic that matches the access routes configured on the gateway bypasses the proxy and
      goes through the IPSec tunnel.

Table 4: Network Traffic Behavior on Mac Endpoints

Tunnel Type: SSL

  GlobalProtect Uses Proxies
    1—All login requests go through the proxy.
    2—SSL tunnel setup goes through the proxy.
    3—HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the SSL tunnel built over
      the proxy.
    4—Other traffic that matches the access routes configured on the gateway goes through the SSL
      tunnel built over the proxy.

  GlobalProtect Bypasses Proxies
    1—All login requests go through the proxy.
    2—SSL tunnel setup bypasses the proxy and goes directly to the gateway.
    3—HTTP/HTTPS traffic that matches the proxy/PAC file rules bypasses the proxy and goes through
      the SSL tunnel.
    4—Other traffic that matches the access routes configured on the gateway bypasses the proxy and
      goes through the SSL tunnel.

Tunnel Type: IPSec
  (You cannot set up an IPSec tunnel through a proxy because proxies do not support UDP traffic.)

  GlobalProtect Uses Proxies or Bypasses Proxies (same behavior in both cases)
    1—All login requests go through the proxy.
    2—IPSec tunnel setup bypasses the proxy and goes directly to the gateway.
    3—HTTP/HTTPS traffic that matches the proxy/PAC file rules bypasses the proxy and goes through
      the IPSec tunnel.
    4—Other traffic that matches the access routes configured on the gateway bypasses the proxy and
      goes through the IPSec tunnel.
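The security point of the tables above is the difference in row 3: with "Set Up Tunnel Over Proxy" set to Yes, web traffic that a proxy/PAC rule claims never enters the tunnel, whereas with the option set to No it is tunneled first and only then handed to the proxy (and is dropped if the gateway cannot reach that proxy). The following Python model of the Windows/SSL case (Table 3) is an added example, not GlobalProtect code: the access routes, PAC-style rules, hostnames and addresses are constructed, PAC matching is reduced to domain-suffix rules, and the "direct" result for traffic outside both rule sets is an assumption the tables do not state.

```python
"""Traffic-path model for a Windows endpoint with an SSL tunnel (Table 3 of this guide).
Added example, not GlobalProtect code: access routes, PAC-style rules, hostnames and
addresses are constructed, and PAC matching is reduced to domain-suffix rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Flow:
    dst_host: str
    dst_ip: str
    http: bool  # True for HTTP/HTTPS, the only traffic a proxy/PAC rule can claim


@dataclass
class Endpoint:
    access_routes: List[str]        # CIDRs configured as access routes on the gateway
    pac_rules: List[str]            # stand-in for PAC rules: domains sent to the proxy
    bypass_proxies: bool            # True = "Set Up Tunnel Over Proxy" set to No
    proxy_reachable_from_gateway: bool = True


def matches_pac(host: str, rules: List[str]) -> bool:
    """Simplified PAC match: the host itself or any subdomain of a listed domain."""
    host = host.lower()
    return any(host == r or host.endswith("." + r) for r in rules)


def matches_access_route(ip: str, routes: List[str]) -> bool:
    """True when the destination falls inside any access route pushed by the gateway."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in routes)


def control_path(ep: Endpoint) -> Tuple[str, str]:
    """(login requests, SSL tunnel setup) per Table 3, rows 1 and 2."""
    if ep.bypass_proxies:
        return ("direct to gateway", "direct to gateway")
    return ("through proxy", "through proxy")


def data_path(flow: Flow, ep: Endpoint) -> str:
    """Path a flow takes once the tunnel is up, per Table 3, rows 3 and 4."""
    if flow.http and matches_pac(flow.dst_host, ep.pac_rules):
        if not ep.bypass_proxies:
            # Row 3, "uses proxies": proxied web traffic never enters the tunnel, so a
            # proxy rule configured locally also keeps that traffic away from inspection.
            return "proxy, bypassing the SSL tunnel"
        if not ep.proxy_reachable_from_gateway:
            # Row 3 callout, "bypasses proxies": the gateway itself must reach the proxy.
            return "dropped"
        return "SSL tunnel, then proxy"
    if matches_access_route(flow.dst_ip, ep.access_routes):
        # Row 4: non-proxied traffic inside the access routes is always tunneled.
        if ep.bypass_proxies:
            return "SSL tunnel, proxy bypassed"
        return "SSL tunnel built over the proxy"
    # Not covered by Table 3; assumed to leave the endpoint without the tunnel.
    return "direct"


def compare_settings(flow: Flow, routes: List[str], rules: List[str]) -> Tuple[str, str]:
    """Same flow under "Set Up Tunnel Over Proxy" = Yes and = No."""
    use = Endpoint(routes, rules, bypass_proxies=False)
    bypass = Endpoint(routes, rules, bypass_proxies=True)
    return (data_path(flow, use), data_path(flow, bypass))


if __name__ == "__main__":
    # Constructed: a proxy rule on the endpoint that claims every example.com host.
    web = Flow("www.example.com", "203.0.113.10", http=True)
    print(compare_settings(web, ["10.0.0.0/8"], ["example.com"]))
```

Running the script prints the two row-3 outcomes side by side for the same web flow; the "dropped" branch is the reason to verify, before setting the option to No, that the proxy named in the PAC rules is reachable from the gateway and not only from the endpoint.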

Use the following steps to configure GlobalProtect to use proxies or bypass proxies:

STEP 1 | Configure a GlobalProtect Gateway.

STEP 2 | Enable tunneling.
  1. From your gateway configuration (Network > GlobalProtect > Gateways > <gateway-config>), select
     Agent > Tunnel Settings to enable Tunnel Mode.
  2. Configure the tunnel parameters for the GlobalProtect app.
     • To specify whether GlobalProtect must use an IPSec tunnel or SSL tunnel for the gateway
       connection, configure one of the following options:
       • To enable GlobalProtect to use IPSec tunnels for the gateway connection, select the check box
         to Enable IPSec. If a user fails to establish a connection using an IPSec tunnel, GlobalProtect
         then uses an SSL tunnel.
       • To enable GlobalProtect to use SSL tunnels for the gateway connection, clear the Enable IPSec
         check box.

STEP 3 | Set Up Access to the GlobalProtect Portal.

STEP 4 | Define the GlobalProtect Agent Configurations.
  • To specify whether you want to deploy your agent configuration to Windows or Mac endpoints,
    select User/User Group and then configure one of the following OS options:
    • To deploy your agent configuration to Windows endpoints, Add and select Windows.
    • To deploy your agent configuration to Mac endpoints, Add and select Mac.

STEP 5 | Customize the GlobalProtect App.
  • Configure one of the following options to require GlobalProtect to use proxies or bypass proxies:
    • To require GlobalProtect to use proxies, set the Set Up Tunnel Over Proxy (Windows & Mac only)
      option to Yes.
    • To require GlobalProtect to bypass proxies, set the Set Up Tunnel Over Proxy (Windows & Mac
      only) option to No.

STEP 6 | Commit your changes.

Captive Portal Notification Delay
If your users must log in to a captive portal to access the internet, and you enable the GlobalProtect app
to display a notification message when it detects a captive portal, you can now configure a captive portal
notification delay to indicate the amount of time (in seconds) after which the GlobalProtect app displays this
notification message.

This feature requires Content Release version 8118-5277 or later.

Use the following steps to configure a captive portal detection message with a captive portal notification
delay:

STEP 1 | Set up access to the GlobalProtect portal.

STEP 2 | Define the GlobalProtect agent configuration.

STEP 3 | Customize the GlobalProtect app.
  • In the Captive Portal Exception Timeout (sec) field, enter the amount of time (in seconds) within
    which users can log in to a captive portal (range is 0 to 3600 seconds; default is 0 seconds). If users
    do not log in within this time period, the captive portal login page times out and users will be blocked
    from using the network.
  • To enable the GlobalProtect app to display a notification message when it detects a captive portal,
    set the Display Captive Portal Detection Message to Yes.
  • (Optional) Customize the Captive Portal Detection Message that displays when GlobalProtect
    detects a captive portal.
  • In the Captive Portal Notification Delay (sec) field, enter the amount of time (in seconds) after
    which the GlobalProtect app displays the captive portal detection message (range is 1 to 120
    seconds; default is 5 seconds). GlobalProtect initiates this timer after the captive portal has been
    detected but before the internet becomes reachable.

STEP 4 | Commit the changes.
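The delay matters because the timer starts at detection and runs while the internet is still unreachable: a user who completes the captive portal login within the delay is never interrupted by the message. The following Python model is an added example, not GlobalProtect code. It assumes that the message is shown at detection time plus the delay only if the internet is still unreachable at that moment, and that a login completed earlier suppresses it; the event timestamps are constructed, and the range and default come from the field description above.

```python
"""Model of the Captive Portal Notification Delay timer. Added example, not GlobalProtect
code. Assumption: the detection message appears at detection + delay only if the internet
is still unreachable at that moment; a captive portal login completed earlier suppresses it.
Event timestamps are constructed."""
from typing import List, Optional, Tuple

DELAY_MIN, DELAY_MAX, DELAY_DEFAULT = 1, 120, 5  # range and default as stated in this guide

PORTAL_DETECTED = "portal_detected"
INTERNET_REACHABLE = "internet_reachable"


def validate_delay(delay_sec: Optional[int]) -> int:
    """Enforce the configurable range; None selects the default value."""
    if delay_sec is None:
        return DELAY_DEFAULT
    if not DELAY_MIN <= delay_sec <= DELAY_MAX:
        raise ValueError(f"delay must be {DELAY_MIN}-{DELAY_MAX} seconds, got {delay_sec}")
    return delay_sec


def notification_time(events: List[Tuple[float, str]],
                      delay_sec: Optional[int] = None) -> Optional[float]:
    """Return the second at which the detection message is displayed, or None if it
    is never shown. events are (seconds, kind) pairs; their order does not matter."""
    delay = validate_delay(delay_sec)
    armed_at: Optional[float] = None          # time at which the timer started
    for t, kind in sorted(events):
        if kind == PORTAL_DETECTED:
            if armed_at is None:
                armed_at = t                  # timer starts when the portal is detected
        elif kind == INTERNET_REACHABLE:
            if armed_at is None:
                continue                      # nothing pending
            if t < armed_at + delay:
                armed_at = None               # login finished first: message suppressed
            else:
                return armed_at + delay       # message was already on screen
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return None if armed_at is None else armed_at + delay


if __name__ == "__main__":
    # Constructed: portal seen at t=0, user finishes the captive portal login at t=3.
    print(notification_time([(0, PORTAL_DETECTED), (3, INTERNET_REACHABLE)]))     # None
    print(notification_time([(0, PORTAL_DETECTED), (3, INTERNET_REACHABLE)], 2))  # 2
```

With the default of 5 seconds the first call returns None (the login at t=3 beat the timer), while a 2-second delay shows the message at t=2 before the login completes; that is the trade-off to weigh when choosing a value between 1 and 120 seconds.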
