Global Protect VPN

Palo Alto Networks
GlobalProtect™ Administrator’s Guide

Version 6.2
Contact Information
Corporate Headquarters:
Palo Alto Networks

4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us
About this Guide
This guide takes you through the configuration and maintenance of your GlobalProtect infrastructure. For additional
information, refer to the following resources:
 For information on the additional capabilities and for instructions on configuring the features on the firewall, refer
to https://www.paloaltonetworks.com/documentation.
 For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.
 For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://support.paloaltonetworks.com.
 For the latest release notes, go to the software downloads page at

https://support.paloaltonetworks.com/Updates/SoftwareUpdates.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.

www.paloaltonetworks.com
© 2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at
http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective
companies.
Revision Date: January 27, 2016
2 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Table of Contents
GlobalProtect Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
About the GlobalProtect Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
GlobalProtect Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
GlobalProtect Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
GlobalProtect Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
GlobalProtect Mobile Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
What Client OS Versions are Supported with GlobalProtect?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
About GlobalProtect Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Set Up the GlobalProtect Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Create Interfaces and Zones for GlobalProtect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Enable SSL Between GlobalProtect Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
About GlobalProtect Certificate Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
GlobalProtect Certificate Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Deploy Server Certificates to the GlobalProtect Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Set Up GlobalProtect User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
About GlobalProtect User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Set Up External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Set Up Client Certificate Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Set Up Two-Factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Set Up Authentication for strongSwan Ubuntu and CentOS Clients . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Enable Group Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Configure GlobalProtect Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Prerequisite Tasks for Configuring the GlobalProtect Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configure a GlobalProtect Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configure the GlobalProtect Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Prerequisite Tasks for Configuring the GlobalProtect Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Set Up Access to the GlobalProtect Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Define the GlobalProtect Client Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Customize the GlobalProtect Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Customize the GlobalProtect Portal Login, Welcome, and Help Pages . . . . . . . . . . . . . . . . . . . . . . . . 63
Deploy the GlobalProtect Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Deploy the GlobalProtect Agent Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Download and Install the GlobalProtect Mobile App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Deploy Agent Settings Transparently . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Customizable Agent Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Deploy Agent Settings to Windows Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Deploy Agent Settings to Mac Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Use the GlobalProtect iOS App with a Third-Party MDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Example GlobalProtect iOS App Device-Level VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Example GlobalProtect iOS App App-Level VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Reference: GlobalProtect Agent Cryptographic Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 3

Table of Contents
Set Up the GlobalProtect Mobile Security Manager . . . . . . . . . . . . . . . . . . . 85

Mobile Security Manager Deployment Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Set Up Management Access to the Mobile Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Register, License, and Update the Mobile Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Register the GP-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Activate/Retrieve the Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Install Content and Software Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Set Up the Mobile Security Manager for Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configure the Mobile Security Manager for Device Check-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configure the Mobile Security Manager for Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Enable Gateway Access to the Mobile Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Define Deployment Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
About Mobile Security Manager Policy Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Mobile Security Manager Policy Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Integrate the Mobile Security Manager with your LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Define HIP Objects and HIP Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Create Configuration Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Create Deployment Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Verify the Mobile Security Manager Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Set Up Administrative Access to the Mobile Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Set Up Administrative Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Create an Administrative Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Manage Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Group Devices by Tag for Simplified Device Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Manually Tag Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Pre-Tag Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Monitor Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Administer Remote Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Interact With Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Take Action on a Lost or Stolen Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Remove Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Create Security Policies for Mobile Device Traffic Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Manage Business Apps and Data with an Enterprise App Store . . . . . . . . 163
Enterprise App Store Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Enterprise App Store Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Managed Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Required and Optional Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Apple Volume Purchase Program (VPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Add Managed Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Add an Enterprise App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Add Google Play or Apple Apps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Add VPP Apps as Managed Apps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Set Up the App Store. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Table of Contents
Manage and Monitor Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Isolate Business Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Isolate Business Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Enable Single App Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Use Host Information in Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . .187

About Host Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
What Data Does the GlobalProtect Agent Collect? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
How Does the Gateway Use the Host Information to Enforce Policy? . . . . . . . . . . . . . . . . . . . . . . . 190
How Do Users Know if Their Systems are Compliant? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
How Do I Get Visibility into the State of the End Clients? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Configure HIP-Based Policy Enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Collect Application and Process Data From Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
GlobalProtect Quick Configs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205

Remote Access VPN (Authentication Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Remote Access VPN (Certificate Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Remote Access VPN with Two-Factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Always On VPN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Remote Access VPN with Pre-Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
GlobalProtect Multiple Gateway Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
GlobalProtect for Internal HIP Checking and User-Based Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Mixed Internal and External Gateway Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Table of Contents

GlobalProtect Overview
Whether checking email from home or updating corporate documents from the airport, the majority of today's
employees work outside the physical corporate boundaries. This increased workforce mobility brings increased
productivity and flexibility while simultaneously introducing significant security risks. Every time users leave the
building with their laptops or mobile devices they are bypassing the corporate firewall and associated policies
that are designed to protect both the user and the network. GlobalProtect solves the security challenges
introduced by roaming users by extending the same next-generation firewall-based policies that are enforced
within the physical perimeter to all users, no matter where they are located.
The following sections provide conceptual information about the Palo Alto Networks GlobalProtect offering
and describe the components of GlobalProtect and the various deployment scenarios:
 About the GlobalProtect Components
 What Client OS Versions are Supported with GlobalProtect?
 About GlobalProtect Licenses

About the GlobalProtect Components GlobalProtect Overview
About the GlobalProtect Components

GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access
for all your users, regardless of what devices they are using or where they are located. This infrastructure
includes the following components:
 GlobalProtect Portal
 GlobalProtect Gateways
 GlobalProtect Client
 GlobalProtect Mobile Security Manager
GlobalProtect Portal
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every
client system that participates in the GlobalProtect network receives configuration information from the portal,
including information about available gateways as well as any client certificates that may be required to connect
to the GlobalProtect gateway(s) and/or the Mobile Security Manager. In addition, the portal controls the
behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops. (On mobile
devices, the GlobalProtect app is distributed through the Apple App Store for iOS devices or through Google
Play for Android devices.) If you are using the Host Information Profile (HIP) feature, the portal also defines
what information to collect from the host, including any custom information you require. You Configure the
GlobalProtect Portal on an interface on any Palo Alto Networks next-generation firewall.
GlobalProtect Gateways
GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents/apps. Additionally,
if the HIP feature is enabled, the gateway generates a HIP report from the raw host data the clients submit and
can use this information in policy enforcement.
 External gateways—Provide security enforcement and/or virtual private network (VPN) access for your
remote users.
 Internal gateways—An interface on the internal network configured as a GlobalProtect gateway for
applying security policy for access to internal resources. When used in conjunction with User-ID™ and/or
HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and
controlling traffic by user and/or device state. Internal gateways are useful in sensitive environments where
authenticated access to critical resources is required. You can configure an internal gateway in either tunnel
mode or non-tunnel mode.
You Configure GlobalProtect Gateways on an interface on any Palo Alto Networks next-generation firewall.
You can run both a gateway and a portal on the same firewall, or you can have multiple, distributed gateways
throughout your enterprise.

GlobalProtect Overview About the GlobalProtect Components
GlobalProtect Client
The GlobalProtect client software runs on end user systems and enables access to your network resources via
the GlobalProtect portals and gateways you have deployed. There are two types of GlobalProtect clients:
 The GlobalProtect Agent—Runs on Windows and Mac OS systems and is deployed from the
GlobalProtect portal. You configure the behavior of the agent—for example, which tabs the users can see,
whether or not users can uninstall the agent—in the client configuration(s) you define on the portal. See
Define the GlobalProtect Client Configurations, Customize the GlobalProtect Agent, and Deploy the
GlobalProtect Agent Software for details.
 The GlobalProtect App—Runs on iOS and Android devices. Users must obtain the GlobalProtect app
from the Apple App Store (for iOS) or Google Play (for Android).
See What Client OS Versions are Supported with GlobalProtect? for more details.
The following diagram illustrates how the GlobalProtect portals, gateways, and agents/apps work together to
enable secure access for all your users, regardless of what devices they are using or where they are located.

About the GlobalProtect Components GlobalProtect Overview
GlobalProtect Mobile Security Manager
The GlobalProtect Mobile Security Manager provides management, visibility, and automated configuration
deployment for mobile devices—either company provisioned or employee owned—on your network. Because
the Mobile Security Manager is part of the integrated GlobalProtect mobile solution, the GlobalProtect gateway
can leverage information about managed devices and use the extended host information collected by the Mobile
Security Manager to provide enhanced security policy enforcement for managed devices. Gateways retrieve the
extended HIP profiles from the Mobile Security Manager and use the information to enforce security policies
for devices that connect to your network. The GlobalProtect Mobile Security Manager extends security for
mobile devices to users to safely access and use apps for business on their devices. Business data is contained
to business apps and accounts on mobile devices, while the native user experience is maintained and the user’s
personal data is separate and private.
 The deployment policies you create on the Mobile Security Manager provide simplified account provisioning
to mobile device users for access to your corporate applications (such as email and VPN configurations).
You can also perform certain actions such as locking the device, sounding an alarm to help locate the device,
or even wiping a device that has been compromised.
 To communicate with a device, the Mobile Security Manager sends a push notification over the air (OTA).
For iOS devices, it sends push notifications over the Apple Push Notification service (APNs) and for
Android devices it sends them using the Google Cloud Messaging (GCM). When a device receives a push
notification, it checks in by establishing an HTTPS connection to the device check-in interface on the Mobile
Security Manager.
 Approve apps for your users to use for business on their mobile devices. Apps that you approve and add to
the Mobile Security Manager as managed apps can be pushed to your users through policy deployment.
Users can browse and then install apps assigned to them from the enterprise app store in the GlobalProtect
app.
 Enable security settings for managed apps with the Mobile Security Manager so that business data is
contained to only managed apps and accounts on a mobile device, and so that managed apps’ traffic is routed
through the corporate VPN (while personal traffic on the mobile device is not).
 When a device checks in with the Mobile Security Manager, it submits host information that includes
additional information beyond what the GlobalProtect gateway collects, including a list of installed apps that
are managed, a list of installed apps that are not managed (this can be disabled), the location of the device at
the time of check-in (this can be disabled), whether the device has a passcode set, and/or whether it is
rooted/jailbroken. In addition, if the Mobile Security Manager has a WildFire™ subscription, it can detect
whether a device has Malware (Android devices only).
 By leveraging the extended HIP data that the Mobile Security Manager collects, you can create a very
granular security policy for mobile device users on your GlobalProtect gateways.

GlobalProtect Overview About the GlobalProtect Components
See Set Up the GlobalProtect Mobile Security Manager for more information.

What Client OS Versions are Supported with GlobalProtect? GlobalProtect Overview
What Client OS Versions are Supported with

GlobalProtect?
The following table summarizes the supported GlobalProtect desktop, laptop, and mobile device operating
systems and the minimum PAN-OS® and GlobalProtect agent/app versions required to support each one.
Supported Client OS Versions Minimum Agent/App Minimum PAN-OS Version

Version
Apple Mac OS 10.6 1.1 4.1.0 or later

Apple Mac OS 10.7 1.1
Apple Mac OS 10.8 1.1.6
Apple Mac OS 10.11 2.3.2
Windows XP (32-bit) 1.0 4.0 or later

Windows Vista (32-bit and 64-bit) 1.0
Windows 7 (32-bit and 64-bit) 1.0
Windows 8 (32-bit and 64-bit) 1.2
Windows 8.1 (32-bit and 64-bit) 1.2
Windows Surface Pro 1.2
Apple iOS 6.0 1.3 app 4.1.0 or later

Apple iOS 7.0 1.3 app
Apple iOS 8.0 2.1 app
Apple iOS 9.0 2.3.2 app
Google Android 4.0.3 or later* 1.3 app 4.1.6 or later
Third-party X-Auth IPsec Clients: N/A 5.0 or later

• iOS built-in IPsec client
• Android built-in IPsec client
• VPNC on Ubuntu Linux 10.04 and later versions
and CentOS 6 and later versions N/A 6.1
• strongSwan on Ubuntu Linux and CentOS*
*For details on enabling strongSwan Ubuntu and CentOS clients to access GlobalProtect VPN, refer to Set Up
Authentication for strongSwan Ubuntu and CentOS Clients.
Users must obtain the GlobalProtect app from the Apple App Store (for iOS) or Google Play (for Android).
For information on how to distribute the GlobalProtect agent, see Deploy the GlobalProtect Agent Software.

GlobalProtect Overview About GlobalProtect Licenses
About GlobalProtect Licenses

If you simply want to use GlobalProtect to provide a secure, remote access or virtual private network (VPN)
solution via a single, external gateway, you do not need any GlobalProtect licenses. However, to use some of the
more advanced features, such as multiple gateways, mobile apps, mobile security management, host information
checks, or internal gateways, you may need to purchase one or more of the following licenses:
 Portal license—A one-time perpetual license that must be installed on the firewall running the portal to
enable internal gateway support, multiple gateways (internal or external), and/or HIP checks.
 Gateway subscription—An annual subscription that enables HIP checks and associated content updates.
This license must be installed on each firewall running a gateway(s) that performs HIP checks. In addition,
the gateway license enables support for the GlobalProtect mobile app for iOS and Android.
 GlobalProtect Mobile Security Manager Capacity License on the GP-100 appliance—A one-time
perpetual license for the Mobile Security Manager based on the number of mobile devices to be managed.
This license is only required if you plan to manage more than 500 mobile devices. Perpetual licenses are
available for up to 1,000, 2,000, 5,000, 10,000, 25,000, 50,000, or 100,000 mobile devices.
 GlobalProtect Mobile Security Manager WildFire subscription on the GP-100 appliance—Used with
GlobalProtect Mobile Security Manager for detecting APK malware on managed Android devices. To enable
malware detection for use with the GlobalProtect Mobile Security Manager, you must purchase a WildFire
subscription that matches the capacity of your GlobalProtect Mobile Security Manager license.
See Activate Licenses for information on installing licenses on the firewall. See Activate/Retrieve the Licenses
for information on installing licenses on the Mobile Security Manager.

About GlobalProtect Licenses GlobalProtect Overview

Set Up the GlobalProtect Infrastructure
In order for GlobalProtect to work, you must set up the basic infrastructure that allows all of the components
to communicate. At a basic level, this means setting up the interfaces and zones that the GlobalProtect end users
will connect to in order to access the portal and gateways. Because the GlobalProtect components communicate
over secure channels, you must acquire and deploy all of the required SSL certificates on the various
components. The following sections walk you through the basic steps to set up the GlobalProtect infrastructure:
 Create Interfaces and Zones for GlobalProtect
 Enable SSL Between GlobalProtect Components
 Set Up GlobalProtect User Authentication
 Enable Group Mapping
 Configure GlobalProtect Gateways
 Configure the GlobalProtect Portal
 Deploy the GlobalProtect Client Software
 Deploy Agent Settings Transparently
 Use the GlobalProtect iOS App with a Third-Party MDM
 Reference: GlobalProtect Agent Cryptographic Functions

Create Interfaces and Zones for GlobalProtect Set Up the GlobalProtect Infrastructure
Create Interfaces and Zones for GlobalProtect

You must configure the following interfaces and zones for your GlobalProtect infrastructure:
 GlobalProtect portal—Requires a Layer 3 or loopback interface for GlobalProtect clients to connect to. If
the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone
that is accessible from outside your network, for example: untrust.
 GlobalProtect gateways—The interface and zone requirements for the gateway depend on whether you
are configuring an external gateway or an internal gateway as follows:
– External gateways—Requires a Layer 3 or loopback interface and a logical tunnel interface for the
client to connect to in order to establish a VPN tunnel. The Layer 3/loopback interface must be in an
external zone, such as untrust. The tunnel interface can either be in the same zone as the interface
connecting to your internal resources, for example trust, or, for added security and better visibility, you
can create a separate zone, such as corp-vpn. If you create a separate zone for your tunnel interface,
you will need to create security policies to enable traffic to flow between the VPN zone and the trust
zone.
– Internal gateways—Requires a Layer 3 or loopback interface in your trust zone. You can also create
a tunnel interface for access to your internal gateways, but this is not required.
For tips on how to use a loopback interface to provide access to GlobalProtect on different ports
and addresses, refer to Can GlobalProtect Portal Page be Configured to be Accessed on any
Port?
For more information about portals and gateways, see About the GlobalProtect Components.
Set Up Interfaces and Zones for GlobalProtect
Step 1 Configure a Layer 3 interface for each 1. Select Network > Interfaces > Ethernet or Network >
portal and/or gateway you plan to deploy. Interfaces > Loopback and then select the interface you want to
configure for GlobalProtect. In this example, we are configuring
If the gateway and portal are on the
ethernet1/1 as the portal interface.
same firewall, you can use a single
interface for both. 2. (Ethernet only) Select Layer3 from the Interface Type
drop-down.
As a best practice use static IP
3. On the Config tab, select the zone to which the portal or
addresses for the portal and
gateway interface belongs as follows:
gateway.
• Place portals and external gateways in an untrust zone for
access by hosts outside your network, such as l3-untrust.
• Place internal gateways in an internal zone, such as l3-trust.
• If you have not yet created the zone, select New Zone from
the Security Zone drop-down. In the Zone dialog, define a
Name for the new zone and then click OK.
4. In the Virtual Router drop-down, select default.
5. To assign an IP address to the interface, select the IPv4 tab, click
Add in the IP section, and enter the IP address and network
mask to assign to the interface, for example 208.80.56.100/24.
6. To save the interface configuration, click OK.

Set Up the GlobalProtect Infrastructure Create Interfaces and Zones for GlobalProtect
Set Up Interfaces and Zones for GlobalProtect (Continued)
Step 2 On the firewall(s) hosting GlobalProtect 1. Select Network > Interfaces > Tunnel and click Add.
gateway(s), configure the logical tunnel 2. In the Interface Name field, specify a numeric suffix, such as .2.
interface that will terminate VPN tunnels
3. On the Config tab, expand the Security Zone drop-down to
established by the GlobalProtect agents.
define the zone as follows:
IP addresses are not required on the • To use your trust zone as the termination point for the
tunnel interface unless you require tunnel, select the zone from the drop-down.
dynamic routing. In addition,
assigning an IP address to the • (Recommended) To create a separate zone for VPN tunnel
tunnel interface can be useful for termination, click New Zone. In the Zone dialog, define a
troubleshooting connectivity issues. Name for new zone (for example, vpn-corp), select the
Enable User Identification check box, and then click OK.
Make sure to enable User-ID in the
4. In the Virtual Router drop-down, select default.
zone where the VPN tunnels
terminate. 5. (Optional) If you want to assign an IP address to the tunnel
interface, select the IPv4 tab, click Add in the IP section, and
enter the IP address and network mask to assign to the interface,
for example 10.31.32.1/32.
6. To save the interface configuration, click OK.
Step 3 If you created a separate zone for tunnel For example, the following policy rule enables traffic between the
termination of VPN connections, create a corp-vpn zone and the l3-trust zone.
security policy to enable traffic flow
between the VPN zone and your trust
zone.
Step 4 Save the configuration. Click Commit.

If you enabled management access
to the interface hosting the portal,
you must add a :4443 to the URL. For
example, to access the web interface for
the portal configured in this example, you
would enter the following:
https://208.80.56.100:4443
Or, if you configured a DNS record for

the FQDN, such as gp.acme.com, you
would enter:
https://gp.acme.com:4443

Enable SSL Between GlobalProtect Components Set Up the GlobalProtect Infrastructure
Enable SSL Between GlobalProtect Components

All interaction between the GlobalProtect components occurs over an SSL connection. Therefore, you must
generate and/or install the required certificates before configuring each component so that you can reference
the appropriate certificate(s) in the configurations. The following sections describe the supported methods of
certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and
provide instructions for generating and deploying the required certificates:
 About GlobalProtect Certificate Deployment
 GlobalProtect Certificate Best Practices
 Deploy Server Certificates to the GlobalProtect Components
About GlobalProtect Certificate Deployment
There are three basic approaches to Deploy Server Certificates to the GlobalProtect Components:
 (Recommended) Combination of third-party certificates and self-signed certificates—Because the

end clients will be accessing the portal prior to GlobalProtect configuration, the client must trust the
certificate to establish an HTTPS connection. Similarly, if you are using GlobalProtect Mobile Security
Manager, the same is true for mobile devices accessing the Mobile Security Manager for enrollment.
Therefore, the recommended approach is to purchase the portal server certificate and the server certificate
for the Mobile Security Manager device check-in interface from a trusted CA that most end clients will
already trust in order to prevent certificate errors. After the client successfully connects, the portal can push
any other required certificates (for example, the root CA certificate for the gateway) to the end client.
 Enterprise Certificate Authority—If you already have your own enterprise certificate authority, you can
use this internal CA to issue certificates for each of the GlobalProtect components and then import them
onto the firewalls hosting your portal and gateway(s) and onto the Mobile Security Manager. In this case, you
must also ensure that the end user systems/mobile devices trust the root CA certificate used to issue the
certificates for the GlobalProtect services to which they must connect.
 Self-Signed Certificates—You can generate a self-signed CA certificate on the portal and use it to issue
certificates for all of the GlobalProtect components. However, this solution is less secure than the other
options and is therefore not recommended. If you do choose this option, end users will see a certificate error
the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate
to all end user systems manually or using some sort of centralized deployment, such as an Active Directory
Group Policy Object (GPO).

Set Up the GlobalProtect Infrastructure Enable SSL Between GlobalProtect Components
GlobalProtect Certificate Best Practices
The following table summarizes the SSL certificates you will need, depending on which features you plan to use:
Table: GlobalProtect Certificate Requirements
Certificate Usage Issuing Process/Best Practices
CA certificate Used to sign certificates issued If you plan to use self-signed certificates, it is a best practice to
to the GlobalProtect generate a CA certificate on the portal and then use that
components. certificate to issue the required GlobalProtect certificates.
Portal server certificate Enables GlobalProtect • As a best practice, use a certificate issued by a well-known,
agents/apps to establish an third-party CA. This is the most secure option and it ensures
HTTPS connection with the that the end clients will be able to establish a trust relationship
portal. with the portal without requiring you to deploy the root CA
The Common Name (CN) and, certificate.
if applicable, the Subject • If you do not use a well-known, public CA, you should export
Alternative Name (SAN) fields the root CA certificate used to generate the portal server
of the certificate must exactly certificate to all client systems that will run GlobalProtect to
match the IP address or fully prevent the end users from seeing certificate warnings during
qualified domain name (FQDN) the initial portal connection.
of the interface hosting the
• If you are deploying a single gateway and portal on the same
portal.
interface/IP address for basic VPN access, you must use a
single server certificate for both components.
Gateway server Enables GlobalProtect • Each gateway must have its own server certificate.
certificate agents/apps to establish an • As a best practice, generate a CA certificate on the portal and
HTTPS connection with the use that CA certificate to generate all gateway certificates.
gateway.
• The portal distributes the gateway root CA certificates to
The Common Name (CN) and,
agents in the client configuration, so the gateway certificates
if applicable, the Subject
do not need to be issued by a public CA.
Alternative Name (SAN) fields
of the certificate must exactly • If you do not deploy the root CA certificates for the
match the FQDN or IP address GlobalProtect gateways in the client configuration, the
of the interface where you plan agent/app will not perform certificate checks when
to configure the gateway. connecting, thereby making the connection vulnerable to
man-in-the-middle attacks.
• If you are deploying a single gateway and portal on the same
interface/IP address for basic VPN access, you must use a
single server certificate for both components. As a best
practice, use a certificate from a public CA.

(Optional) Client Used to enable mutual • For simplified deployment of client certificates, configure the
certificate authentication between the portal to deploy the client certificate to the agents upon
GlobalProtect agents and the successful login. In this configuration, a single client
gateways/portal. certificate is shared across all GlobalProtect agents using the
In addition to enabling mutual same configuration; the purpose of this certificate is to ensure
authentication in establishing an that only clients from your organization are allowed to
HTTPS session between the connect.
client and the portal/gateway, • You can use other mechanisms to deploy unique client
you can also use client certificates to each client system for use in authenticating the
certificates to authenticate end end user.
users.
• Consider testing your configuration without the client
certificate first, and then add the client certificate after you are
sure that all other configuration settings are correct.
(Optional) Machine Ensures that only trusted If you plan to use the pre-logon feature, you must use your own
certificates machines can connect to PKI infrastructure to deploy machine certificates to each client
GlobalProtect. In addition, system prior to enabling GlobalProtect access. For more
machine certificates are required information, see Remote Access VPN with Pre-Logon.
for use of the pre-logon connect
method, which allows for
establishment of VPN tunnels
before the user logs in.
Mobile Security • Enables mobile devices to • Because mobile devices must trust the Mobile Security
Manager server establish HTTPS sessions Manager in order to enroll, as a best practice purchase a
certificate(s) with the Mobile Security certificate for the Mobile Security Manager device check-in
Manager, for enrollment and interface from a well-known, trusted CA. If you do not use a
check-in. trusted CA to issue certificates for the Mobile Security
Manager device check-in interface, you will have to deploy the
• Enables gateways to connect
Mobile Security Manager root CA certificate to the mobile
to the Mobile Security
devices via the portal configuration (to enable the device to
Manager to retrieve HIP
establish an SSL connection with the Mobile Security
reports for managed mobile
Manager for enrollment).
devices.
• If the device check-in interface is on a different interface than
• The Common Name (CN)
the interface where gateways connect for HIP retrieval, you
and, if applicable, the Subject
will need separate server certificates for each interface.
Alternative Name (SAN)
fields of the certificate must For detailed instructions, see Set Up the GlobalProtect Mobile
exactly match the IP address Security Manager.
or fully qualified domain
name (FQDN) of the
interface.

Apple Push Notification Allows the Mobile Security • You must generate the certificate signing request (CSR) for
service (APNs) Mobile Manager to send push this certificate on the Mobile Security Manager and then send
Security Manager notifications to managed iOS it to the Apple iOS Provisioning Portal (login required) for
certificate devices. signing.
• Apple only supports CSRs signed using the SHA 1 message
digest and 2048 bit keys.
See Configure the Mobile Security Manager for Device Check-in
for details on how to set this up.
Identity certificates Enables the Mobile Security The Mobile Security Manager manages the deployment of
Manager and optionally the identity certificates for the devices it manages. See Configure
gateway to establish mutually the Mobile Security Manager for Enrollment for details on how
authenticated SSL sessions with to set this up.
mobile devices.
For details about the types of keys used to establish secure communication between the GlobalProtect agent
and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.
Deploy Server Certificates to the GlobalProtect Components
The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect
components:
Deploy SSL Server Certificates to the GlobalProtect Components
• Import a server certificate from a well-known, To import a certificate and private key from a public CA, make sure
third-party CA. the certificate and key files are accessible from your management
system and that you have the passphrase to decrypt the private key
Use a server certificate from a well-known,
and then complete the following steps:
third-party CA for the GlobalProtect
portal and Mobile Security Manager. This 1. Select Device > Certificate Management > Certificates >
ensures that the end clients will be able to Device Certificates.
establish an HTTPS connection without 2. Click Import and enter a Certificate Name.
receiving certificate warnings. 3. Enter the path and name to the Certificate File received from
The Common Name (CN) and, if the CA, or Browse to find the file.
applicable, the Subject Alternative Name 4. Select Encrypted Private Key and Certificate (PKCS12) as the
(SAN) fields of the certificate must match File Format.
the fully qualified domain name (FQDN)
5. Select the Import private key check box.
or IP address or of the interface where you
plan to configure the portal and/or the 6. Enter the path and name to the PKCS#12 file in the Key File
device check-in interface on the Mobile field or Browse to find it.
Security Manager. Wildcard matches are 7. Enter and re-enter the Passphrase that was used to encrypt the
supported. private key and then click OK to import the certificate and key.

Deploy SSL Server Certificates to the GlobalProtect Components (Continued)
• Create the root CA certificate for issuing To use self-signed certificates, you must first create the root CA
self-signed certificates for the GlobalProtect certificate that will be used to sign the certificates for the
components. GlobalProtect components as follows:
Create the Root CA certificate on the 1. To create a root CA certificate, select Device > Certificate
portal and use it to issue server certificates Management > Certificates > Device Certificates and then
for the gateways and optionally for clients. click Generate.
2. Enter a Certificate Name, such as GlobalProtect_CA. The
certificate name cannot contain any spaces.
3. Do not select a value in the Signed By field (this is what
indicates that it is self-signed).
4. Select the Certificate Authority check box and then click OK to
generate the certificate.
• Generate a self-signed server certificate. 1. Select Device > Certificate Management > Certificates >
Device Certificates and then click Generate.
Use the root CA on the portal to generate
server certificates for each gateway you 2. Enter a Certificate Name. The Certificate Name cannot contain
plan to deploy and optionally for the any spaces.
Mobile Security Manager management 3. Enter the FQDN (recommended) or IP address of the interface
interface (if this is the interface the where you plan to configure the gateway in the Common Name
gateways will use to retrieve HIP reports). field.
In the gateway server certificates, the values 4. In the Signed By field, select the GlobalProtect_CA you
in the Common Name (CN) and Subject previously created.
Alternative Name (SAN) fields of the
5. In the Certificate Attributes section, click Add and define the
certificate must be identical or the
attributes to uniquely identify the gateway. Keep in mind that if
GlobalProtect agent will detect the
you add a Host Name attribute (which populates the SAN field
mismatch when it checks the certificate
of the certificate), it must exactly match the value you defined
chain of trust and will not trust the
for the Common Name.
certificate. Self-signed certificates will only
contain a SAN field if you add a Host 6. Click OK to generate the certificate.
Name certificate attribute. 7. Commit the changes.

Deploy SSL Server Certificates to the GlobalProtect Components (Continued)
• Deploy the self-signed server certificates. 1. On the portal, select Device > Certificate Management >
Certificates > Device Certificates, select the gateway certificate
Best Practices:
you want to deploy, and click Export.
• Export the self-signed server certificates
2. Select Encrypted Private Key and Certificate (PKCS12) from
issued by the root CA on the portal and
the File Format drop-down.
import them onto the gateways.
3. Enter (and re-enter) a Passphrase to encrypt the private key
• Be sure to issue a unique server certificate and then click OK to download the PKCS12 file to your
for each gateway. computer.
• When using self-signed certificates, you 4. On the gateway, select Device > Certificate Management >
must distribute the Root CA certificate to Certificates > Device Certificates and click Import.
the end clients in the portal client
5. Enter a Certificate Name.
configurations.
6. Enter the path and name to the Certificate File you just
downloaded from the portal, or Browse to find the file.
7. Select Encrypted Private Key and Certificate (PKCS12) as the
File Format.
8. Enter the path and name to the PKCS12 file in the Key File field
or Browse to find it.
9. Enter and re-enter the Passphrase you used to encrypt the
private key when you exported it from the portal and then click
OK to import the certificate and key.
10. Commit the changes to the gateway.

Set Up GlobalProtect User Authentication Set Up the GlobalProtect Infrastructure
Set Up GlobalProtect User Authentication

The portal and gateway require the end-user authentication credentials before the GlobalProtect agent/app will
be allowed access to GlobalProtect resources. Because the portal and gateway configurations require you to
specify which authentication mechanisms to use, you must configure authentication before continuing with the
portal and gateway setup. The following sections detail the supported authentication mechanisms and how to
configure them:
 About GlobalProtect User Authentication
 Set Up External Authentication
 Set Up Client Certificate Authentication
 Set Up Two-Factor Authentication
 Set Up Authentication for strongSwan Ubuntu and CentOS Clients
About GlobalProtect User Authentication
The first time a GlobalProtect agent/app connects to the portal, the user is prompted to authenticate to the
portal in order to download the GlobalProtect configuration, which includes the list of gateways the agent can
connect to, the location of the Mobile Security Manager, and optionally a client certificate for connecting to the
gateways. After successfully downloading and caching the configuration, the agent/app attempts to connect to
one of the gateways specified in the configuration and/or to the specified Mobile Security Manager. Because
these components provide access to your network resources and settings, they also require the end user to
authenticate.
The level of security required on the portal, Mobile Security Manager, and the gateways (and even from gateway
to gateway) varies depending on the sensitivity of the resources each protects; GlobalProtect provides a flexible
authentication framework that allows you to choose the authentication profile and/or certificate profile that is
appropriate on each component.
The following sections describe the authentication features available on the portal and the
gateway. For details on how to set up authentication on the Mobile Security Manager, see
Configure the Mobile Security Manager for Enrollment.

Set Up the GlobalProtect Infrastructure Set Up GlobalProtect User Authentication
Supported GlobalProtect Authentication Methods
Authentication Method Description
Local Authentication Both the user account credentials and the authentication mechanisms are local to the firewall.
This authentication mechanism is not scalable because it requires an account for every
GlobalProtect end user and is therefore only recommended in very small deployments.
External authentication The user authentication functions are offloaded to an existing LDAP, Kerberos, or RADIUS
service (including support for two-factor token-based authentication mechanisms such as
one-time password (OTP) authentication). To enable external authentication, you must first
create a server profile that defines access settings for the external authentication service and
then create an authentication profile referencing the server profile. You then reference the
authentication profile in the portal, gateway, and/or Mobile Security Manager configurations.
You can use different authentication profiles for each GlobalProtect component. See Set Up
External Authentication for instructions on setting this up. See Remote Access VPN
(Authentication Profile) for an example configuration.
Client certificate The portal or the gateway uses a client certificate to obtain the username and authenticate
authentication the user before granting access to the system. With this type of authentication, you must issue
a client certificate to each end user; the certificates you issue must contain the username in
one of the certificate fields, such as the Subject Name field. If a certificate profile is
configured on the GlobalProtect portal, the client must present a certificate in order to
connect. This means that certificates must be pre-deployed to the end clients before their
initial portal connection.
In addition, the certificate profile specifies which certificate field to obtain the username
from. If the certificate profile specifies Subject in the Username Field, the certificate
presented by the client must contain a common-name in order to connect. If the certificate
profile specifies a Subject-Alt with an Email or Principal Name as the Username Field, the
certificate presented by the client must contain the corresponding fields, which will be used
as the username when the GlobalProtect agent authenticates to the portal or gateway.
GlobalProtect also supports common access card (CAC) and smart card-based
authentication, which rely on a certificate profile. In this case, the certificate profile must
contain the root CA certificate that issued the certificate in the smart card/CAC.
If you are using client certificate authentication, you should not configure a client certificate
in the portal configuration as the client system will provide it when the end user connects.
For an example of how to configure client certificate authentication, see Remote Access VPN
(Certificate Profile).

Authentication Method Description
Two-factor authentication You can enable two-factor authentication by configuring both a certificate profile and an
authentication profile and adding them both to the portal and/or gateway configuration.
Keep in mind that with two-factor authentication, the client must successfully authenticate
via both mechanisms in order to gain access to the system.
In addition, if the certificate profile specifies a Username Field from which to obtain the
username from the certificate, the username will automatically be used for authenticating to
the external authentication service specified in the authentication profile. For example, if the
Username Field in the certificate profile is set to Subject, the value in the common-name field
of the certificate will by default be used as the username when the user attempts to
authenticate to the authentication server. If you do not want to force users to authenticate
with a username from the certificate, make sure the certificate profile is set to None for the
Username Field. See Remote Access VPN with Two-Factor Authentication for an example
configuration.
How Does the Agent Know What Credentials to Supply to the Portal and Gateway?
By default, the GlobalProtect agent attempts to use the same login credentials for the gateway that it used for
portal login. In the simplest case, where the gateway and the portal use the same authentication profile and/or
certificate profile, the agent will connect to the gateway transparently. However, if the portal and the gateway
require different credentials (such as unique OTPs), this default behavior would cause delays in connecting to
the gateway because the gateway would not prompt the user to authenticate until after it tried and failed to
authenticate using the portal credentials the agent supplied.
There are two options for modifying the default agent authentication behavior on a per-client configuration
basis:
 Cookie authentication on the portal—The agent uses an encrypted cookie to authenticate to the portal
when refreshing a configuration that has already been cached (the user will always be required to authenticate
for the initial configuration download and upon cookie expiration). This simplifies the authentication
process for end users because they will no longer be required to log in to both the portal and the gateway in
succession or enter multiple OTPs for authenticating to each. In addition, this enables use of a temporary
password to re-enable VPN access after password expiration.
 Disable forwarding of credentials to some or all gateways—The agent will not attempt to use its portal
credentials for gateway login, enabling the gateway to immediately prompt for its own set of credentials. This
option speeds up the authentication process when the portal and the gateway require different credentials
(either different OTPs or different login credentials entirely). Or, you can choose to use a different password
on manual gateways only. With this option, the agent will forward credentials to automatic gateways but not
to manual gateways, allowing you to have the same security on your portals and automatic gateways, while
requiring a second factor OTP or a different password for access to those gateways that provide access to
your most sensitive resources.
For an example of how to use these options, see Enable Two-Factor Authentication Using One-Time Passwords
(OTPs).

Set Up External Authentication
The following workflow describes how to set up the portal and/or gateway to authenticate users against an
existing authentication service. GlobalProtect supports external authentication using LDAP, Kerberos, or
RADIUS.
GlobalProtect also supports local authentication. To use this authentication method create a local
user database that contains the users and groups you want allow into the VPN (Device > Local
User Database) and then reference it in the authentication profile.
For more information, see Supported GlobalProtect Authentication Methods or watch a video.
Set Up External User Authentication
Step 1 Create a server profile. 1. Select Device > Server Profiles and select type of profile (LDAP,
Kerberos, or RADIUS).
The server profile instructs the firewall
how to connect to an external 2. Click Add and enter a Name for the profile, such as
authentication service and access the GP-User-Auth.
authentication credentials for your users. 3. (LDAP only) Select the Type of LDAP server you are
connecting to.
If you are using LDAP to connect
to Active Directory (AD), you must 4. Click Add in the Servers section and then enter information
create a separate LDAP server required to connect to the authentication service, including the
profile for every AD domain. server Name, IP Address (or FQDN), and Port.
5. (RADIUS and LDAP only) Specify settings to enable the
firewall to authenticate to the authentication service as follows:
• RADIUS—Enter the shared Secret when adding the server
entry.
• LDAP—Enter the Bind DN and Bind Password.
6. (LDAP and Kerberos only) Specify where to search for users in
the directory service:
• LDAP—The Base DN specifies where in the LDAP tree to
begin searching for users and groups. This field should
populate automatically when you enter the server address and
port. If it doesn’t, check the service route to the LDAP
server.
• Kerberos—Enter the Kerberos Realm name.
7. Specify the Domain name (without dots, for example acme not
acme.com). This value will be appended to the username in the
IP address to username mappings for User-ID.
8. Click OK to save the server profile.

Set Up External User Authentication (Continued)
Step 2 Create an authentication profile. 1. Select Device > Authentication Profile and click Add. a new
profile.
The authentication profile specifies which
server profile to use to authenticate users. 2. Enter a Name for the profile and then select the Authentication
You can attach an authentication profile type (LDAP, Kerberos, or RADIUS).
to a portal or gateway configuration. 3. Select the Server Profile you created in Step 1.
Best Practices: 4. (LDAP AD) Enter sAMAccountName as the Login Attribute.
•To enable users to connect and 5. (LDAP) Set the Password Expiry Warning, which indicates the
change their own expired number of days before password expiration that users will be
passwords without administrative notified. By default, users will be notified seven days prior to
intervention, consider using the password expiration. Because users must change their
pre-logon connect method. See passwords before they expire to ensure continued access to the
Remote Access VPN with VPN, make sure you provide a notification period that is
Pre-Logon for details. adequate for your user base.
•If users allow their passwords to 6. Click OK.
expire, you may assign a temporary
LDAP password to enable them to
log in to the VPN. In this case, the
temporary password may be used to
authenticate to the portal, but the
gateway login may fail because the
same temporary password cannot
be re-used. To prevent this, set the
Authentication Modifier in the
portal configuration (Network >
GlobalProtect > Portal) to Cookie
authentication for config refresh
to enable the agent to use a cookie
to authenticate to the portal and the
temporary password to authenticate
the gateway.
Set Up Client Certificate Authentication
With client certificate authentication, the agent/app must present a client certificate in order to connect to the
GlobalProtect portal and/or gateway. The following workflow shows how to set up this configuration. For more
information, see About GlobalProtect User Authentication. For an example configuration, see Remote Access
VPN (Certificate Profile).

Set Up Client Certificate Authentication
Step 1 Issue client certificates to GlobalProtect To issue unique certificates for individual clients or machines, use
users/machines. your enterprise CA or a public CA. However, if you want to use client
certificates to validate that the user belongs to your organization,
The method for issuing client certificates
generate a self-signed client certificate as follows:
depends on how you are using client
1. Create the root CA certificate for issuing self-signed certificates
authentication:
for the GlobalProtect components.
• To authenticate individual users—
2. Select Device > Certificate Management > Certificates >
You must issue a unique client
Device Certificates and then click Generate.
certificate to each GlobalProtect user
and deploy them to the client systems 3. Enter a Certificate Name. The certificate name cannot contain
prior to enabling GlobalProtect. any spaces.
• To validate that the client system 4. In the Common Name field enter a name to identify this
belongs to your organization—Use certificate as an agent certificate, for example
your own public-key infrastructure GP_Windows_clients. Because this same certificate will be
(PKI) to issue and distribute machine deployed to all agents using the same configuration, it does not
certificates to each client system need to uniquely identify a specific end user or system.
(recommended) or generate a 5. (Optional) In the Certificate Attributes section, click Add and
self-signed machine certificate for define the attributes to identify the GlobalProtect clients as
export. This is required for pre-logon. belonging to your organization if required as part of your
This option requires that you also security requirements.
configure an authentication profile in
6. In the Signed By field, select your root CA.
order to authenticate the user. See
Two-factor authentication. 7. Click OK to generate the certificate.
• To validate that a user belongs to
your organization—In this case you
can use a single client certificate for all
agents, or generate separate certificates
to be deployed with a particular client
configuration. Use the procedure in
this step to issue self-signed client
certificates for this purpose.

Set Up Client Certificate Authentication (Continued)
Step 2 Install certificates in the personal For example, to install a certificate on a Windows system using the
certificate store on the client systems. Microsoft Management Console:
If you are using unique user certificates or 1. From the command prompt, enter
mmc to launch the console.
machine certificates, each certificate must 2. Select File > Add/Remove Snap-in.
be installed in the personal certificate 3. Select Certificates, click Add and then select one of the
store on the client system prior to the first following, depending on what type of certificate you are
portal/gateway connection. Install importing:
machine certificates to the Local • Computer account— Select this option if you are importing
Computer certificate store on Windows a machine certificate.
and in the System Keychain on Mac OS.
Install user certificates to the Current • My user account— Select this option if you are importing a
User certificate store on Windows and in user certificate.
the Personal Keychain on Mac OS.
4. Expand Certificates and select Personal and then in the

Actions column select Personal > More Actions > All Tasks >
Import. and follow the steps in the Certificate Import Wizard to
import the PKCS file you got from the CA.
5. Browse to the .p12 certificate file to import (select Personal

Information Exchange as the file type to browse for) and enter
the Password that you used to encrypt the private key. Select
Personal as the Certificate store.

Set Up Client Certificate Authentication (Continued)
Step 3 Verify that the certificate has been added Look to see that the certificate you just installed is there.
to the personal certificate store.
Step 4 Import the root CA certificate used to 1. Download the root CA certificate used to issue the client
issue the client certificates onto the certificates (Base64 format).
firewall. 2. Import the root CA certificate from the CA that generated the
This step is only required if the client client certificates onto the firewall:
certificates were issued by an external CA, a. Select Device > Certificate Management > Certificates >
such as a public CA or an enterprise PKI Device Certificates and click Import.
CA. If you are using self-signed b. Enter a Certificate Name that identifies the certificate as
certificates, the root CA is already trusted your client CA certificate.
by the portal/gateway.
c. Browse to the Certificate File you downloaded from the
CA.
d. Select Base64 Encoded Certificate (PEM) as the File Format
and then click OK.
e. Select the certificate you just imported on the Device
Certificates tab to open it.
f. Select Trusted Root CA and then click OK.
Step 5 Create a client certificate profile. 1. Select Device > Certificates > Certificate Management >
Certificate Profile and click Add and enter a profile Name.
If you setting up the portal and/or
gateway for two-factor 2. Select a value for the Username Field to specify which field in
authentication, the username from the certificate will contain the user’s identity information.
the client certificate will be used as 3. In the CA Certificates field, click Add, select the Trusted Root
the username when authenticating CA certificate you imported in Step 4 and then click OK.
the user to your external
authentication service. This ensures
that the user who is logging is in is
actually the user to whom the
certificate was issued.

Set Up Two-Factor Authentication
If you require strong authentication in order to protect your sensitive resources and/or comply with regulatory
requirements—such as PCI, SDX, or HIPAA—configure GlobalProtect to use an authentication service that
uses a two-factor authentication scheme such as one-time passwords (OTPs), tokens, smart cards, or a
combination of external authentication and client certificate authentication. A two-factor authentication scheme
requires two things: something the end user knows (such as a PIN or password) and something the end user has
(a hardware or software token/OTP, smart card, or certificate).
The following sections provide examples for how to set up two-factor authentication on GlobalProtect:
 Enable Two-Factor Authentication
 Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
 Enable Two-Factor Authentication Using Smart Cards
Enable Two-Factor Authentication
The following workflow shows how to configure GlobalProtect client authentication requiring the user to
authenticate both to a certificate profile and an authentication profile. The user must successfully authenticate
using both methods in order to connect to the portal/gateway. For more details on this configuration, see
Remote Access VPN with Two-Factor Authentication.

Enable Two-Factor Authentication
Step 1 Create a server profile. 1. Select Device > Server Profiles and select type of profile (LDAP,
Kerberos, or RADIUS).
how to connect to an external 2. Click Add and enter a Name for the profile, such as
authentication service and access the GP-User-Auth.
authentication credentials for your users. 3. (LDAP only) Select the Type of LDAP server you are
connecting to.
If you are using LDAP to connect
to Active Directory (AD), you must 4. Click Add in the Servers section and then enter information
create a separate LDAP server required to connect to the authentication service, including the
profile for every AD domain. server Name, IP Address (or FQDN), and Port.
5. (RADIUS and LDAP only) Specify settings to enable the
firewall to authenticate to the authentication service as follows:
• RADIUS—Enter the shared Secret when adding the server
entry.
• LDAP—Enter the Bind DN and Bind Password.
6. (LDAP and Kerberos only) Specify where to search for users in
the directory service:
• LDAP—The Base DN specifies where in the LDAP tree to
begin searching for users and groups. This field should
populate automatically when you enter the server address and
port. If it doesn’t, check the service route to the LDAP
server.
• Kerberos—Enter the Kerberos Realm name.
7. Specify the Domain name (without dots, for example acme not
acme.com). This value will be appended to the username in the
IP address to username mappings for User-ID.
Step 2 Create an authentication profile. 1. Select Device > Authentication Profile and click Add. a new
profile.
The authentication profile specifies which
server profile to use to authenticate users. 2. Enter a Name for the profile and then select the Authentication
You can attach an authentication profile type (LDAP, Kerberos, or RADIUS).
to a portal or gateway configuration. 3. Select the Server Profile you created in Step 1.
4. (LDAP AD) Enter sAMAccountName as the Login Attribute.
5. Click OK.

Enable Two-Factor Authentication (Continued)
Step 3 Create a client certificate profile. 1. Select Device > Certificates > Certificate Management >
Certificate Profile and click Add and enter a profile Name.
If you setting up the portal and/or
gateway for two-factor 2. Select a value for the Username Field:
authentication, if the client • If you are deploying the client certificate from the portal,
certificate contains a username leave this field set to None.
field, the username value from the • If you are setting up a certificate profile for use with
certificate will be used as the pre-logon, leave the field set to None.
username when authenticating the
user to your external authentication • If you are using the client certificate to authenticate individual
service. This ensures that the user users (including smart card users), select the certificate field
who is logging is in is actually the that will contain the user’s identity information.
user to whom the certificate was 3. In the CA Certificates field, click Add, select the Trusted Root
issued. CA certificate you just imported and then click OK.
Step 4 (Optional) Issue client certificates to 1. Use your enterprise PKI or a public CA to issue a unique client
GlobalProtect users/machines. certificate to each GlobalProtect user.
2. Install certificates in the personal certificate store on the client
systems.
Step 5 Save the GlobalProtect configuration. Click Commit.
Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
On the firewall, the process for setting up access to a two-factor authentication service is similar to setting up
any other type of authentication: create a server profile (usually to a RADIUS server), add the server profile to
an authentication profile, and then reference that authentication profile in the configuration for the device that
will be enforcing the authentication—in this case, the GlobalProtect portal and/or gateway.
By default, the agent will supply the same credentials it used to log in to the portal and to the gateway. In the
case of OTP authentication, this behavior will cause the authentication to initially fail on the gateway and,
because of the delay this causes in prompting the user for a login, the user’s OTP may expire. To prevent this,
the portal allows for modification of this behavior on a per-client configuration basis—either by allowing the
portal to authenticate using an encrypted cookie or by preventing the agent from using the same credentials it
used for the portal on the gateway. Both of these options solve this problem by enabling the gateway to
immediately prompt for the appropriate credentials.
Enable OTP Support
Step 1 Set up your RADIUS server to interact For specific instructions, refer to the documentation for your
with the firewall. RADIUS server. In most cases, you will need to set up an
authentication agent and a client configuration on the RADIUS
This procedure assumes that your
server to enable communication between the firewall and the
RADIUS service is already configured for
RADIUS server. You will also define the shared secret that will be
OTP or token-based authentication and
used to encrypt sessions between the firewall and the RADIUS
that necessary devices (such as hardware
server.
tokens) have been deployed to users.

Enable OTP Support (Continued)
Step 2 On the firewall that will act as your 1. Select Device > Server Profiles > RADIUS, click Add and enter
gateway and/or portal, create a RADIUS a Name for the profile.
server profile. 2. Enter the RADIUS Domain name.
Best Practice: 3. To add a RADIUS server entry, click Add in the Servers section
and then enter the following information:
When creating the RADIUS
server profile, always enter a • A descriptive name to identify this RADIUS Server
Domain name because this value • The IP Address of the RADIUS Server
will be used as the default domain
• The shared Secret used to encrypt sessions between the
for User-ID mapping if users don’t
firewall and the RADIUS server
supply one upon login.
• The Port number on which the RADIUS server will listen for
authentication requests (default 1812)
4. Click OK to save the profile.
Step 3 Create an authentication profile. 1. Select Device > Authentication Profile, click Add, and enter a
Name for the profile. The authentication profile name cannot
contain any spaces.
2. Select RADIUS from the Authentication drop-down.
3. Select the Server Profile you created for accessing your
RADIUS server.
4. Click OK to save the authentication profile.
Step 4 Assign the authentication profile to the 1. Select Network > GlobalProtect > Gateways or Portals and
GlobalProtect gateway(s) and/or portal. select the configuration (or Add one).
This section only describes how to add 2. On the General tab (on the gateway) or the Portal
the authentication profile to the gateway Configuration tab (on the portal), select the Authentication
or portal configuration. For details on Profile you just created.
setting up these components, see 3. Enter an Authentication Message to guide users as to which
Configure GlobalProtect Gateways and authentication credentials to use.
Configure the GlobalProtect Portal. 4. Click OK to save the configuration.
Step 5 (Optional) Modify the default 1. Select Network > GlobalProtect > Gateways or Portals and
authentication behavior on the portal. select the configuration (or Add one).
This section only describes how to 2. Select the Client Configuration tab and then select or Add a
modify the portal authentication client configuration.
behavior. For more details, see Define the 3. On the General tab, select one of the following values from the
GlobalProtect Client Configurations. Authentication Modifier field:
• Cookie authentication for config refresh—Enables the
portal to use an encrypted cookie to authenticate users so
they don’t have to enter multiple OTPs or credentials.
• Different password for external gateway—Prevents the
agent from forwarding the user credentials it used for portal
authentication on to the gateway to prevent OTP
authentication failures.
4. Click OK twice to save the configuration.

Enable OTP Support (Continued)
Step 7 Verify the configuration. From a client system running the GlobalProtect agent, try to connect
to a gateway or portal on which you enabled OTP authentication.
This step assumes that your gateway and
You should see two prompts similar to the following:
portal are already configured. For details
on setting up these components, see The first will prompt you for a PIN (either a user- or
Configure GlobalProtect Gateways and system-generated PIN):
Configure the GlobalProtect Portal.
The second will prompt you for your token or OTP:
Enable Two-Factor Authentication Using Smart Cards
If you want to enable your end users to authenticate using a smart card or common access card (CAC), you must
import the Root CA certificate that issued the certificates contained on the end user CAC/smart cards onto the
portal/gateway. You can then create a certificate profile that includes that Root CA and apply it to your portal
and/or gateway configurations to enable use of the smart card in the authentication process.
Enable Smart Card Authentication
Step 1 Set up your smart card infrastructure. For specific instructions, refer to the documentation for the user
authentication provider software. In most cases, setting up the smart
This procedure assumes that you have
card infrastructure requires generating certificates for end users and
deployed smart cards and smart card
for the servers participating in the system, which are the
readers to your end users.
GlobalProtect portal and/or gateway(s) in this case.

Enable Smart Card Authentication (Continued)
Step 2 Import the Root CA certificate that issued Make sure the certificate is accessible from your management
the client certificates contained on the system and then complete the following steps:
end user smart cards. 1. Select Device > Certificate Management > Certificates >
Device Certificates.
2. Click Import and enter a Certificate Name.
3. Enter the path and name to the Certificate File received from
the CA, or Browse to find the file.
4. Select Base64 Encoded Certificate (PEM) as the File Format
and then click OK to import the certificate.
Step 3 Create the certificate profile. Create the certificate profile on each portal/gateway on which you
plan to use CAC/smart card authentication:
For details on other certificate
profile fields, such as whether to use 1. Select Device > Certificate Management > Certificate Profile
and click Add and enter a profile Name.
CRL or OCSP, refer to the online
help. 2. In the Username field, select the certificate field that PAN-OS
uses to match the IP address for User-ID, either Subject to use
a common name, Subject Alt: Email to use an email address, or
Subject Alt: Principal Name to use the Principal Name.
3. In the CA Certificates field, click Add, select the trusted root
CA Certificate you imported in Step 2 and then click OK.
4. Click OK to save the certificate profile.
Step 4 Assign the certificate profile to the 1. Select Network > GlobalProtect > Gateways or Portals and
GlobalProtect gateway(s) and/or portal. select the configuration (or click Add to add one).
This section only describes how to add 2. On the General tab (on the gateway) or the Portal
the certificate profile to the gateway or Configuration tab (on the portal), select the Certificate Profile
portal configuration. For details on you just created.
setting up these components, see 3. Enter an Authentication Message to guide users as to which
Configure GlobalProtect Gateways and authentication credentials to use.
Configure the GlobalProtect Portal. 4. Click OK to save the configuration.
Step 6 Verify the configuration. From a client system running the GlobalProtect agent, try to
connect to a gateway or portal on which you set up smart
card-enabled authentication. When prompted, insert your smart
card and verify that you can successfully authenticate to
GlobalProtect.

Set Up Authentication for strongSwan Ubuntu and CentOS Clients
Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 are tested for PAN-OS 6.1 only.
Ubuntu 14.0.4 with strongSwan 5.2.1 is tested for PAN-OS 7.0. If you are using a different version of
strongSwan, see Set Up Authentication for strongSwan Ubuntu and CentOS Clients in the GlobalProtect 7.0
Administrator’s Guide for reference information.

Set Up the GlobalProtect Infrastructure Enable Group Mapping
Enable Group Mapping

Because the agent or app running on your end-user systems requires the user to successfully authenticate before
being granted access to GlobalProtect, the identity of each GlobalProtect user is known. However, if you want
to be able to define GlobalProtect configurations and/or security policies based on group membership, the
firewall must retrieve the list of groups and the corresponding list of members from your directory server. This
is known as group mapping.
To enable this functionality, you must create an LDAP server profile that instructs the firewall how to connect
and authenticate to the directory server and how to search the directory for the user and group information.
After the firewall successfully connects to the LDAP server retrieves the group mappings, you will be able to
select groups when defining your client configurations and security policies. The firewall supports a variety of
LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE
Directory Server.
Use the following procedure to connect to your LDAP directory to enable the firewall to retrieve user-to-group
mapping information:

Enable Group Mapping Set Up the GlobalProtect Infrastructure
Map Users to Groups
Step 1 Create an LDAP Server Profile that 1. Select Device > Server Profiles > LDAP.
specifies how to connect to the directory 2. Click Add and then enter a Name for the profile.
servers to which the firewall should
3. (Optional) Select the virtual system to which this profile applies
connect to obtain group mapping
from the Location drop-down.
information.
4. Click Add to add a new LDAP server entry and then enter a
Server name to identify the server (1-31 characters) and the IP
Address and Port number the firewall should use to connect to
the LDAP server (default=389 for LDAP; 636 for LDAP over
SSL). You can add up to four LDAP servers to the profile,
however, all the servers you add to a profile must be of the same
type. For redundancy you should add at least two servers.
5. Enter the LDAP Domain name to prepend to all objects learned
from the server. The value you enter here depends on your
deployment:
• If you are using Active Directory, you must enter the
NetBIOS domain name; NOT a FQDN (for example, enter
acme, not acme.com). Note that if you need to collect data
from multiple domains you must create a separate server
profile for each domain. Although the domain name can be
determined automatically, it is a best practice to enter the
domain name whenever possible.
• If you are using a global catalog server, leave this field blank.
6. Select the Type of LDAP server you are connecting to. The
group mapping values will automatically be populated based on
your selection. However, if you have customized your LDAP
schema you may need to modify the default settings.
7. In the Base field, specify the point where you want the firewall
to begin its search for user and group information within the
LDAP tree.
8. Enter the authentication credentials for binding to the LDAP
tree in the Bind DN, Bind Password, and Confirm Bind
Password fields. The Bind DN can be in either User Principal
Name (UPN) format (i.e. administrator@acme.local) or it
can be a fully qualified LDAP name (i.e.
cn=administrator,cn=users,dc=acme,dc=local).
9. If you want the firewall to communicate with the LDAP
server(s) over a secure connection, select the SSL check box. If
you enable SSL, make sure that you have also specified the
appropriate port number.

Set Up the GlobalProtect Infrastructure Enable Group Mapping
Map Users to Groups (Continued)
Step 2 Add the LDAP server profile to the 1. Select Device > User Identification > Group Mapping Settings
User-ID Group Mapping configuration. and click Add.
2. Enter a Name for the configuration.

3. Select the Server Profile you just created.
4. Make sure the Enabled check box is selected.
5. (Optional) If you want to limit which groups are displayed
within security policy, select the Group Include List tab and then
browse through the LDAP tree to locate the groups you want to
be able to use in policy. For each group you want to include,
select it in the Available Groups list and click the add icon to
move it to the Included Groups list. Repeat this step for every
group you want to be able to use in your policies.
6. Click OK to save the settings.

Configure GlobalProtect Gateways Set Up the GlobalProtect Infrastructure
Configure GlobalProtect Gateways

Because the GlobalProtect configuration that the portal delivers to the agents includes the list of gateways the
client can connect to, it is a good idea to configure the gateways before configuring the portal.
The GlobalProtect Gateways can be configured to provide two main functions:
 Enforce security policy for the GlobalProtect agents and apps that connect to it. You can also enable HIP
collection on the gateway for enhanced security policy granularity. For more information on enabling HIP
checks, see Use Host Information in Policy Enforcement.
 Provide virtual private network (VPN) access to your internal network. VPN access is provided through an
IPSec or SSL tunnel between the client and a tunnel interface on the gateway firewall.
You can also configure GlobalProtect gateways on VM-Series firewalls deployed in the AWS
cloud. By deploying the VM-Series firewall in the AWS cloud you can quickly and easily deploy
GlobalProtect gateways in any region without the expense or IT logistics that are typically
required to set up this infrastructure using your own resources. For details, see Use Case:
VM-Series Firewalls as GlobalProtect Gateways in AWS.
Prerequisite Tasks for Configuring the GlobalProtect Gateway
Before you can configure the GlobalProtect gateway, you must have completed the following tasks:
 Created the interfaces (and zones) for the interface where you plan to configure each gateway. For
gateways that require tunnel connections you must configure both the physical interface and the virtual
tunnel interface. See Create Interfaces and Zones for GlobalProtect.
 Set up the gateway server certificates required for the GlobalProtect agent to establish an SSL connection
with the gateway. See Enable SSL Between GlobalProtect Components.
 Defined the authentication profiles and/or certificate profiles that will be used to authenticate
GlobalProtect users. See Set Up GlobalProtect User Authentication.
Configure a GlobalProtect Gateway
After you have completed the prerequisite tasks, configure the GlobalProtect Gateways as follows:
Configure the Gateway
Step 1 Add a gateway. 1. Select Network > GlobalProtect > Gateways and click Add.
2. On the General tab, enter a Name for the gateway. The gateway
name should not contain any spaces and as a best practice it
should include the location or other descriptive information that
will help users and other administrators identify the gateway.
3. (Optional) Select the virtual system to which this gateway
belongs from the Location field.

Set Up the GlobalProtect Infrastructure Configure GlobalProtect Gateways
Configure the Gateway (Continued)
Step 2 Specify the network information to 1. Select the Interface that agents will use for ingress access to the
enable agents to connect to the gateway. gateway.
If you have not yet created the network 2. Select the IP Address for the gateway web service.
interface for the gateway, see Create 3. Select the Server Certificate for the gateway from the
Interfaces and Zones for drop-down.
GlobalProtectfor instructions. If you The Common Name (CN) and, if applicable, the Subject
haven’t yet created a server certificate for Alternative Name (SAN) fields of the certificate must
the gateway, see Deploy Server match the IP address or fully qualified domain name
Certificates to the GlobalProtect (FQDN) of the interface where you configure the
Components. gateway.
Step 3 Specify how the gateway will authenticate • To authenticate users using a local user database or an external
end users. authentication service such as LDAP, Kerberos, or RADIUS
(including OTP), select the corresponding Authentication Profile.
If you have not yet set up the
authentication profiles and/or certificate • To provide help to users as to what login credentials to supply,
profiles, see Set Up GlobalProtect User enter an Authentication Message.
Authentication for instructions. • To authenticate users based on a client certificate or smart card,
select the corresponding Certificate Profile.
• To use two-factor authentication, select both an authentication
profile and an certificate profile. Keep in mind that the user must
successfully authenticate using both methods to be granted access.

Step 4 Configure the tunnel parameters and 1. On the GlobalProtect Gateway dialog, select Client
enable tunneling. Configuration > Tunnel Settings.
The tunnel parameters are required if you 2. Select the Tunnel Mode check box to enable tunneling.
are setting up an external gateway. If you 3. Select the Tunnel Interface you defined in Step 2 in Create
are configuring an internal gateway, they Interfaces and Zones for GlobalProtect.
are optional. 4. (Optional) Select Enable X-Auth Support if you have end
If you want to force use of clients that need to connect to the gateway using a third-party
SSL-VPN tunnel mode, clear the VPN client, such as a VPNC client running on Linux. If you
Enable IPSec check box. By enable X-Auth you also must provide the Group name and
default, SSL-VPN will only be used Group Password if required by the client.
if the client fails to establish an Although X-Auth access is supported on iOS and
IPSec tunnel. Extended Android devices, it provides limited GlobalProtect
authentication (X-Auth) is only functionality. Instead use the GlobalProtect app for
supported on IPSec tunnels. simplified access to the full security feature set
GlobalProtect provides on iOS and Android devices. The
GlobalProtect app for iOS is available from the Apple
App Store and the GlobalProtect app for Android is
available from Google Play.
5. (Optional) Modify the default timeout settings for
GlobalProtect clients:
• Modify the Login Lifetime for a single gateway login session.
The default login lifetime is 30 days--at this time, the login
session automatically logs out.
• Modify the amount of time after which an inactive session is
automatically logged out. The default Inactivity Logout
period is 3 hours. A client is logged out of GlobalProtect if
the gateway does not receive a HIP check from the client
during the configured amount of time.
• Modify the number of minutes after which idle users are
logged out of GlobalProtect. The default period for
Disconnect on Idle is 180 minutes. Clients are logged out of
GlobalProtect if the GlobalProtect app has not routed traffic
through the VPN tunnel in the configured amount of time.

Set Up the GlobalProtect Infrastructure Configure GlobalProtect Gateways
Step 5 (Tunnel Mode only) Configure the 1. On the GlobalProtect Gateway dialog, select Client
network settings to assign the clients’ Configuration > Network Settings.
virtual network adapter when an agent 2. Specify the network configuration settings for the clients in one
establishes a tunnel with the gateway. of the following ways:
Network settings are not required in • You can manually assign the DNS server(s) and suffix, and
internal gateway configurations in WINS servers by completing the corresponding fields.
non-tunnel mode because in this • If the firewall has an interface that is configured as a DHCP
case agents use the network settings client, you can set the Inheritance Source to that interface
assigned to the physical network and the GlobalProtect agent will be assigned the same
adapter. settings received by the DHCP client.
3. To specify the IP Pool to use to assign client IP addresses, click
Add and then specify the IP address range to use. As a best
practice, use a different range of IP addresses from those
assigned to clients that are physically connected to your LAN to
ensure proper routing back to the gateway.
4. To define what destination subnets to route through the tunnel
click Add in the Access Route area and then enter the routes as
follows:
• To route all client traffic GlobalProtect (full-tunneling), enter
0.0.0.0/0 as the access route. You will then need to use
security policy to define what zones the client can access
(including untrust zones). The benefit of this configuration is
that you have visibility into all client traffic and you can
ensure that clients are secured according to your policy even
when they are not physically connected to the LAN. Note
that in this configuration traffic destined for the local subnet
goes through the physical adapter, rather than being tunneled
to the gateway.
• To route only some traffic—likely traffic destined for your
LAN—to GlobalProtect (split-tunneling), specify the
destination subnets that must be tunneled. In this case, traffic
that is not destined for a specified access route will be routed
through the client’s physical adapter rather than through the
virtual adapter (the tunnel).
The firewall supports up to 100 access routes.

Step 6 (Optional) Define the notification 1. On the Client Configuration > HIP Notification tab, click Add.
messages end users will see when a 2. Select the HIP Profile this message applies to from the
security rule with a host information drop-down.
profile (HIP) is enforced.
3. Select Match Message or Not Match Message, depending on
This step only applies if you have created whether you want to display the message when the
host information profiles and added them corresponding HIP profile is matched in policy or when it is not
to your security policies. For details on matched. In some cases you might want to create messages for
configuring the HIP feature and for more both a match and a non-match, depending on what objects you
detailed information about creating HIP are matching on and what your objectives are for the policy.
notification messages, see Use Host 4. Select the Enable check box and select whether you want to
Information in Policy Enforcement. display the message as a Pop Up Message or as a System Tray
Balloon.
5. Enter the text of your message in the Template text box and
then click OK.
6. Repeat these steps for each message you want to define.
Step 7 Save the gateway configuration. Click OK to save the settings and close the GlobalProtect Gateway
dialog.
Step 8 (Optional) Set up access to the Mobile 1. Select Network > GlobalProtect > MDM and click Add.
Security Manager. 2. Enter a Name for the Mobile Security Manager.
This step is required if you are using the 3. (Optional) Select the virtual system to which this Mobile
GlobalProtect Mobile Security Manager Security Manager configuration belongs from the Location
to manage end user devices and you are field.
using HIP-enabled policy enforcement. 4. Enter the IP address or FQDN of the Mobile Security Manager
This configuration allows the gateway to Server interface where the gateway will connect to retrieve HIP
communicate with the Mobile Security reports.
Manager to retrieve the HIP reports for
5. (Optional) Set the Connection Port on which the Mobile
managed mobile devices. For more
Security Manager will be listening for HIP retrieval requests.
details, see Enable Gateway Access to the
This value must match the value set on the Mobile Security
Mobile Security Manager.
Manager. By default, this port is set to 5008, which is the port
that the GlobalProtect Mobile Security Manager listens on.
6. If the Mobile Security Manager requires the gateway to present
a certificate to establish an HTTPS connection, select the Client
Certificate to use.
7. If the gateway does not trust the Mobile Security Manager
certificate for the interface where it will be connecting, click Add
in the Trusted Root CA section and select or Import the root
CA certificate that was used to issue the Mobile Security
Manager server certificate.
8. Click OK to save the Mobile Security Manager settings.
Step 9 Save the configuration. Commit the changes.

Set Up the GlobalProtect Infrastructure Configure the GlobalProtect Portal
Configure the GlobalProtect Portal

The GlobalProtect Portal provides the management functions for your GlobalProtect infrastructure. Every
client system that participates in the GlobalProtect network receives configuration information from the portal,
including information about available gateways as well as any client certificates that may be required to connect
to the gateways. In addition, the portal controls the behavior and distribution of the GlobalProtect agent
software to both Mac and Windows laptops.
The portal does not distribute the GlobalProtect app for use on mobile devices. To get the
GlobalProtect app for iOS, end users must download it from the App Store. To get the
GlobalProtect app for Android, end users must down load it from Google Play. However, the client
configurations that get deployed to mobile app users does control what gateway(s) the mobile
devices have access to and if the mobile device is required to enroll with the GlobalProtect Mobile
Security Manager. For more details on supported versions, see What Client OS Versions are
Supported with GlobalProtect?
The following sections provide procedures for setting up the portal:
 Prerequisite Tasks for Configuring the GlobalProtect Portal
 Set Up Access to the GlobalProtect Portal
 Define the GlobalProtect Client Configurations
 Customize the GlobalProtect Agent
 Customize the GlobalProtect Portal Login, Welcome, and Help Pages
Prerequisite Tasks for Configuring the GlobalProtect Portal
Before you can configure the GlobalProtect Portal, you must have completed the following tasks:
 Created the interfaces (and zones) for the firewall interface where you plan to configure the portal. See
Create Interfaces and Zones for GlobalProtect.
 Set up the portal server certificate, gateway server certificate, and, optionally, any client certificates to be
deployed to end users to enable mutual SSL connections to the GlobalProtect services. See Enable SSL
Between GlobalProtect Components.
 Defined the authentication profiles and/or certificate profiles that will be used to authenticate
GlobalProtect users. See Set Up GlobalProtect User Authentication.
 Configured the global protect gateways. See Configure GlobalProtect Gateways.

Configure the GlobalProtect Portal Set Up the GlobalProtect Infrastructure
Set Up Access to the GlobalProtect Portal
After you have completed the prerequisite tasks, configure the GlobalProtect Portal as follows:
Set Up Access to the Portal
Step 1 Add the portal. 1. Select Network > GlobalProtect > Portals and click Add.
2. On the Portal Configuration tab, enter a Name for the portal.
The portal name should not contain any spaces.
3. (Optional) Select the virtual system to which this portal belongs
from the Location field.
Step 2 Specify the network information to 1. Select the Interface that agents will use for ingress access to the
enable agents to connect to the portal. portal.
If you have not yet created the network 2. Select the IP Address for the portal web service.
interface for the portal, see Create 3. Select the Server Certificate for the portal from the
Interfaces and Zones for GlobalProtect drop-down.
for instructions. If you haven’t yet created The Common Name (CN) and, if applicable, the Subject
a server certificate for the portal and Alternative Name (SAN) fields of the certificate must
issued gateway certificates, see Deploy exactly match the IP address or fully qualified domain
Server Certificates to the GlobalProtect name (FQDN) of the interface where you configure the
Components. portal or HTTPS connections to the portal will fail.
Step 3 Specify how the portal will authenticate • To authenticate users using a local user database or an external
end users. authentication service (including OTP authentication), select the
corresponding Authentication Profile.
If you have not yet set up the
authentication profiles and/or certificate • Enter an Authentication Message to guide users as to which
profiles, see Set Up GlobalProtect User authentication credentials to use.
Authentication for instructions. • To authenticate users based on a client certificate or a smart
card/CAC, select the corresponding Certificate Profile.
• To use two-factor authentication, select both an authentication
profile and a certificate profile. Keep in mind that the user must
successfully authenticate using both methods to be granted access.
Step 4 Save the portal configuration. 1. Click OK to save the settings and close the GlobalProtect
Gateway dialog.
2. Commit the changes.

Define the GlobalProtect Client Configurations
When a GlobalProtect agent/app connects and successfully authenticates to the GlobalProtect portal, the
portal delivers the GlobalProtect client configuration to the agent/app based on the settings you defined. If you
have different classes of users requiring different configurations, you can create a separate client configuration
for each. The portal will then use the username/group name and or OS of the client to determine which client
configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of
the list. When it finds a match, it delivers the corresponding configuration to the agent/app.
The configuration may include the following:
 A list of gateways the agent/app can connect to, and whether the user can establish manual connections with
those gateways.
 The root CA certificate required to enable the agent/app to establish an SSL connection with the
GlobalProtect gateway(s) and/or the Mobile Security Manager.
 The client certificate that agent should present to the gateway when it connects. This is only required if
mutual authentication is required between the agent and the gateway.
 The settings the agent uses to determine whether it is connected to the local network or to an external
network.
 Agent configuration settings, such as what agent views the end users can see, whether users can save their
GlobalProtect passwords, and whether users are prompted to upgrade the agent software.
If the portal is down or unreachable, the agent will use the cached version of its client
configuration from its last successful portal connection to obtain settings, including which
gateway(s) to connect to, what root CA certificate(s) to use to establish secure communication
with the gateway(s), and what connect method to use.
Use the following procedure to create a client configuration.

Create a GlobalProtect Client Configuration
Step 1 Add the trusted Root CA certificates that 1. If you are still in the GlobalProtect gateway dialog, select the
the agent/app will use to perform Client Configuration tab. Otherwise, select Network >
certificate checks when connecting to the GlobalProtect > Portals and select the portal configuration for
GlobalProtect gateway(s) and/or the which you want to add a client configuration and then select the
Mobile Security Manager. If you do not Client Configuration tab.
add a trusted root CA certificate to the 2. In the Trusted Root CA field, click Add and then select the CA
client configuration, the associated certificate that was used to issue the gateway server certificates.
agents/apps will not perform certificate As a best practice, all of your gateways should use the same
checks when connecting. issuer.
As a best practice, always deploy 3. (Optional) If your Mobile Security Manager server certificate
the trusted root CA certificates in was not issued by a well-known CA (that is, it is not trusted by
the client configuration to ensure the devices that will need to connect to it to enroll), click Add in
that the agents/apps perform the the Trusted Root CA field and then select the CA certificate that
certificate checks to validate the was used to issue the Mobile Security Manager server certificate.
identity of the gateway before If the root CA certificate used to issue your gateway
establishing a connection. This and/or Mobile Security Manager server certificates is not
prevents the agents/apps from on the portal, you can Import it now. See Enable SSL
falling prey to man-in-the-middle Between GlobalProtect Components for SSL best
attacks. practices.
Step 2 Add a client configuration. In the Client Configuration section, click Add and enter a Name for
the configuration.
The client configuration specifies the
GlobalProtect configuration settings to If you plan to create multiple configurations, make sure the name you
deploy to the connecting agents/apps. define for each is descriptive enough to allow you to distinguish
You must define at least one client them.
configuration.
Step 3 If you do not require the GlobalProtect 1. Select the Internal Host Detection check box.
agent to establish tunnel connections 2. Enter the IP Address of a host that can only be reached from
when on the internal network, enable the internal network.
internal host detection.
3. Enter the DNS Hostname that corresponds to the IP address
you entered. Agents attempting to connect to GlobalProtect will
attempt to do a reverse DNS lookup on the specified address; if
the lookup fails, the agent will determine that it is on the
external network and begin trying to establish tunnel
connections with the external gateways on its list.

Create a GlobalProtect Client Configuration (Continued)
Step 4 Specify how the agent will connect to 1. Select a Connect Method:
GlobalProtect. • on-demand—Users will have to manually launch the agent
Best Practices: to connect to GlobalProtect. Use this connect method for
external gateways only.
•Only use the on-demand option if
you are using GlobalProtect for • user-logon—GlobalProtect will automatically connect as
VPN access to external gateways. soon as the user logs in to the machine (or domain). When
•Do not use the on-demand option used in conjunction with SSO (Windows users only),
if you plan to run the GlobalProtect GlobalProtect login is transparent to the end user.
agent in hidden mode. See • pre-logon—Authenticates the user and establishes the VPN
Customize the GlobalProtect tunnel to the GlobalProtect gateway using a pre-installed
Agent. machine certificate before the user has logged in to the
•For faster connection times, use machine. This option requires that you deploy machine
internal host detection in certificates to each end user system using an external PKI
configurations where you have solution. See Remote Access VPN with Pre-Logon for more
enabled SSO. details on setting up this option.
2. (Configurations for Windows users only) Select Use single
sign-on to enable GlobalProtect to use the Windows login
credentials to automatically authenticate the user upon login to
Active Directory.
With Single Sign-On (SSO) enabled, the GlobalProtect
agent uses the user’s Windows login credentials to
automatically authenticate to and connect to the
GlobalProtect portal and gateway. GlobalProtect with
SSO enabled also allows for the GlobalProtect agent to
wrap third-party credentials to ensure that Windows users
can authenticate and connect, even when a third-party
credential provider is being used to wrap the Windows
login credentials.
Step 5 Set up access to the Mobile Security 1. Enter the IP address or FQDN of the Mobile Security
Manager. Manager device check-in interface. The value you enter here
must exactly match the value in the CN field of Mobile Security
This step is required if the mobile devices
Manager server certificate associated with the device check-in
using this configuration will be managed
interface.
by the GlobalProtect Mobile Security
Manager. All devices will initially connect 2. Specify the Enrollment Port on which the Mobile Security
to the portal and, if Mobile Security Manager will be listening for enrollment requests. This value
Manager is configured on the must match the value set on the Mobile Security Manager
corresponding portal client configuration, (default=443). For more details, see Set Up the Mobile Security
the device will be redirected to it for Manager for Device Management.
enrollment. For more information, see
Set Up the GlobalProtect Mobile Security
Manager.

Step 6 Specify which users to deploy this Select the User/User Group tab and then specify the user/user
configuration to. There are two ways to groups and/or operating systems to which this configuration should
specify who will get the configuration: by apply:
user/group name and/or the operating • To restrict this configuration to a specific user or group, click Add
system the agent is running on. in the User/User Group section of the window and then select the
The portal uses the User/User Group user or group you want to receive this configuration from the
settings you specify to determine which drop-down. Repeat this step for each user/group you want to add.
configuration to deliver to the • To restrict the configuration to users who have not yet logged in
GlobalProtect agents that connect. to their systems, select pre-logon from the User/User Group
Therefore, if you have multiple drop-down.
configurations, you must make sure to
• To deliver this configuration to agents or apps running on specific
order them properly. As soon as the
operating systems, click Add in the OS section of the window and
portal finds a match, it will deliver the
then select the OS (Android, iOS, Mac, or Windows) to which this
configuration. Therefore, more specific
configuration applies.
configurations must precede more
general ones. See Step 11 for instructions
on ordering the list of client
configurations.
Before you can restrict the
configuration to specific groups,
you must map users to groups as
described in Enable Group
Mapping.
Step 7 Customize the behavior of the Select the Agent tab and then modify the agent settings as desired.
GlobalProtect agent for users with this For more details about each option, see Customize the
configuration. GlobalProtect Agent.

Step 8 Specify the gateways that users with this 1. On the Gateways tab, click Add in the section for Internal
configuration can connect to. Gateways or External Gateways, depending on which type of
gateway you are adding.
Best Practices:
2. Enter a descriptive Name for the gateway. The name you enter
•If you are adding both internal and
here should match the name you defined when you configured
external gateways to the same
the gateway and should be descriptive enough for users to know
configuration, make sure to enable
the location of the gateway they are connected to.
Internal Host Detection. See Step 3
in Define the GlobalProtect Client 3. Enter the FQDN or IP address of the interface where the
Configurations for instructions. gateway is configured in the Address field. The address you
specify must exactly match the Common Name (CN) in the
•Make sure you do not use
gateway server certificate.
on-demand as the connect method
if your configuration includes 4. (External gateways only) Set the Priority of the gateway by
internal gateways. clicking in the field and selecting a value:
• If you have only one external gateway, you can leave the value
set to Highest (the default).
• If you have multiple external gateways, you can modify the
priority values (ranging from Highest to Lowest) to indicate
a preference for the specific user group to which this
configuration applies. For example, if you prefer that the user
group connects to a local gateway you would set the priority
higher than that of more geographically distant gateways. The
priority value is then used to weight the agent’s gateway
selection algorithm.
• If you do not want agents to automatically establish tunnel
connections with the gateway, select Manual only. This
setting is useful in testing environments.
5. (External gateways only) Select the Manual check box if you
want to allow users to be able to manually switch to the gateway.
Step 9 (Optional) Define any custom host • Select Data Collection > Custom Checks and then define any
information profile (HIP) data that you custom data you want to collect from hosts running this client
want the agent to collect and/or exclude configuration. For more details, see Step 2 in Use Host
HIP categories from collection. Information in Policy Enforcement.
This step only applies if you plan to use • Select Data Collection > Exclude Categories and then click Add to
the HIP feature and there is information exclude specific categories and/or vendors, applications, or
you want to collect that cannot be versions within a category. For more details, see Step 3 in
collected using the standard HIP objects Configure HIP-Based Policy Enforcement.
or if there is HIP information that you are
not interested in collecting. See Use Host
Information in Policy Enforcement for
details on setting up and using the HIP
feature.
Step 10 Save the client configuration. 1. Click OK to save the settings and close the Configs dialog.
2. If you want to add another client configuration, repeat Step 2
through Step 10.

Step 11 Arrange the client configurations so that • To move a client configuration up on the list of configurations,
the proper configuration is deployed to select the configuration and click Move Up.
each agent. • To move a client configuration down on the list of configurations,
When an agent connects, the portal will select the configuration and click Move Down.
compare the source information in the
packet against the client configurations
you have defined. As with security rule
evaluation, the portal looks for a match
starting from the top of the list. When it
finds a match, it delivers the
corresponding configuration to the agent
or app.
Step 12 Save the portal configuration. 1. Click OK to save the settings and close the GlobalProtect Portal
dialog.

Customize the GlobalProtect Agent
The portal client configuration allows you to customize how your end users interact with the GlobalProtect
agents installed on their systems or the GlobalProtect app installed on their mobile devices. You can define
different agent settings for the different GlobalProtect client configurations you create. For more information
on client system requirements, see What Client OS Versions are Supported with GlobalProtect?
You can customize:
 What menus and views the users can access.
 Whether or not the users can save their passwords within the agent.
 Whether the users can disable the agent (applies to the user-logon Connect Method only).
 Whether to display a welcome page upon successful login. You can also create custom welcome pages and
help pages that direct your users on how to use GlobalProtect within your environment. See Customize the
GlobalProtect Portal Login, Welcome, and Help Pages.
 Whether agent upgrades will happen automatically or whether the users will be prompted to upgrade.
You can also define agent settings directly from the Windows registry or the global Mac plist. For
Windows clients you can also define agent settings directly from the Windows installer
(MSIEXEC). Settings defined in the portal client configurations in the web interface take
precedence over settings defined in the Windows registry/MSIEXEC or the Mac plist. For more
details, see Deploy Agent Settings Transparently.
Customize the GlobalProtect Agent
Step 1 Go to the Agent tab in the client 1. Select Network > GlobalProtect > Portals and select the portal
configuration you want to configuration for which you want to add a client configuration (or
customize. Add a new configuration).
2. Select Client Configuration and select the client configuration you
want to modify (or Add a new configuration).
1. Select Agent.

Customize the GlobalProtect Agent (Continued)
Step 2 Define what the end users with this By default, the agent functionality is fully enabled (meaning all check boxes
configuration can do from the are selected). To remove functionality, clear the corresponding check box
agent. for any or all of the following options:
The settings on the Agent tab • If you want users to only be able to see basic status information from
can also be configured in the within the application, clear the Enable advanced view check box. By
end client via group policy by default, the advanced view is enabled, which allows end users to see
adding settings to the detailed statistical, host, and troubleshooting information and perform
Windows Registry/Mac plist. tasks such as changing their passwords.
On Windows systems, you • If you want hide the GlobalProtect agent on the end user systems, clear
can also set them using the the Show GlobalProtect icon check box. When the icon is hidden, users
msiexec utility from the cannot perform other tasks such as changing passwords, rediscovering
command line during the the network, resubmitting host information, viewing troubleshooting
agent installation. However, information, or performing an on-demand connection. However, HIP
settings defined in the web notification messages, login prompts, and certificate dialogs will still
interface or the CLI take display as necessary for interacting with the end user.
precedence over
• Clear the Allow user to change portal address check box to disable
Registry/plist settings. See
the Portal field on the Settings tab in the GlobalProtect agent. Because
Deploy Agent Settings
the user will then be unable to specify a portal to which to connect, you
Transparently for details.
must supply the default portal address in the Windows Registry:
Another option for (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
specifying whether the agent Networks\GlobalProtect\PanSetup with key Portal) or
should prompt the end user the Mac plist (/Library/Preferences/com.
for credentials if Windows paloaltonetworks.GlobalProtect.pansetup.plist
SSO fails is available through with key Portal under dictionary PanSetup). For more
the Windows command line information, see Deploy Agent Settings Transparently.
(MSIEXEC) or Windows
• If you do not want users to be able to save their passwords on the agent
Registry only. By default this
(that is, you want to force them to provide the password—either
Registry setting—
transparently via the user agent or by manually entering one—each time
can-prompt-user-cr
they connect), clear the Allow user to save password check box.
edential—is set to yes.
To modify this behavior, you • To prevent users from performing a network rediscovery, clear the
must change the value in the Enable Rediscover Network option check box.
Registry or during the agent • To prevent users from manually resubmitting HIP data to the gateway,
installation via MSIEXEC: clear the Enable Resubmit Host Profile option check box. This option
msiexec.exe /i is enabled by default, and is useful in cases where HIP-based security
GlobalProtect.msi policy prevents users from accessing resources because it allows the
CANPROMPTUSERCREDE user to fix the compliance issue on the computer and then resubmit the
NTIAL="no" HIP.
• If you do not want the agent to establish a connection with the portal if
the portal certificate is not valid, clear the Allow user to continue if
portal certificate is invalid check box. Keep in mind that the portal
provides the agent configuration only; it does not provide network
access and therefore security to the portal is less critical than security to
the gateway. However, if you have deployed a trusted server certificate
for the portal, deselecting this option can help prevent man in the
middle (MITM) attacks.

Step 3 Specify whether users can • To prevent users in user-logon mode from disconnecting, select
disconnect from GlobalProtect. disabled from the Agent User Override drop-down.
This only applies to client An additional option specifying whether the user is allowed to
configurations that have the disable GlobalProtect without providing a reason is available
Connect Method (on the General through the Mac plist
tab) set to user-logon. In (/Library/Preferences/com.paloaltonetworks.GlobalProtect.setti
user-logon mode, the agent ngs.plist), Windows command line (MSIEXEC), or Windows
automatically connects to Registry. By default, this setting—disable-allowed—is set to no.
GlobalProtect as soon as the user To modify this behavior, you must create the string and enter the
logs in to the system. This mode is value in the Mac plist or Registry. You can also change the value
sometimes referred to as “always during the agent installation via MSIEXEC: msiexec.exe
on,” which is why the user must /i GlobalProtect.msi disable-allowed="yes"
override this behavior in order to • To allow users to disconnect if they provide a passcode, select
disconnect. with-passcode from the Agent User Override drop-down and then
By default, users in user-logon enter (and confirm) the Passcode that the end users must supply.
mode will be prompted to provide a • To allow users to disconnect if they provide a ticket, select with-ticket
comment in order to disconnect from the Agent User Override drop-down. In this case, the disconnect
(Agent User Override set to action triggers the agent to generate a Request Number. The end user
with-comment). must then communicate the Request Number to the administrator. The
administrator then clicks Generate Ticket on Network > GlobalProtect
If the agent icon is not
> Portals and enters the Request Number from the end user to generate
displayed, users will not be
the ticket. The administrator then provides the ticket to the end user,
able to disconnect. See Step 2
who enters it into the Disable GlobalProtect dialog to enable the agent
for details.
to disconnect.
• To restrict how long the user may be disconnected, enter a value (in
minutes) in the Agent User Override Timeout field. A value of 0 (the
default) indicates that there is no restriction as to how long the user may
remain disconnected.
• To limit the number of times the user may disconnect, enter a value in
the Agent User Overrides field. A value of 0 (the default) indicates that
the user disconnect is not limited.

Step 4 Specify how GlobalProtect agent By default, the Agent Upgrade field is set to prompt the end user to
upgrades will occur. upgrade. To modify this behavior, select one of the following options:
If you want to control when users • If you want upgrades to occur automatically without interaction with
can upgrade, for example if you the user, select transparent.
want to test a release on a small • To prevent agent upgrades, select disable.
group of users before deploying it
• To allow end users to initiate agent upgrades, select manual. In this
to your entire user base, you can
case, the user would select Check Version in the agent to determine if
customize the agent upgrade
there is a new agent version and then upgrade if desired. Note that this
behavior on a per-configuration
option will not work if the GlobalProtect agent is hidden from the user.
basis. In this case, you could create
See Step 2 for details.
a configuration that applies to users
in your IT group only to allow them
to upgrade and test and disable
upgrade in all other user/group
configurations. Then, after you
have thoroughly tested the new
version, you could modify the agent
configurations for the rest of your
users to allow the upgrade.
Step 5 Specify whether to display a By default, the only indication that the agent has successfully connected to
welcome page upon successful GlobalProtect is a balloon message that displays in the system
login. tray/menubar. You can also opt to display a welcome page in the client
browser upon successful login as follows:
A welcome page can be a useful way
1. Select the Display welcome page check box.
to direct users to internal resources
that they can only access when 2. Select which Welcome Page to display from the drop-down. By
connected to GlobalProtect, such default, there is one welcome page named factory-default. However,
as your Intranet or other internal you can define one or more custom welcome pages that provide
servers. information specific to your users, or to a specific group of users
(based on which portal configuration gets deployed). For details on
creating custom pages, see Customize the GlobalProtect Portal Login,
Welcome, and Help Pages.
Step 6 Save the agent configuration 1. If you are done creating client configurations, click OK to close the
settings. Configs dialog. Otherwise, for instructions on completing the client
configurations, return to Define the GlobalProtect Client
Configurations.
2. If you are done configuring the portal, click OK to close the
GlobalProtect Portal dialog.
3. When you finish the portal configuration, Commit the changes.

Customize the GlobalProtect Portal Login, Welcome, and Help Pages
GlobalProtect provides default login, welcome, and/or help pages. However, you can create your own custom
pages with your corporate branding, acceptable use policies, and links to your internal resources.
You can alternatively Disable Browser Access to the Portal Login Page in order to prevent
unauthorized attempts to authenticate to the GlobalProtect Portal (Network > GlobalProtect
> Portals > Portal Configuration). With the portal login page disabled, you can instead use a
software distribution tool, such as Microsoft’s System Center Configuration Manager (SCCM), to
allow your users to download and install the GlobalProtect agent.
Customize the Portal Login Page
Step 1 Export the default portal login page. 1. Select Device > Response Pages.
2. Select the GlobalProtect Portal Login Page link.
3. Select the Default predefined page and click Export.
Step 2 Edit the exported page. 1. Using the HTML text editor of your choice, edit the page.
2. If you want to edit the logo image that is displayed, host the new
logo image on a web server that is accessible from the remote
GlobalProtect clients. For example, edit the following line in the
HTML to point to the new logo image:
<img src="http://cdn.slidesharecdn.com/
Acme-logo-96x96.jpg?1382722588"/>
3. Save the edited page with a new filename. Make sure that the
page retains its UTF-8 encoding.
Step 3 Import the new login page. 1. Select Device > Response Pages.
2. Select the GlobalProtect Portal Login Page link.
3. Click Import and then enter the path and filename in the Import
File field or Browse to locate the file.
4. (Optional) Select the virtual system on which this login page will
be used from the Destination drop-down or select shared to
make it available to all virtual systems.
5. Click OK to import the file.
Step 4 Configure the portal to use the new login 1. Select Network > GlobalProtect > Portals and select the portal
page. you want to add the login page to.
2. On the Portal Configuration tab, select the new page from the
Custom Login Page drop-down.
3. Click OK to save the portal configuration.

Customize the Portal Login Page (Continued)
Step 5 Verify that the new login page displays. From a browser, go to the URL for your portal (be sure you do not
add the :4443 port number to the end of the URL or you will be
directed to the web interface for the firewall). For example, enter
https://myportal rather than https://myportal:4443.
The portal login page will display.

Set Up the GlobalProtect Infrastructure Deploy the GlobalProtect Client Software
Deploy the GlobalProtect Client Software

In order to connect to GlobalProtect, an end host must be running GlobalProtect client software. The software
deployment method depends on the type of client as follows:
 Mac OS and Microsoft Windows hosts—Require the GlobalProtect agent software, which is distributed
by the GlobalProtect portal. To enable the software for distribution, you must download the version you
want the hosts in your network to use to the firewall hosting your GlobalProtect portal and then activate the
software for download. For instructions on download and activating the agent software on the firewall, see
Deploy the GlobalProtect Agent Software.
 iOS and Android devices—Require the GlobalProtect app. As with other mobile device apps, the end user
must download the GlobalProtect app either from the Apple AppStore (iOS devices) or from Google Play
(Android devices). Download and Install the GlobalProtect Mobile App.
For more details, see What Client OS Versions are Supported with GlobalProtect?
Deploy the GlobalProtect Agent Software
There are several ways to deploy the GlobalProtect agent software:
 Directly from the portal—Download the agent software to the firewall hosting the portal and activate it
so that end users can install the updates when they connect to the portal. This option provides flexibility in
that it allows you to control how and when end users receive updates based on the client configuration
settings you define for each user, group, and/or operating system. However, if you have a large number of
agents that require updates, it could put extra load on your portal. See Host Agent Updates on the Portal for
instructions.
 From a web server—If you have a large number of hosts that will need to upgrade the agent simultaneously,
consider hosting the agent updates on a web server to reduce the load on the firewall. See Host Agent
Updates on a Web Server for instructions.
 Transparently from the command line—For Windows clients, you can automatically deploy agent
settings in the Windows Installer (MSIEXEC). However, to upgrade to a later agent version using
MSIEXEC, you must first uninstall the existing agent. In addition, MSIEXEC allows for deployment of
agent settings directly on the client systems by setting values in the Windows registry or Mac plist. See
Deploy Agent Settings Transparently.
 Using group policy rules—In Active Directory environments, the GlobalProtect Agent can also be
distributed to end users, using active directory group policy. AD Group policies allow modification of
Windows host computer settings and software automatically. Refer to the article at
http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to
automatically distribute programs to host computers or users.

Deploy the GlobalProtect Client Software Set Up the GlobalProtect Infrastructure
Host Agent Updates on the Portal
The simplest way to deploy the GlobalProtect agent software is to download the new agent installation package
to the firewall that is hosting your portal and then activate the software for download to the agents connecting
to the portal. To do this automatically, the firewall must have a service route that enables it to access the Palo
Alto Networks Update Server. If the firewall does not have access to the Internet, you can manually download
the agent software package from the Palo Alto Networks Software Updates support site using an
Internet-connected computer and then manually upload it to the firewall.
You define how the agent software updates are deployed in the client configurations you define on the portal—
whether they happen automatically when the agent connects to the portal, whether the user is prompted to
upgrade the agent, or whether the end user can manually check for and download a new agent version. For
details on creating a client configuration, see Define the GlobalProtect Client Configurations.
Host the GlobalProtect Agent on the Portal
Step 1 Launch the web interface on the firewall Select Device > GlobalProtect Client.
hosting the GlobalProtect portal and go
to the GlobalProtect Client page.
Step 2 Check for new agent software images. • If the firewall has access to the Update Server, click Check Now to
check for the latest updates. If the value in the Action column is
Download it indicates that an update is available.
• If the firewall does not have access to the Update Server, go to the
Palo Alto Networks Software Updates support site and Download
the file to your computer. Then go back to the firewall to manually
Upload the file.
Step 3 Download the agent software image. Locate the agent version you want and then click Download. When
the download completes, the value in the Action column changes to
If your firewall does not have
Activate.
Internet access from the
management port, you can download the If you manually uploaded the agent software as detailed in
agent update from the Palo Alto Step 2, the Action column will not update. Continue to the
Networks Support Site next step for instructions on activating an image that was
(https://support.paloaltonetworks.com). manually uploaded.
You can then manually Upload the update
your firewall and then activate it by
clicking Activate From File.
Step 4 Activate the agent software image so that • If you downloaded the image automatically from the Update
end users can download it from the Server, click Activate.
portal. • If you manually uploaded the image to the firewall, click Activate
Only one version of agent software From File and then select the GlobalProtect Client File you
image can be activated at a time. If uploaded from the drop-down. Click OK to activate the selected
you activate a new version, but have image. You may need to refresh the screen before the version
some agents that require a displays as Currently Activated.
previously activated version, you
will have to activate the required
version again to enable it for
download.

Host Agent Updates on a Web Server
If you have a large number of client systems that will need to install and/or update the GlobalProtect agent
software, consider hosting the GlobalProtect agent software images on an external web server. This helps
reduce the load on the firewall when users connect to download the agent. To use this feature, the firewall
hosting the portal must be running PAN-OS 4.1.7 or later.
Host GlobalProtect Agent Images on a Web Server
Step 1 Download the version of the Follow the steps for downloading and activating the agent software
GlobalProtect agent that you plan to host on the firewall as described in Host the GlobalProtect Agent on the
on the web server to the firewall and Portal.
activate it.
Step 2 Download the GlobalProtect agent image From a browser, go to the Palo Alto Networks Software Updates site
you want to host on your web server. and Download the file to your computer.
You should download the same image
that you activated on the portal.
Step 3 Publish the files to your web server. Upload the image file(s) to your web server.
Step 4 Redirect the end users to the web server. On the firewall hosting the portal, log in to the CLI and enter the
following operational mode commands:
> set global-protect redirect on
> set global-protect redirect location <path>
where <path> is the path is the URL to the folder hosting the image,
for example https://acme/GP.
Step 5 Test the redirect. 1. Launch your web browser and go to the following URL:
https://<portal address or name>
For example, https://gp.acme.com.
2. On the portal login page, enter your user Name and Password
and then click Login. After successful login, the portal should
redirect you to the download.

Test the Agent Installation
Use the following procedure to test the agent installation.
Test the Agent Installation
Step 1 Create a client configuration for testing As a best practice, create a client configuration that is limited to a
the agent installation. small group of users, such as administrators in the IT department
responsible for administering the firewall:
When initially installing the
1. Select Network > GlobalProtect > Portals and select the portal
GlobalProtect agent software on
the client system, the end user must configuration to edit.
be logged in to the system using an 2. Select the Client Configuration tab and either select an existing
account that has administrative configuration or click Add to add a new configuration to deploy
privileges. Subsequent agent to the test users/group.
software updates do not require 3. On the User/User Group tab, click Add in the User/User
administrative privileges. Group section and then select the user or group who will be
testing the agent.
4. On the Agent tab, make sure Agent Upgrade is set to prompt
and then click OK to save the configuration.
5. (Optional) Select the client configuration you just
created/modified and click Move Up so that it is before any
more generic configurations you have created.
Step 2 Log in to the GlobalProtect portal. 1. Launch your web browser and go to the following URL:
https://<portal address or name>
For example, https://gp.acme.com.
2. On the portal login page, enter your user Name and Password
and then click Login.

Test the Agent Installation (Continued)
Step 3 Download the agent. 1. Click the link that corresponds to the operating system you are
running on your computer to begin the download.
2. When prompted to run or save the software, click Run.

3. When prompted, click Run to launch the GlobalProtect Setup
Wizard.
When initially installing the GlobalProtect agent software
on the client system, the end user must be logged in to the
system using an account that has administrative privileges.
Subsequent agent software updates do not require
administrative privileges.
Step 4 Complete the GlobalProtect agent setup. 1. From the GlobalProtect Setup Wizard, click Next.
2. Click Next to accept the default installation folder
(C:\Program Files\Palo Alto Networks\GlobalProtect)
or Browse to choose a new location and then click Next twice.
3. After the installation successfully completes, click Close. The
GlobalProtect agent will automatically start.
Step 5 Log in to GlobalProtect. When prompted, enter your User Name and Password and then
click Apply. If authentication is successful, the agent will connect to
GlobalProtect. Use the agent to access resources on the corporate
network as well as external resources, as defined in the
corresponding security polices.
To deploy the agent to end users, create client configurations for the
user groups for which you want to enable access and set the Agent
Upgrade settings appropriately and then communicate the portal
address. See Define the GlobalProtect Client Configurations for
details on setting up client configurations.

Download and Install the GlobalProtect Mobile App
The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile devices.
As with other remote hosts running the GlobalProtect agent, the mobile app provides secure access to your
corporate network over an IPSec or SSL VPN tunnel. The app will automatically connect to the gateway that is
closest to the end user’s current location. In addition, traffic to and from the mobile device is automatically
subject to the same security policy enforcement as other hosts on your corporate network. Like the
GlobalProtect agent, the app collects information about the host configuration and can use this information for
enhanced HIP-based security policy enforcement.
For a more complete mobile device security solution, you can leverage the GlobalProtect Mobile Security
Manger as well. This service provides for automated provisioning of mobile device configurations, device
security compliance enforcement, and centralized management and visibility into the mobile devices accessing
your network. In addition, GlobalProtect Mobile Security Manager seamlessly integrates with the other
GlobalProtect services on your network, enabling secure access to your network resources from any location
and granular policy enforcement based on HIP profiles. For details, see Set Up the GlobalProtect Mobile
Security Manager.
Use the following procedure to install the GlobalProtect mobile app.
Test the App Installation
Step 1 Create a client configuration for testing As a best practice, create a client configuration that is limited to a
the app installation. small group of users, such as administrators in the IT department
responsible for administering the firewall:
1. Select Network > GlobalProtect > Portals and select the portal
configuration to edit.
2. Select the Client Configuration tab and either select an existing
configuration or click Add to add a new configuration to deploy
to the test users/group.
3. On the User/User Group tab, click Add in the User/User
Group section and then select the user or group who will be
testing the agent.
4. In the OS section, select the app you are testing (iOS or
Android).
5. (Optional) Select the client configuration you just
more generic configurations you have created.
Step 2 From the mobile device, follow the • On Android devices, search for the app on Google Play
prompts to download and install the app. • On iOS devices, search for the app at the App Store

Test the App Installation (Continued)
Step 3 Launch the app. When successfully installed, the GlobalProtect app icon displays on
the device’s Home screen. To launch the app, tap the icon.When
prompted to enable GlobalProtect VPN functionality, tap OK.
Step 4 Connect to the portal. 1. When prompted, enter the Portal name or address, Username,
and Password. The portal name must be a fully qualified
domain name (FQDN) and it should not include the https:// at
the beginning.
2. Tap Connect and verify that the app successfully establishes a

VPN connection to GlobalProtect.
If GlobalProtect Mobile Security Manager is configured, the
app will prompt you to enroll. See Verify the Mobile Security
Manager Configuration for more details on verifying that
configuration.

Deploy Agent Settings Transparently Set Up the GlobalProtect Infrastructure
Deploy Agent Settings Transparently

As an alternative to deploying agent settings from the portal configuration, you can define them directly from
the Windows registry or global MAC plist or—on Windows clients only—from the MSIEXEC installer. The
benefit of this is that it enables deployment of GlobalProtect agent settings to client systems prior to their first
connection to the GlobalProtect portal.
Settings defined in the portal configuration always override settings defined in the Windows Registry or Mac
plist. This means that if you define settings in the Registry or plist, but the portal configuration specifies
different settings, the settings the agent receives from the portal will override the settings defined on the client.
This includes login-related settings such as whether to connect on-demand, whether to use SSO, and whether
the agent can connect if the portal certificate is invalid. Therefore, make sure that you do not define conflicting
settings. In addition, the portal configuration is cached on the client system and this cached configuration will
be used if the GlobalProtect agent is restarted or the machine is rebooted.
The following sections describe the customizable agent settings available and how to deploy these settings
transparently to Windows and Mac clients:
 Customizable Agent Settings
 Deploy Agent Settings to Windows Clients
 Deploy Agent Settings to Mac Clients
In addition to using Windows registry and Mac plist to deploy GlobalProtect agent settings, you
can enable the GlobalProtect agent to collect specific Windows registry or Mac plist information
from clients, including data on applications installed on the clients, processes running on the
clients, and attributes or properties of those applications and processes. You can then monitor
the data and add it to a security rule as matching criteria. Device traffic that matches certain
registry settings you have defined can be enforced according to the security rule. Set up custom
checks to Collect Application and Process Data From Clients.
Customizable Agent Settings
In addition to pre-deploying the portal address, you can also define the agent configuration settings. Table:
Customizable Agent Settings describes each customizable agent setting. Settings defined in the GlobalProtect
portal client configuration take precedence over settings defined in the Windows Registry or the Mac plist.
With the exception of the setting to enable single sign-on (SSO), additional settings do not have
a corresponding portal configuration settings on the web interface, and must be configured using
Windows Registry or MSIEXEC. These additional settings include: disable-allowed,
certificate-store-lookup, can-prompt-user-credential, wrap-cp-guid, and
filter-non-gpcp.
Table: Customizable Agent Settings
Portal Client Configuration Windows Registry/ Mac plist MSIEXEC Parameter Default
Enable advanced view enable-advanced-view yes | no ENABLEADVANCEDVIEW=”yes|no” yes
Show GlobalProtect icon show-agent-icon yes | no SHOWAGENTICON=”yes|no” yes
Allow users to change portal can-change-portal yes | no CANCHANGEPORTAL=”yes|no” yes

address

Set Up the GlobalProtect Infrastructure Deploy Agent Settings Transparently
Allow user to save password can-save-password yes | no CANSAVEPASSWORD=”yes|no” yes
Enable rediscover network rediscover-network yes | no REDISCOVERNETWORK=”yes|no” yes

option
Enable Resubmit Host Profile resubmit-host-info yes | no RESUBMITHOSTINFO=”yes|no” yes

option
Allow user to continue if portal can-continue-if-portal-cert- CANCONTINUEIFPORTALCERTINVALID=”ye yes

invalid yes | no s|no”
server certificate is invalid
Config Refresh Interval (hours) refresh-config-interval <hours> REFRESHCONFIGINTERVAL=”<hours>” 24
Connect Method connect-method on-demand | CONNECTMETHOD=”on-demand|pre-logon user-logon

pre-logon | user-logon |user-logon”
Not in portal portal <IPaddress> PORTAL="<IPaddress>" n/a
This setting specifies the default

portal IP address (or hostname).
Not in portal disable-allowed yes | no DISABLEALLOWED="yes|no" no
This setting allows the user to

disable GlobalProtect without
providing a comment.
Not in portal certificate-store-lookup user | CERTIFICATESTORELOOKUP="user|machi user and

machine | user and machine | ne|user and machine|invalid" machine
This setting specifies the type of invalid
certificate that GlobalProtect will

look up in the personal certificate
store and use to authenticate and
establish the VPN tunnel to the
GlobalProtect gateway.
Use single sign-on use-sso yes | no USESSO=”yes|no” yes
(Windows only)
Windows only/Not in portal flushdns yes | no FLUSHDNS=”yes | no” no
This setting flushes the DNS and

forces all adapters to use the
DNS setting specified in the
gateway configuration every time
GlobalProtect establishes a VPN
tunnel.
Windows only/Not in portal can-prompt-user-credential yes CANPROMPTUSERCREDENTIAL=”yes|no” yes
| no
This setting is used in
conjunction with single sign-on
and indicates whether or not to
prompt the user for credentials if
SSO fails.

Windows only/Not in portal wrap-cp-guid {third party

credential provider guid}
WRAPCPGUID=”{guid_value]”
FILTERNONGPCP=”yes|no”
no
This setting filters the third party

credential provider’s tile from the
Windows logon page so that only
the native Windows tile is
displayed.*
Windows only/Not in portal filter-non-gpcp no
This setting is an additional

option for the setting
wrap-cp-guid, and allows the
third party credential provider
tile to be displayed on the
Windows logon page, in addition
to the native Windows logon
tile.*
*For detailed steps to enable these settings using the Windows Registry or Windows Installer (MSIEXEC), see SSO
Wrapping for Third Party Credential Providers on Windows Clients.
Deploy Agent Settings to Windows Clients
Use Windows Registry or the Windows Installer (MSIEXEC) to deploy the GlobalProtect agent and settings to
Windows clients transparently.
 Deploy Agent Settings in the Windows Registry
 Deploy Agent Settings from MSIEXEC
 SSO Wrapping for Third Party Credential Providers on Windows Clients
Deploy Agent Settings in the Windows Registry
You can enable deployment of GlobalProtect agent settings to Windows client systems prior to their first
connection to the GlobalProtect portal using the Windows Registry. Use the options described in the following
table to get started using the Windows Registry to customize agent settings for Windows clients.
In addition to using Windows registry to deploy GlobalProtect agent settings, you can enable the
GlobalProtect agent to collect specific Windows registry information from Windows clients. You
can then monitor the data and add it to a security rule as matching criteria. Device traffic that
matches certain registry settings you have defined can be enforced according to the security rule.
Set up custom checks to Collect Application and Process Data From Clients.

Use the Windows Registry to Deploy GlobalProtect Agent Settings
• Locate the GlobalProtect agent customization Open the Windows Registry (enter regedit in the command
settings in the Windows registry. prompt) and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\Settings\
• Set the portal name. If you do not want the user to manually enter the portal address even
for the first connection, you can pre-deploy the portal address
through the Windows Registry:
(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\PanSetup with key Portal).
• Deploy various settings to the Windows client View Table: Customizable Agent Settings for a full list of the
from the Windows registry, including configuring commands and values you can set up using the Windows Registry.
the connect method for the GlobalProtect agent
and enabling Single Sign-On (SSO).
• Enable the GlobalProtect agent to wrap Enable SSO Wrapping for Third Party Credentials with the Windows
third-party credentials on the Windows client, Registry.
allowing for SSO even when a third-party
credential provider is being used.
Deploy Agent Settings from MSIEXEC
On Windows clients you have the option to deploy both the agent and the settings automatically from the
Windows Installer (MSIEXEC) using the following syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"
For example, to prevent users from connecting to the portal if the certificate is not valid, you would change
setting as follows:
msiexec.exe /i GlobalProtect.msi CANCONTINUEIFPORTALCERTINVALID="no"
For a complete list of settings and the corresponding default values, see Table: Customizable Agent Settings.

To set up the GlobalProtect agent to wrap third-party credentials on a Windows client from
MSIEXEC, see Enable SSO Wrapping for Third Party Credentials with the Windows Installer.
SSO Wrapping for Third Party Credential Providers on Windows Clients
With Single Sign-On (SSO), the GlobalProtect agent wraps the user’s Windows login credentials to
automatically authenticate and connect to the GlobalProtect portal and gateway. SSO has been enhanced in this
release so that when a third-party credential provider is being used to wrap the user’s Windows login credentials,
the GlobalProtect agent can also wrap the third-party credentials. With this feature enabled, users can
successfully authenticate to Windows, GlobalProtect, and the third-party credential provider in one step, by
using their Windows logon credentials to log on to their Windows system. This extended SSO functionality is
supported on Windows 7 and Windows Vista clients.
Use the Windows Registry or the Windows Installer to allow GlobalProtect to wrap third-party credentials:
 Enable SSO Wrapping for Third Party Credentials with the Windows Registry
 Enable SSO Wrapping for Third Party Credentials with the Windows Installer
GlobalProtect SSO wrapping for third-party credential providers (CPs) is dependent on the
third-party CP settings and in some cases, GlobalProtect SSO wrapping might not work correctly
if the third-party CP implementation does not allow GlobalProtect to successfully wrap their CP.
Enable SSO Wrapping for Third Party Credentials with the Windows Registry
Use the following steps enable SSO to wrap third party credentials on Windows 7 and Windows Vista clients.
For more information about using the Windows Registry, see Deploy Agent Settings in the Windows Registry.

Use the Windows Registry to Enable SSO Wrapping for Third Party Credentials
Step 1 Open the Windows Registry and locate 1. In the Command Prompt, enter the command regedit to open
the globally unique identifier (GUID) for the Windows Registry.
the third party credential provider that 2. Locate currently installed credential providers at the following
you want to wrap. location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Authentication\Credential Providers.
3. Copy the GUID key for the credential provider that you want to
wrap (including the curly brackets— { and } —on either end
of the GUID):

Use the Windows Registry to Enable SSO Wrapping for Third Party Credentials (Continued)
Step 2 Enable SSO wrapping for third party 1. Go to the following Windows Registry location:
credential providers by adding the setting HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
wrap-cp-guid to the GlobalProtect Networks\GlobalProtect:
registry.
2. Add a new String Value:
3. Enter values for the String Value:

• Name: wrap-cp-guid
• Value data: {third party credential provider GUID}
For the Value data field, the GUID value that you
enter must be enclosed with curly brackets: { and }.
The following is an example of what a third party credential
provider GUID in the Value data field might look like:
{A1DA9BCC-9720-4921-8373-A8EC5D48450F}
For the new String Value, wrap-cp-guid is displayed as the

String Value’s Name and the GUID is displayed as the Data.
Next Steps... • SSO wrapping for third party credential providers is successfully
set up by completing steps 1 and 2. With this setup, the native
Windows logon tile is displayed to users. Users click the tile and log
on to the system with their Windows credentials. The single logon
authenticates the users to Windows, GlobalProtect, and the third
party credential provider.
• (Optional) If you want to display two tiles to users at logon, the
native Windows tile and the tile for the third party credential
provider, continue to Step 3.

Use the Windows Registry to Enable SSO Wrapping for Third Party Credentials (Continued)
Step 3 (Optional) Allow the third party Add a second String Value with the Name filter-non-gpcp and
credential provider tile to be displayed to enter no for the string’s Value data:
users at logon.
With this string value added to the GlobalProtect settings, users will
be presented with two logon options when logging on to their
Windows system: the native Windows tile and the third party
credential provider’s tile.
Enable SSO Wrapping for Third Party Credentials with the Windows Installer
Use the following options in Windows Installer (MSIEXEC) to enable SSO to wrap third party credential
providers on Windows 7 and Windows Vista clients. For more information on using MSIEXEC, see Deploy
Agent Settings from MSIEXEC.
Use the Windows Installer to Enable SSO Wrapping for Third Party Credentials
• Wrap third party credentials and display the native tile to users at logon. Users click the tile and log on to the
system with their native Windows credentials. The single logon authenticates users to Windows,
GlobalProtect, and the third-party CP.
Use the following syntax from the Windows Installer (MSIEXEC):
msiexec.exe /i GlobalProtect.msi WRAPCPGUID=”{guid_value}” FILTERNONGPCP=”yes”
In the syntax above, the FILTERNONGPCP parameter simplifies authentication for the user by filtering the
option to log on to the system using the third party credentials.
• If you would like users to have the option to log in with the third party credentials, use the following syntax
from the MSIEXEC:
msiexec.exe /i GlobalProtect.msi WRAPCPGUID=”{guid_value}” FILTERNONGPCP=”no”
In the syntax above, the FILTERNONGPCP parameter, which filters out the third party credential provider’s
logon tile so that only the native tile displays, is set to “no”. In this case, both the native Windows tile and the
third party credential provider tile is displayed to users when logging on to the Windows system.
Deploy Agent Settings to Mac Clients
You can set the GlobalProtect agent customization settings in the Mac global plist (Property list) file. This
enables deployment of GlobalProtect agent settings to Mac client systems prior to their first connection to the
GlobalProtect portal.
On Mac systems, plist files are either located in /Library/Preferences or in
~/Library/Preferences (where the tilde symbol, ~ ,indicates that the location is in the current user's
home folder). The GlobalProtect agent on a Mac client first checks for the GlobalProtect plist settings to use
in /Library/Preferences. If the plist does not exist at that location, the GlobalProtect agent searches
for plist settings in ~/Library/Preferences.

In addition to using the Mac plist to deploy GlobalProtect agent settings, you can enable the
GlobalProtect agent to collect specific Mac plist information from clients. You can then monitor
the data and add it to a security rule as matching criteria. Device traffic that matches certain
registry settings you have defined can be enforced according to the security rule. Set up custom
checks to Collect Application and Process Data From Clients.
Get Started using the Mac Plist to Deploy GlobalProtect Agent Settings.
• Locate the GlobalProtect agent customization Go to the following Mac global plist file location:
settings in the Mac Property List. /Library/Preferences/com.paloaltonetworks.GlobalProtec
t.settings.plist
• Set the portal name. If you do not want the user to manually enter the portal address even
for the first connection, you can pre-deploy the portal address
through the Mac plist. Go to the location
/Library/Preferences/com.paloaltonetworks.GlobalProtec
t.settings.plist and configure key Portal under dictionary
PanSetup.
• Deploy various settings to the Mac client from Go to the following Mac global plist file location:
the Mac plist, including configuring the connect /Library/Preferences/com.paloaltonetworks.GlobalProtec
method for the GlobalProtect agent and enabling t.settings.plist and then go to /Palo Alto
Single Sign-On (SSO). Networks/GlobalProtect/Settings. If Settings does not exist,
create the new dictionary named Settings. Then add each key to the
Settings dictionary as a string.
View Table: Customizable Agent Settings for a full list of the keys
and values that you can configure using the Mac plist.

Set Up the GlobalProtect Infrastructure Use the GlobalProtect iOS App with a Third-Party MDM
Use the GlobalProtect iOS App with a Third-Party MDM

Although the GlobalProtect Mobile Security Manager is integrated with the Palo Alto next-generation security
platform to provide a seamless security perimeter for your enterprise, the GlobalProtect app for iOS also can
be used with third-party MDM services. You can use a third-party MDM to deploy the GlobalProtect app from
the iOS App Store and then use the MDM to deploy a VPN configuration profile to set up the GlobalProtect
app for end user automatically.
The following topics show example XML configurations and payloads to help you configure the GlobalProtect
app using a third-party MDM to enable the MDM to provide both device-level and app-level VPN
configurations for the GlobalProtect app for iOS:
 Example GlobalProtect iOS App Device-Level VPN Configuration
 Example GlobalProtect iOS App App-Level VPN Configuration

Use the GlobalProtect iOS App with a Third-Party MDM Set Up the GlobalProtect Infrastructure
Example GlobalProtect iOS App Device-Level VPN Configuration
Example: GlobalProtect iOS App Device-Level VPN Configuration
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (Sample Device Level VPN)</string>
<key>PayloadIdentifier</key>
<string>Sample Device Level VPN.vpn</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011d</string>
<key>UserDefinedName</key>
<string>Sample Device Level VPN</string>
<key>Proxies</key>
<dict/>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.paloaltonetworks.GlobalProtect.vpnplugin</string>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
</dict>
<key>VPN</key>
<dict>
<key>RemoteAddress</key>
<string>cademogp.paloaltonetworks.com</string>
<key>AuthName</key>
<string></string>
<key>DisconnectOnIdle</key>
<key>OnDemandEnabled</key>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>VendorConfig</key>
<dict>
<key>AllowPortalProfile</key>
<key>FromAspen</key>
</dict>
</dict>
</array>
<string>Sample Device Level VPN</string>

Set Up the GlobalProtect Infrastructure Use the GlobalProtect iOS App with a Third-Party MDM
Example GlobalProtect iOS App App-Level VPN Configuration
Example: GlobalProtect iOS App App-Level VPN Configuration
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<string>Configures VPN settings, including authentication.</string>
<string>VPN (Sample App Level VPN)</string>
<string>Sample App Level VPN.vpn</string>
<string>com.apple.vpn.managed.applayer</string>
<key>VPNUUID</key>
<string>cGFuU2FtcGxlIEFwcCBMZXZlbCBWUE52cG5TYW1wbGUgQXBwIExldmVsIFZQTg==</string>
<key>SafariDomains</key>
<array>
<string>*.paloaltonetworks.com</string>
</array>
<string>54370008-205f-7c59-0000-01a1</string>
<key>UserDefinedName</key>
<string>Sample App Level VPN</string>
<key>Proxies</key>
<dict/>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.paloaltonetworks.GlobalProtect.vpnplugin</string>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
</dict>
<key>VPN</key>
<dict>
<key>RemoteAddress</key>
<string>cademogp.paloaltonetworks.com</string>
<key>AuthName</key>
<string></string>
<key>OnDemandMatchAppEnabled</key>
<key>OnDemandEnabled</key>
<key>DisconnectOnIdle</key>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>VendorConfig</key>
<dict>
<key>OnlyAppLevel</key>
<key>AllowPortalProfile</key>
<key>FromAspen</key>
</dict>
</dict>
</array>
<string>Profile Description</string>
<string>Configuration</string>

Use the GlobalProtect iOS App with a Third-Party MDM Set Up the GlobalProtect Infrastructure
Example: GlobalProtect iOS App App-Level VPN Configuration (Continued)
<string>5436fc94-205f-7c59-0000-011c</string>
<key>PayloadRemovalDisallowed</key>
<false/>
</dict>
</plist>

Set Up the GlobalProtect Infrastructure Reference: GlobalProtect Agent Cryptographic Functions
Reference: GlobalProtect Agent Cryptographic Functions

The GlobalProtect agent uses the OpenSSL library 0.9.8p to establish secure communication with the
GlobalProtect portal and GlobalProtect gateways. The following table lists each GlobalProtect agent function
that requires a cryptographic function and details the cryptographic keys the GlobalProtect agent uses:
Crypto Function Key Usage
Winhttp (Windows) and Dynamic key negotiated between Used to establish the HTTPS
NSURLConnection (MAC) the GlobalProtect agent and the connection between the GlobalProtect
AES256-SHA GlobalProtect portal and/or agent and the GlobalProtect portal and
gateway for establishing the HTTPS GlobalProtect gateway for
connection. authentication.
OpenSSL Dynamic key negotiated between Used to establish the SSL connection
AES256-SHA the GlobalProtect agent and the between the GlobalProtect agent and the
GlobalProtect gateway during the GlobalProtect gateway for HIP report
SSL handshake. submission, SSL tunnel negotiation, and
network discovery.
IPsec encryption and authentication The session key sent from the Used to establish the IPsec tunnel
AES128-SHA1 GlobalProtect gateway. between the GlobalProtect agent and the
GlobalProtect gateway.

Reference: GlobalProtect Agent Cryptographic Functions Set Up the GlobalProtect Infrastructure

Set Up the GlobalProtect Mobile
Security Manager
As mobile devices become more powerful, end users increasingly rely on them to perform business tasks.
However, these same devices that are accessing your corporate network are also connecting to the Internet
without protection against threats and vulnerabilities. The GlobalProtect Mobile Security Manager provides
mechanisms to configure device settings and accounts and perform device actions, such as locking and/or
wiping lost or stolen mobile devices. The Mobile Security Manager also publishes the state of the device to
GlobalProtect gateways (in the form of HIP reports) so that you can create granular access policies, for example,
allowing you to deny access to devices that are rooted/jailbroken.
The following topics describe the GlobalProtect Mobile Security Manager service and walk you through the
basic steps to get your Mobile Security Manager set up for device management.
 Mobile Security Manager Deployment Best Practices
 Set Up Management Access to the Mobile Security Manager
 Register, License, and Update the Mobile Security Manager
 Set Up the Mobile Security Manager for Device Management
 Enable Gateway Access to the Mobile Security Manager
 Define Deployment Policies
 Verify the Mobile Security Manager Configuration
 Set Up Administrative Access to the Mobile Security Manager

Mobile Security Manager Deployment Best Practices Set Up the GlobalProtect Mobile Security Manager
Mobile Security Manager Deployment Best Practices

GlobalProtect Mobile Security Manager (running on the GP-100 appliance) works in concert with the rest of
the GlobalProtect infrastructure to ensure a complete mobile security solution. A Mobile Security Manager
deployment requires connectivity between the following components:
 Palo Alto Updates—The Mobile Security Manager retrieves WildFire signature updates that enable it to
detect malware on managed Android devices. By default, the Mobile Security Manager retrieves WildFire
updates from the Palo Alto Networks Update server over its MGT interface. However, if your management
network does not provide access to the Internet, you will have to modify the service route for the Palo Alto
Updates service to use the ethernet1 interface.
 GlobalProtect Gateways—To Configure HIP-Based Policy Enforcement for managed devices, the
GlobalProtect gateways retrieve the mobile device HIP reports from the Mobile Security Manager. The best
practice deployment is to enable the GlobalProtect Gateways management service on ethernet1.
 Push Notification Services—Because the Mobile Security Manager cannot directly connect to the mobile
devices it manages, it must send push notifications over the Apple Push Notification service (APNs) or
Google Cloud Messaging (GCM) services whenever it needs to interact with a device, for example to send
a check-in request or perform an action such as sending a message or pushing a new policy. The best practice
is to configure the Push Notification service route to use the ethernet1 interface.
 Mobile Devices—Mobile devices connect from the external network initially for enrollment and then to
check in and receive deployment policy. The best practice is to use ethernet1 for device enrollment and
check-in, but to use separate listening ports. To prevent the end user from seeing certificate warnings, use
port 443 (the default) for enrollment and use a different port (configurable to 7443 or 8443) for check-in.
Because the device check-in port is pushed to the device upon enrollment, changing it after initial
configuration will require devices to re-enroll with the Mobile Security Manager.

Set Up the GlobalProtect Mobile Security Manager Mobile Security Manager Deployment Best Practices
Figure: Mobile Security Manager Best Practice Deployment

Set Up Management Access to the Mobile Security Manager Set Up the GlobalProtect Mobile Security Manager
Set Up Management Access to the Mobile Security

Manager
By default, the management port (MGT) on the GP-100 appliance (also called the Mobile Security Manager)
has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must
change these settings before continuing with other Mobile Security Manager configuration. These initial
configuration tasks must be performed using a direct physical connection to the appliance (either a serial
connection to the Console port or an RJ-45 connection to the MGT interface). During initial configuration, you
will assign the network settings that will allow you to connect to the appliance’s web interface for all subsequent
configuration tasks.
Set Up Network Access to the GP-100 Appliance
Step 1 Rack mount the GP-100 appliance. Refer to the GP-100 Appliance Hardware Reference Guide for
instructions.
Step 2 Obtain the required network settings for • IP address for MGT port
the MGT interface. • Netmask
• Default gateway
• DNS server address
Step 3 Connect your computer to the GP-100 Connect to the appliance in one of the following ways:
appliance. • Connect a serial cable from your computer to the Console port
and connect to the appliance using terminal emulation software
(9600-8-N-1). Wait a few minutes for the boot-up sequence to
complete; when the appliance is ready, the login prompt displays.
• Connect an RJ-45 Ethernet cable from your computer to the
MGT port on the appliance. From a browser, go to
https://192.168.1.1. If necessary, change the IP address on your
computer to an address in the 192.168.1.0/24 network, such as
192.168.1.2, in order to access this URL.
Step 4 When prompted, log in to the appliance. Log in using the default username and password (admin/admin).
The appliance will begin to initialize.
Step 5 Define the network settings and services 1. Select Setup > Settings and then edit the Management Interface
to allow on the MGT interface. Settings. Enter the IP Address, Netmask, and Default Gateway
to enable network access on the MGT interface.
2. Make sure Speed is set to auto-negotiate.
3. Select which management services to allow on the interface. At
a minimum, select HTTPS, SSH and Ping.
4. (Optional) To restrict Mobile Security Manager management
access to specific IP addresses, enter the Permitted IP
Addresses.
5. Click OK.

Set Up the GlobalProtect Mobile Security Manager Set Up Management Access to the Mobile Security Manager
Set Up Network Access to the GP-100 Appliance (Continued)
Step 6 (Optional) Configure general appliance 1. Select Setup > Settings > Management and edit the General
settings. Settings.
2. Enter a Hostname for the appliance and enter your network
Domain name. The domain name is just a label; it will not be
used to join the domain.
3. Enter any informative text you want to display to administrators
at login in the Login Banner field.
4. Select the Time Zone and, if you do not plan to use NTP, enter
the Date and Time.
5. Click OK.
Step 7 Configure DNS and optionally set up 1. Select Setup > Settings > Services and edit the Services.
access to an NTP server. 2. Enter the IP address of the Primary DNS Server and optionally
the Secondary DNS Server.
3. To use the virtual cluster of time servers on the Internet, enter
the hostname ntp.pool.org as the Primary NTP Server or add
the IP address of your Primary NTP Server and optionally your
Secondary NTP Server.
4. Click OK.
Step 8 Set a secure password for the admin 1. Select Setup > Administrators.
account. 2. Select the admin role.
For instructions on adding 3. Enter the current default password and the new password.
additional administrative accounts, 4. Click OK to save your settings.
see Set Up Administrative Access to
the Mobile Security Manager.
Step 9 Commit the changes. Click Commit. The appliance may take up to 90 seconds to save your
changes.
When the configuration changes are
saved, the web interface will lose
connectivity to the appliance
because the IP address will have
changed.
Step 10 Connect the appliance to your network. 1. Disconnect the appliance from your computer.
2. Connect the MGT port to a switch port on your management
network using an RJ-45 Ethernet cable. Make sure that the
switch port you cable the appliance to is configured for
auto-negotiation.

Set Up Management Access to the Mobile Security Manager Set Up the GlobalProtect Mobile Security Manager
Set Up Network Access to the GP-100 Appliance (Continued)
Step 11 Open an SSH management session to the Using a terminal emulation software, such as PuTTY, launch an SSH
GP-100 appliance. session to the appliance using the new IP address you assigned to it:
1. Enter the IP address you assigned to the MGT port in the SSH
client.
2. Use port 22.
3. Enter your administrative access credentials when prompted.
After successfully logging in, the CLI prompt displays in
operational mode. For example:
admin@GP-100>
Step 12 Verify network access to external services Verify that you have access to and from the appliance by using the
required for appliance management, such ping utility from the CLI. Make sure you have connectivity to the
as the Palo Alto Networks Update Server. default gateway, DNS server, and the Palo Alto Networks Update
Server as shown in the following example:
admin@GP-100> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84)
bytes of data.
64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=40.5 ms
After you have verified connectivity, press Ctrl+C to stop the
pings.
Step 13 Log in to the Mobile Security Manager 1. Open a browser window and navigate to the following URL:
web interface. https://<IP_Address>
For instructions on creating where <IP_Address> is the address you just assigned to the
additional administrative accounts, MGT interface.
see Set Up Administrative Access to If you enable device check-in on the MGT interface, you
the Mobile Security Manager. must include the port number 4443 in the URL in order
to access the web interface as follows:
https://<IP_Address>:4443
2. Log in using the new password you assigned to the admin
account.

Set Up the GlobalProtect Mobile Security Manager Register, License, and Update the Mobile Security Manager
Register, License, and Update the Mobile Security Manager

Before you can begin using the Mobile Security Manager to manage mobile devices, you must register the
GP-100 appliance and retrieve the licenses. If you plan to manage more than 500 mobile devices you must
purchase a one-time GlobalProtect Mobile Security Manager perpetual license based on number of mobile
devices to be managed. In addition, the appliance comes with 90-days of free support. However, after the 90-day
period is up, you must purchase a support license to enable the Mobile Security Manager to retrieve software
updates and dynamic content updates. The following sections describe the registration, licensing, and update
processes:
 Register the GP-100 Appliance
 Activate/Retrieve the Licenses
 Install Content and Software Updates
Register the GP-100 Appliance
To manage all the assets purchased from Palo Alto Networks, create an account and register the serial numbers
with the account as follows.
Register the GP-100 Appliance
Step 1 Log in to the Mobile Security Manager Using a secure connection (https) from a web browser, log in using
web interface. the IP address and password assigned during initial configuration
(https://<IP address> or https://<IP address>:4443 if device
check-in is enabled on the interface).
Step 2 Locate the serial number and copy it to The serial number for the GP-100 appliance displays on the
the clipboard. Dashboard; locate the Serial Number in the General Information
section of the screen.
Step 3 Go to the Palo Alto Networks Support Select Setup > Support > Links and click the link to Support Home.
site. If your appliance does not have Internet connectivity from the
MGT interface, in a new browser tab or window, go to
https://support.paloaltonetworks.com.
Step 4 Register the GP-100 appliance. The steps • If this is the first Palo Alto Networks appliance you are registering
for registering depend on whether you and you do not yet have a login, click Register on the right side of
already have a login to the support site. the page. To register, provide your email address and the serial
number for the Mobile Security Manager (which you can paste
from your clipboard). When prompted, set up a username and
password for access to the Palo Alto Networks support
community.
• If you already have a support account, log in and then click My
Devices. Scroll down to Register Device section at the bottom of
the screen and enter the serial number for the Mobile Security
Manager (which you can paste from your clipboard), your city and
postal code and then click Register Device.

Register, License, and Update the Mobile Security Manager Set Up the GlobalProtect Mobile Security Manager
Activate/Retrieve the Licenses
The Mobile Security Manager requires a valid support license, enabling it to retrieve software updates and
dynamic content updates. The appliance comes with 90-days of free support; however, you must purchase a
support license to continue receiving updates after this introductory period. If you plan to manage more than
500 mobile devices, a GlobalProtect Mobile Security Manager license is required. This one-time perpetual
license enables management of up to 1,000, 2,000, 5,000, 10,000, 25,000, 50,000, or 100,000 mobile devices.
You can purchase a WildFire subscription for the Mobile Security Manager to enable dynamic updates
containing malware signatures created as a result of the analysis done by the WildFire cloud. By keeping malware
updates current, you can prevent managed Android devices containing malware-infected apps from connecting
to your network resources. You must purchase a WildFire subscription that supports the same number of
devices that your Mobile Security Manager license supports. For example, if you have a Mobile Security Manager
perpetual license for 10,000 devices and you want to enable support for detecting the latest malware you would
need to purchase a WildFire subscription for 10,000 devices.
To purchase licenses, contact your Palo Alto Networks Systems Engineer or reseller. For information licensing
requirements, see About GlobalProtect Licenses.
After obtaining a license, navigate to Setup > Licenses to perform the following tasks depending on how you
receive your licenses:
 Retrieve license keys from license server—Use this option if the license has been activated on the
support portal.
 Activate feature using authorization code—Use the authorization code to activate a license that has not
been previously activated on the support portal.
 Manually upload license key—Use this option if the GP-100 MGT interface does not have connectivity
to the Palo Alto Networks update server. In this case, first download the license key file from the support
site to an Internet-connected computer and then upload it to the appliance.
Activate the Licenses
Step 1 Locate the authorization codes for the Locate the email from Palo Alto Networks customer support listing
product/subscription you purchased. the authorization code associated with the license(s) you purchased.
If you cannot locate this email, contact customer support to obtain
the codes before proceeding.

Set Up the GlobalProtect Mobile Security Manager Register, License, and Update the Mobile Security Manager
Activate the Licenses (Continued)
Step 2 Activate the license(s). 1. To activate your support subscription (required after 90 days),
select Setup > Support.
If the Mobile Security Manager will
manage more than 500 mobile devices, a 2. Select Activate feature using authorization code. Enter the
GlobalProtect Mobile Security Manager Authorization Code and then click OK.
perpetual license is required. 3. Verify that the subscription was successfully activated.
If the management port (MGT) on
the Mobile Security Manager does
not have Internet access, manually
download the license files from the
support site and upload it to the 4. In the Setup > Licenses tab, select Activate feature using
appliance using the Manually authorization code.
upload license key option.
5. When prompted, enter the Authorization Code for the Mobile
Security Manager license and click OK.
6. Verify that the license was successfully activated and that it
displays support for the appropriate number of devices:
Step 3 (Not required if you completed Step 2) Use the Retrieve license keys from the license server option if you
Retrieve license keys from the license have activated the license keys on the Support portal.
server. Select Setup > Support, and select Retrieve license keys from the
license server.
Install Content and Software Updates
Use the following procedure to download the latest Android Package (APK) malware updates and/or upgrade
the Mobile Security Manager software. By keeping APK updates current, you can prevent managed Android
devices containing malware-infected apps from connecting to your network resources.
Get Software and Content Updates
Step 1 Launch the Mobile Security Manager web 1. Using a secure connection (https) from a web browser, log in
interface and go to the dynamic updates using the IP address and password you assigned during initial
page. configuration (https://<IP address> or https://<IP
address>:4443 if device check in is enabled on the interface).
Before updating the software, install the
latest dynamic updates supported in the 2. Select Setup > Dynamic Updates.
release.

Register, License, and Update the Mobile Security Manager Set Up the GlobalProtect Mobile Security Manager
Get Software and Content Updates (Continued)
Step 2 Check for, download, and install the latest 1. Click Check Now to check for the latest updates. If the value in
Mobile Security Manager content update. the Action column is Download it indicates that an update is
available.
The Mobile Security Manager content
updates include all Android application 2. Click Download to obtain the desired version.
package (APK) malware signatures, 3. Click the Install link in the Action column. When the
including new malware detected by installation completes, a check mark displays in the Currently
WildFire. Installed column.
Step 3 Check for software updates. 1. Select Setup > Software.

2. Click Check Now to check for the latest updates. If the value in
the Action column is Download it indicates that an update is
available.
Step 4 Download the update. Locate the version you want to upgrade to, and click Download.
When the download completes, the value in the Action column
If the Mobile Security Manager
changes to Install.
does not have Internet access from
the management port, you can
download the software update from
the Palo Alto Networks Support
Site. You can then manually Upload
it to the Mobile Security Manager.
Step 5 Install the update. 1. Click Install.

2. Reboot the appliance:
• If prompted to reboot, click Yes.
• If you are not prompted to reboot, select Setup > Settings >
Operations and click Reboot Device in the Device
Operations section of the screen.

Set Up the GlobalProtect Mobile Security Manager Set Up the Mobile Security Manager for Device Management
Set Up the Mobile Security Manager for Device

Management
Before you can begin using the Mobile Security Manager to manage mobile devices, you must set up the device
management infrastructure. This includes configuring an interface for device check-in, obtaining the certificates
required for the Mobile Security Manager to send push notifications to devices over-the-air (OTA), defining
how to authenticate users/devices before allowing enrollment, and how to issue identity certificates to each
device.
 Configure the Mobile Security Manager for Device Check-in
 Configure the Mobile Security Manager for Enrollment
Configure the Mobile Security Manager for Device Check-in
Every hour (by default), the Mobile Security Manager sends a notification message to the devices it manages
requesting that they check in. To send these messages—called push notifications—the Mobile Security Manager
must connect to the devices over-the-air (OTA). To send push notifications to iOS devices, the Mobile Security
Manager must use the Apple Push Notification Service (APNs); for Android devices it must use the Google
Cloud Messaging (GCM) service.
The best practice is to configure the ethernet1 interface on the Mobile Security Manager as an external-facing
interface for mobile device and gateway access. Therefore, to configure the Mobile Security Manager for device
check-in, you must configure the ethernet1 interface and enable it for device check-in. In addition, you must
configure the Mobile Security Manager to send push notifications via APNs/GCM.
The following procedure details how to set up this recommended configuration:
Set Up the Mobile Security Manager for Device Check-In
Step 1 Configure the device check-in interface. 1. Select Setup > Network > ethernet1 to open the Network
Interface settings dialog.
Although you could use the MGT
interface for device check-in, 2. Define the network access settings for the interface, including
configuring a separate interface the IP Address, Netmask, and Default Gateway.
allows you to separate management 3. Enable the services to allow on this interface by selecting the
traffic from data traffic. If you are corresponding check boxes. At a minimum, select Mobile
using the MGT interface for device Device Check-in. You may also want to select Ping to aid in
check-in, skip to Step 4. testing connectivity.
4. To save the interface settings, click OK.
5. Connect the ethernet1 port (labeled 1 on the front panel of the
appliance) to your network using an RJ-45 Ethernet cable. Make
sure that the switch port you cable the interface to is configured
for auto-negotiation.
6. (Optional) Add a DNS “A” record to your DNS server to
associate the IP address of this interface with a hostname.

Set Up the Mobile Security Manager for Device Management Set Up the GlobalProtect Mobile Security Manager
Set Up the Mobile Security Manager for Device Check-In (Continued)
Step 2 (Optional) Modify the device check-in 1. Select Setup > Settings > Server and then edit the Device
settings. Check-in Settings.
By default, the Mobile Security Manager 2. Set the Check-in Port the Mobile Security Manager will listen
listens on port 443 for both enrollment on for device check-in requests. By default, the port is set to 443.
requests and check-in requests. As a best However, as a best practice, you should change the device
practice, you should keep the enrollment check-in port to 7443 or 8443 and enrollment to prevent users
port set to 443 and use a different port from sometimes being prompted for a client certificate when
number for device check-in. The device enrolling.
check-in process requires a client 3. By default, the Mobile Security Manager will send push
certificate to establish the SSL session notifications to the devices it manages every 60 minutes to
whereas enrollment does not. If both request check-in. To change this interval, enter a new Device
services are running on the same port, the Check-in Notification Interval (range: 30 minutes to 1440
mobile device will erroneously pop-up minutes).
certificate prompts during the enrollment 4. Click OK to save the settings.
process, which may be confusing to the
end users.
Step 3 (Optional) If the MGT port on the 1. Select Setup > Settings > Services > Service Route
Mobile Security Manager does not have Configuration.
access to the Internet, configure service 2. Click the Select radio button.
routes to enable access from the device
3. Click in the Interface column that corresponds to the service
check-in interface to the required external
for which you want to change the service route and then select
resources, such as the Apple Push
the ethernet1 interface.
Notification Service (APNs) and the
Google Cloud Messaging (GCM) service
for sending push notifications.
4. Repeat these steps for each service you want to modify. For the
purposes of setting up the ethernet1 interface for device
check-in, you will want to change the service route for Push
Notification. If you do not have Internet access from the MGT
interface, you must change all service routes to this interface.

Step 4 Import a server certificate for the Mobile To import a certificate and private key, download the certificate and
Security Manager device check-in key file from the CA and then make sure they are accessible from
interface. your management system and that you have the passphrase to
decrypt the private key. Then complete the following steps on the
The Common Name (CN) and, if
Mobile Security Manager:
applicable, the Subject Alternative Name
1. Select Setup > Certificate Management > Certificates > Device
(SAN) fields of the Mobile Security
Certificates.
Manager certificate must match the IP
address or fully qualified domain name 2. Click Import and enter a Certificate Name.
(FQDN) of the device check-in interface 3. Enter the path and name to the Certificate File received from
(wildcard certificates are supported). the CA, or Browse to find the file.
Although you could generate a self-signed 4. Select Encrypted Private Key and Certificate (PKCS12) as the
server certificate for the Mobile Security File Format.
Manager device check-in interface (Setup 5. Select the Import private key check box.
> Certificate Management > Certificates 6. Enter the path and name to the PKCS#12 file in the Key File
> Generate), it is a best practice to use a field or Browse to find it.
certificate from a public CA, such as
VeriSign or Go Daddy, to ensure that the 7. Enter and re-enter the Passphrase that was used to encrypt the
private key and then click OK to import the certificate and key.
end devices will be able to connect for
enrollment. If you do not use a certificate 8. To configure the Mobile Security Manager to use this certificate
that is trusted by the devices, you must for device check-in:
add the root CA certificate to both a. Select Setup > Settings > Server and then edit the SSL
Mobile Security Manager configuration Server Settings.
and to the corresponding portal client
b. Select the certificate you just imported from the MDM Server
configuration so that the portal can
Certificate drop-down.
deploy the certificate to the devices as
described in Define the GlobalProtect c. (Optional) If the certificate was not issued by a well-known
Client Configurations. CA, select the root CA certificate for the issuer from the
Certificate Authority drop-down, or Import it now.
d. Click OK to save the settings.

Step 5 Obtain a certificate for the Apple Push 1. To create the CSR, select Setup > Certificate Management >
Notification Service (APNs). Certificates and then click Generate.
The APNs certificate is required for the 2. Enter a Certificate Name and a Common Name that identifies
Mobile Security Manager to be able to your organization.
send push notifications to the iOS devices 3. In the Number of Bits field, select 2048.
it manages. To obtain the certificate, you 4. In the Signed By field, select External Authority (CSR).
must create a certificate signing request
5. For the Digest, select sha1 and then click Generate.
(CSR) on the Mobile Security Manager,
send it to the Palo Alto Networks signing 6. Select the CSR from the certificate list and then click Export.
server for signing and then send the 7. In the Export CSR dialog, select Sign CSR for Apple Push
request to Apple. Notification Service from the File Format drop-down and then
click OK. The Mobile Security Manager automatically sends the
Create a shared Apple ID for your
CSR to the Palo Alto Networks signing server, which returns a
organization to ensure that you
signed CSR (.csr), which you should save to your local disk.
always have access to your
certificates. When the certificate expires, renew it using the same CSR
instead of creating a new one. This prevents the need to
re-enroll devices with the Mobile Security Manager.
8. Open a new browser window and navigate to the Apple Push
Certificates Portal at the following URL:
https://identity.apple.com/pushcert
9. Sign in using your Apple ID and password and then click
Create a Certificate. If this is your first login, you must Accept
the Terms of Use before you can create a certificate.
10. Click Choose File to browse to the location of the CSR you
generated and then click Upload. After the certificate is
successfully generated, a confirmation displays.
11. Click Download to save the certificate to your local computer.
12. On the Mobile Security Manager, select Setup > Certificate

Management > Certificates > Device Certificates and click
Import.
13. In the Certificate Name field, enter the same name you used
when you created the CSR.
14. In the Certificate File field, enter the path and name to the
certificate (.pem) you downloaded from Apple, or Browse to
locate the file.
15. Select Base64 Encoded Certificate (PEM) as the File Format
and then click OK. The CSR entry on the certificate list changes
to a certificate with the Issuer Apple Application Integration
Certification Authority and a Status of valid.

Step 6 Obtain a key and sender ID for the 1. Open a new browser window and navigate to the Google APIs
Google Cloud Messaging (GCM) service. console at the following URL:
The GCM key and sender ID are required https://cloud.google.com/console
for the Mobile Security Manager to send 2. Click CREATE PROJECT. The New Project page displays.
push notifications to the Android devices 3. Enter a Project name and a Project ID and then click Create. If
it manages. this is your first project, you must Accept the Terms of APIs
Service before you can create the project.
4. Select APIs & auth from the menu on the left side of the page.
5. On the APIs page, scroll down to Google Cloud Messaging for
Android and toggle the setting to ON.
6. Select Credentials from the APIs & auth menu on the left.
7. In the Public API access section of the page, click CREATE
NEW KEY.
8. On the Create a new key dialog, click Server key.
9. In the Accept requests from these server IP addresses text
box, enter the IP address of the Mobile Security Manager’s
device check-in interface and then click Create. The new API
key will display This is the key that identifies your Mobile
Security Manager application. You will need this key to
configure push notifications on the Mobile Security Manager.
10. To get your sender ID, select Overview from the menu on the
left side of the screen. The sender ID is also displayed as the
Project Number. You will need this ID to configure push
notifications on the Mobile Security Manager.
Step 7 Configure the push notification settings 1. Select Setup > Settings > Server and then edit the Push
on the Mobile Security Manager. Notification Settings.
2. To enable push notifications for iOS devices, select the iOS
APNs Certificate you generated in Step 5.
3. To enable GCM push notifications, select the Google Cloud
Messaging check box and then enter the Android GCM API Key
and Android GCM Sender ID you obtained in Step 6

Configure the Mobile Security Manager for Enrollment
In order for a mobile device to be managed by the GlobalProtect Mobile Security Manager, it must be enrolled
with the service. There are two phases to enrollment:
 Authentication—Before a mobile device can be enrolled, the device user must authenticate to the Mobile
Security Manager so that you can determine the identity of the user and ensure that he/she is a part of your
organization.The GlobalProtect Mobile Security Manager supports the same authentication methods that
are supported on the other GlobalProtect components: local authentication, external authentication to an
existing LDAP, Kerberos, or RADIUS service (including support for two-factor OTP authentication). For
details on these methods, see About GlobalProtect User Authentication.
 Identity Certificate Generation—After successfully authenticating the end user, the Mobile Security
Manager will issue an identity certificate to the device. To enable the Mobile Security Manager to issue
identity certificates, generate a self-signed CA certificate to use for signing. In addition, if you have an
enterprise Simple Certificate Enrollment Protocol (SCEP) server such as the Microsoft SCEP server, you
can configure the Mobile Security Manager to use the SCEP server to issue certificates for iOS devices. After
enrollment, the Mobile Security Manager will use the identity certificate to authenticate the mobile device
when it checks in.
In order for Android devices to receive push notifications from the Mobile Security Manager, you
must also ensure that your firewall has connectivity with GCM services. If you are using a Palo
Alto Networks firewall, configure a security policy to allow google-cloud-messaging application
traffic (on your firewall, select Policies > Security). If you are using a firewall with port
management, open ports 5228, 5229, and 5230 on the firewall for GCM to use and also set the
firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in
Google’s ASN of 15169. Refer to Google Cloud Messaging for Android for more information.
Use the following procedure to set up the enrollment infrastructure on the Mobile Security Manager:
Set Up the Mobile Security Manager for Enrollment
Step 1 Create an authentication profile for 1. Configure the Mobile Security Manager to connect to the
authenticating device users when they authentication service you plan to use so that it can access the
connect to the Mobile Security Manager authentication credentials.
for enrollment. • If you plan to authenticate using LDAP, Kerberos, or
As a best practice, use the same RADIUS you must create a server profile that instructs the
authentication service that is used to Mobile Security Manager how to connect to the service and
authenticate end users for access to access the authentication credentials for your users. Select
corporate resources, such as email and Setup > Server Profiles and add a new profile for the
Wi-Fi. This allows the Mobile Security specific service you will be accessing.
Manager to capture the credentials for use • If you plan to use local database authentication, you must
in the configuration profiles it deploys to first create the local database. Select Setup > User Database
the devices. For example, the Mobile > Local Users and add the users to be authenticated.
Security Manager can automatically
2. Create an authentication profile that references the server
deploy configurations that include the
profile or local user database you just created. Select Setup >
credentials required to access corporate
Authentication Profile and add a new profile. The
resources, such email and Wi-Fi, from the
authentication profile name cannot contain any spaces.
device.

Set Up the Mobile Security Manager for Enrollment (Continued)
Step 2 Configure the Mobile Security Manager 1. Select Setup > Settings > Server and then edit the
to use the authentication profile for Authentication Settings.
device enrollment. 2. Select the Authentication Profile from the drop-down.
3. (Optional) If you want the Mobile Security Manager to save the
password the mobile device user enters when authenticating,
make sure the Save User Password On Server check box is
selected. If you choose to save the password, the Mobile
Security Manager will be able to automatically configure the user
credentials in the configuration settings it pushes to the device.
For example, it can use the saved credentials (the username is
always saved on the server) to automatically configure the email
profile that gets pushed to the device so that the end user does
not have to manually set them.
Step 3 Set up the Mobile Security Manager to Define which CA root certificate the Mobile Security Manager
issue identity certificates. should use to issue identity certificates to Android devices and, if not
using SCEP, to iOS devices. If you are using an enterprise CA, import
Although the Mobile Security
the root CA certificate and the associated private key (Setup >
Manager can issue identity
Certificate Management > Certificates > Import). Otherwise,
certificates to all authenticated
generate a self-signed root CA certificate:
mobile devices, you may choose to
1. To create a self-signed root CA certificate on the Mobile
leverage an existing SCEP server to
Security Manager, select Setup > Certificate Management >
issue identity certificates for your
Certificates > Device Certificates and then click Generate.
iOS devices as described in the next
step. Android devices cannot use 2. Enter a Certificate Name, such as Mobility_CA. The certificate
SCEP and therefore you must name cannot contain any spaces.
configure the Mobile Security 3. Do not select a value in the Signed By field (this is what
Manager to issue identity indicates that it is self-signed).
certificates for all Android devices. 4. Select the Certificate Authority check box and then click OK to
generate the certificate. The Mobile Security Manager will
automatically use this signing certificate to issue identity
certificates for devices during enrollment.

Step 4 (Optional) Configure the Mobile Security 1. Configure the Mobile Security Manager to access the SCEP
Manager to integrate with an existing server and define the certificate properties to use when issuing
enterprise SCEP server for issuing identity certificates as described in Set Up an SCEP
identity certificates to iOS devices. Configuration.
The benefit of SCEP is that the private 2. Enable SCEP on the Mobile Security Manager:
key never leaves the mobile device. a. Select Setup > Settings > Server and then edit the SCEP
Settings.
If you plan to use SCEP to issue
identity certificates, make sure that b. Select the SCEP check box to enable SCEP.
the iOS devices that will be c. Select the SCEP configuration you just created from the
enrolling have the proper CA root Enrollment drop-down.
certificates to enable them to
establish a connection with your d. (Optional) If you want the Mobile Security Manager to verify
SCEP server. the client certificate the SCEP server issued to the device
before completing the enrollment process, you must import
the SCEP server’s root CA certificate and create a
corresponding Certificate Profile.
e. Click OK to save the settings.
Step 5 Configure the enrollment settings. 1. Select Setup > Settings > Server and then edit the Enrollment
Settings.
2. Enter the Host Name of the device check-in interface (FQDN
or IP address; it must match what is in the CN field of the
Mobile Security Manager certificate associated with the device
check-in interface).
3. (Optional) Set the Enrollment Port the Mobile Security
Manager will listen on for enrollment requests. By default, it is
set to 443 and it is recommended that you leave it set to this
value and use a different port number for the device check-in
port.
4. Enter the Organization Identifier and optionally an
Organization Name to be displayed on the configuration
profiles that the Mobile Security Manager pushes to the devices.
5. (Optional) Enter a Consent Message that lets users know that
they are enrolling in your device management service. Note that
this message will not be displayed on devices running iOS 5.1.
6. Select the CA certificate the Mobile Security Manager should
use to issue the certificates from the Certificate Authority
drop-down and optionally modify the Identity Certificate
Expiration value (default 365 days; range 60 to 3650 days).

Step 6 (Optional) Force device users to re-enroll To force mobile device users to re-enroll when certificates expire:
upon identity certificate expiry. 1. Select Setup > Settings > Server and then edit the Enrollment
Renewal Settings.
By default, mobile device users are not
required to manually re-enroll when the 2. Select the Require Re-Enroll check box.
identity certificate expires; the Mobile 3. (Optional) Customize the Renewal Message that will display
Security Manager will automatically on the mobile devices to alert the end users that they will need
re-issue the identity certificates and to unenroll and then re-enroll before the certificate expires in
re-enroll the devices. order to continue with the Mobile Security Manager device
management service. The {DAYS} variable will be replaced with
the actual number of days until certificate expiration when the
message is sent to the device.
4. Click OK to save the renewal settings.
Step 8 Configure the GlobalProtect portal to Perform the following steps on the firewall hosting your
redirect mobile devices to the Mobile GlobalProtect portal:
Security Manager for enrollment. 1. Select Network > GlobalProtect > Portals and select the portal
configuration to modify.
For more detailed instructions, see
Configure the GlobalProtect Portal. 2. Select the Client Configuration tab and select the client
configuration to enable for Mobile Security Management.
3. On the General tab, enter the IP address or FQDN of the
device check-in interface on the GlobalProtect MDM Mobile
Security Manager.
4. (Optional) Set the GlobalProtect MDM Enrollment Port on
which the Mobile Security Manager will be listening for
enrollment requests. This value must match the value set on the
5. Click OK twice to save the portal configuration.

Enable Gateway Access to the Mobile Security Manager Set Up the GlobalProtect Mobile Security Manager
Enable Gateway Access to the Mobile Security Manager

If you plan to Configure HIP-Based Policy Enforcement on your firewalls, you can configure the GlobalProtect
gateways to retrieve the HIP reports for the mobile devices managed by the Mobile Security Manager.
To enable the gateway to retrieve HIP reports from the Mobile Security Manager, you must enable an interface
for gateway access and then configure the gateways to connect to it as follows:
Enable Gateway Access to Mobile Security Manager
Step 1 Decide which Mobile Security Manager • (Recommended) To use the ethernet1 interface for gateway access,
interface to use for HIP retrieval and select Setup > Network > ethernet1. Select the GlobalProtect
enable the gateway service on the Gateways check box and then click OK.
interface. • To use the MGT interface for gateway access, select Setup >
Although you can configure the gateways Settings > Management and then edit the Management Interface
to connect to either the MGT interface or Settings. Select the GlobalProtect Gateways check box and then
the ethernet1 interface, as a best practice click OK.
consider using the ethernet1 interface to If this interface is not yet configured, you must supply the
ensure that your remote gateways have network settings (IP address, netmask, and default gateway)
access to the appliance. and physically connect the Ethernet port to your network.
See Configure the Mobile Security Manager for Device
Check-in for details.
Step 2 (Optional) Import a server certificate for As a best practice, use the same CA certificate used to issue
the Mobile Security Manager MGT self-signed certificates to the other GlobalProtect components. See
interface to enable GlobalProtect Deploy Server Certificates to the GlobalProtect Components for
gateways to connect to this interface. This details on the recommended workflow.
certificate is required only if the gateways
After generating a server certificate for the Mobile Security Manager,
will connect to the MGT interface insteadimport it as follows:
of ethernet1 for HIP retrieval. 1. Select Setup > Certificate Management > Certificates > Device
The Common Name (CN) and, if Certificates and click Import.
applicable, the Subject Alternative Name 2. Enter a Certificate Name.
(SAN) fields of the Mobile Security 3. Enter the path and name to the Certificate File, or Browse to
Manager certificate must match the IP find the file.
address or fully qualified domain name
(FQDN) of the interface (wildcard 4. Select Encrypted Private Key and Certificate (PKCS12) as the
certificates are supported). File Format.
5. Enter the path and name to the PKCS12 file in the Key File field
or Browse to find it.
6. Enter and re-enter the Passphrase you used to encrypt the
private key when you exported it from the portal and then click
OK to import the certificate and key.

Set Up the GlobalProtect Mobile Security Manager Enable Gateway Access to the Mobile Security Manager
Enable Gateway Access to Mobile Security Manager (Continued)
Step 3 Specify which server certificate the 1. Select Setup > Settings > Server and then edit the
Mobile Security Manager should use GlobalProtect Gateway Settings.
enable the gateway establish an HTTPS 2. Select the HIP Report Retrieval check box to enable gateway
connection for HIP retrieval. access to the Mobile Security Manager.
3. Select the certificate you just imported from the MDM Server
Certificate drop-down and then click OK.
Step 4 (Optional) Create a certificate profile on To enable mutual authentication between the gateway and the
the Mobile Security Manager to enable Mobile Security Manager, create a client certificate for the gateway
the gateway(s) to establish a mutual SSL and then import the root CA that issued the client certificate onto
connection with the Mobile Security the Mobile Security Manager. Use the following procedure to import
Manager for HIP report retrieval. the client certificate onto the Mobile Security Manager and define a
certificate profile:
1. Download the CA certificate that was used to generate the
gateway certificates (in the recommended workflow, the CA
certificate is on the portal).
a. Select Device > Certificate Management > Certificates >
Device Certificates.
b. Select the CA certificate, and click Export.
c. Select Base64 Encoded Certificate (PEM) from the File
Format drop-down and click OK to download the certificate.
(You do not need to export the private key.)
2. On the Mobile Security Manager, import the certificate by
selecting Device > Certificate Management > Certificates >
Device Certificates, clicking Import and browsing to the
certificate you just downloaded. Click OK to import the
certificate.
3. Select Device > Certificates > Certificate Management >
Certificate Profile and click Add and enter a Name to uniquely
identify the profile, such as GPgateways.
4. In the CA Certificates field, click Add, select the CA certificate
you just imported and then click OK.
6. Configure the Mobile Security Manager to use this certificate
profile to establish an HTTPS connection with the gateways:
a. Select Setup > Settings > Server and then edit the
GlobalProtect Gateway Settings.
b. Select the certificate profile you just created from the
Certificate Profile drop-down.
c. Click OK to save the settings.
7. Commit the changes to the Mobile Security Manager.

Enable Gateway Access to the Mobile Security Manager Set Up the GlobalProtect Mobile Security Manager
Enable Gateway Access to Mobile Security Manager (Continued)
Step 5 Configure the gateways to access the From each firewall hosting a GlobalProtect gateway, do the
Mobile Security Manager. following:
1. Select Network > GlobalProtect > MDM and then click Add to
add the Mobile Security Manager.
2. Enter a Name for the Mobile Security Manager and specify
which virtual system it belongs to from the Location field (if
applicable).
3. Enter the Server IP address or FQDN of the interface on the
Mobile Security Manager where the gateway will connect to
retrieve HIP reports. The value must match the CN (and, if
applicable the SAN) field in the Mobile Security Manager
certificate associated with the interface.
4. (Optional) If you want to use mutual authentication between the
gateway and the Mobile Security Manager, select the Client
Certificate the gateway will present when establishing a
connection with the Mobile Security Manager.
5. In the Trusted Root CA field, click Add and select the root CA
certificate that was used to issue the Mobile Security Manager
certificate for the interface where the gateway will connect to
retrieve HIP reports.
6. Click OK to save the settings and then Commit the changes.

Set Up the GlobalProtect Mobile Security Manager Define Deployment Policies
Define Deployment Policies

After a mobile device successfully enrolls with the GlobalProtect Mobile Security Manager, it checks in with the
Mobile Security Manager to submit its host data at regular intervals (every hour by default). The Mobile Security
Manager uses deployment policy rules you define to determine what configuration profiles to push to the device. This
allows you to have granular control over what configuration profiles, if any, get deployed to and/or removed
from the device. For example, you could create different configurations for different user groups with varying
access needs. Or you could create policy rules that only allow configurations to be pushed to devices that are
security compliant.
The following sections provide information about how to plan your Mobile Security Management strategy and
instructions for setting up your policies and profiles:
 About Mobile Security Manager Policy Deployment
 Mobile Security Manager Policy Best Practices
 Integrate the Mobile Security Manager with your LDAP Directory
 Define HIP Objects and HIP Profiles
 Create Configuration Profiles
 Create Deployment Policies
About Mobile Security Manager Policy Deployment
After a mobile device enrolls with the GlobalProtect Mobile Security Manager, it checks in with the Mobile
Security Manager at regular intervals. The check-in process includes four parts:
 Authentication—In order to connect to the Mobile Security Manager for check-in, the mobile device
presents the identity certificate that was issued to it during enrollment. If you have enabled access to your
LDAP server, the Mobile Security Manager can use the authenticated username to determine a policy match
based on user or group membership. See Integrate the Mobile Security Manager with your LDAP Directory.
 Collection of device data—The mobile device provides HIP data, which the Mobile Security Manager
processes in order to create a full HIP Report for the device. The HIP report provides identifying
information about the device, information about the device state (such as whether it is jailbroken/rooted, if
encryption is enabled, and if a passcode is set), and a listing of all apps installed on the device. For Android
devices, the Mobile Security Manager computes a hash for each app and uses this data to determine if any
of the installed apps are known to have malware based on the latest APK content updates. For more
information about HIP data collection, see Collection of Device Data.
 Policy deployment—Each Mobile Security Manager policy rule is composed of two parts: match criteria and
configurations. When a device checks in, the Mobile Security Manager compares the user information
associated with the device and the HIP data collected from the device against the match criteria. When it
finds the first matching rule, it pushes the corresponding configuration(s) to the device.
– Match Criteria—The Mobile Security Manager uses the username of the device user and/or HIP
matching to determine a policy match. Using the username allows you to deploy policy based on group
membership. See About User and Group Matching. Using HIP matching allows you to push
deployment policies based on the security compliance of the device and/or using other identifying

Define Deployment Policies Set Up the GlobalProtect Mobile Security Manager
characteristics of the device, such as OS version, tag, or device model. See About HIP Matching.
– Configurations—Contain the configuration settings, certificates, provisioning profiles (iOS only), and
device restrictions to push to the devices that match the corresponding policy rule. Because the iOS
and Android operating systems support different settings and use different syntax, you must create
separate configurations to push to each OS; you can attach both an iOS and an Android configuration
to the same policy rule and the Mobile Security Manager will automatically push the correct
configuration to the device. For details on how to create configurations, see Create Configuration
Profiles.
 Notification of Non-Compliance—In some cases, a device may not match any of the policy rules you have
defined due to non-compliance. For example, suppose you create a HIP profile that only matches devices
that are security compliant (that is, they are encrypted and are not rooted/jailbroken) and attach it to your
deployment policy rules. In this case, configurations are only pushed to devices that match the HIP profile.
You could then define a HIP notification message to send to devices that do not match the profile, specifying
the reason that they are not receiving any configuration. For more details, see About HIP Notification.
Collection of Device Data
The Mobile Security Manager collects the following information (as applicable) from a mobile device each time
it checks in:
Category Data Collected
Host Info Information about the device itself, including the OS and OS version, the GlobalProtect app
version, the device name and model, and identifying information including the phone
number, International Mobile Equipment Identity (IMEI) number, and serial number. In
addition, if you have assigned any tags to the device, this information is reported also.
Settings Information about the security state of the device, including whether or not it is
rooted/jailbroken, whether the device date is encrypted, and if the user has set a passcode on
the device.
Apps Includes a listing of all app packages that are installed on the device, if the device contains
apps that are known to have malware (Android devices only), and, optionally, the GPS
location of the device. You can choose to collect or exclude a list of apps installed on the
device that are not managed by the Mobile Security Manager.
GPS Location Includes the GPS location of the device if location services are enabled on it. However, for
privacy reasons you can configure the Mobile Security Manager to exclude this information
from collection.
About User and Group Matching
In order to define mobile device deployment policies based on user or group, the Mobile Security Manager must
retrieve the list of groups and the corresponding list of members from your directory server. To enable this
functionality, you must create an LDAP server profile that instructs the Mobile Security Manager how to
connect and authenticate to the LDAP server and how to search the directory for the user and group
information. After the Mobile Security Manager is successfully integrated with the directory server, you will be

able to select users or groups when defining mobile device deployment policies. The Mobile Security Manager
supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory,
and Sun ONE Directory Server. See Integrate the Mobile Security Manager with your LDAP Directory for
instructions on setting up user and group matching.
About HIP Matching
You define which device attributes you are interested in monitoring and/or using for policy deployment by
creating HIP objects and HIP profiles on the Mobile Security Manager:
 HIP Objects—Provide the matching criteria to filter out the host information you are interested in using
to enforce policy. For example, if you want to identify a device that has a vulnerability you might want to
create HIP objects that would match each device state that you consider to be a vulnerability. For example,
you might create one HIP object that matches devices that are jailbroken/rooted, another that matches
devices that are not encrypted, and a third that matches devices that contain malware.
 HIP Profiles—A collection of HIP objects that are to be evaluated together using Boolean logic such that
when HIP data is evaluated against the resulting HIP profile it will either match or not match. For example,
if you want to deploy configuration profiles only to devices that do not have a vulnerability, you might create
a HIP profile to attach to your policy that matches only if the device is not rooted/jailbroken and is
encrypted and does not have malware.
For instructions on setting up HIP matching, see Define HIP Objects and HIP Profiles.
About HIP Notification
By default, end users are not given any information about policy decisions that were made as a result of
enforcement of a HIP-enabled deployment policy. However, you can enable this functionality by defining HIP
notification messages to display when a particular HIP profile is matched and/or not matched.
The decision as to when to display a message (that is, whether to display it when the device matches a HIP
profile in the policy or when it doesn’t match it), depends largely on the policy and what a HIP match (or
non-match) means for the user. That is, does a match mean that the corresponding configuration profiles are
pushed to the device? Or does it mean that the device will not receive a configuration profile until it is
compliant?
For example, consider the following scenarios:
 You create a HIP profile that matches if the device OS version is greater than or equal to a specific version
number. In this case, you might want to create a HIP notification message for devices that do not match the
HIP profile instructing the device users they must upgrade the device OS in order to receive the corporate
configuration profiles.
 You create a HIP profile that matches if the device OS version is less than a specific version number. In this
case, you might instead create the message for devices that match the profile.

The Mobile Security Manager policies you deploy enable you to ensure that the devices accessing your network
are in compliance with your acceptable use and security policies, provide a mechanism for pushing as well as
simplifying the deployment of configuration settings, certificate, and provisioning profiles required to access
your corporate resources.
The way you choose to manage and configure to the mobile devices depends on the particular requirements in
your company and the sensitivity of the resources to which the configurations provide access. For details on
setting up HIP notification messages, see Define HIP Objects and HIP Profiles.
Mobile Security Manager Policy Best Practices
Before defining the configuration profiles, provisioning profiles, and device restrictions to push to managed
devices, consider the following best practices:
 Create a default
policy rule that
checks for device
vulnerabilities—
Because of their
utility, mobile
devices—even
those that are
corporate owned—
are used for a variety of uses beyond business, which can leave them open to vulnerabilities and theft. Just
as you would want to ensure that the laptops and computers that access your network are properly
maintained and secured, so should you ensure that the mobile devices accessing your corporate systems are
free from known vulnerabilities. By using HIP profiles that check for device compliance to the standards
you define, you can ensure that configuration profiles that enable access to your corporate resources are only
pushed based on whether or not the device has known vulnerabilities, such as whether or not it is
jailbroken/rooted or whether it contains apps that are known to have malware. The best way to do this is to
create a default policy rule that matches devices that contain a vulnerability, based on HIP match. For devices
that match the rule, the policy would either deliver an empty profile (that is, you would not attach any profiles
to it) or deliver a profile that contains a password requirement only (in case the vulnerable device contains
any corporate data or has access to corporate systems). In this case you would also want to make sure to
create a HIP Match notification to inform users as to why they are not receiving their account settings.
 Require complex passcodes and data encryption—

Due to their portable nature, mobile devices are easy to
lose and easy to steal. If a device without a passcode gets
into the wrong hands, any corporate systems that are
accessible from the device are then at risk. Therefore, you
should always require a passcode on the devices you manage. In addition, because Android devices do not
automatically encrypt data upon setting a passcode like iOS devices do, you should also always require
managed Android devices to have data encryption enabled. Although there are a couple of ways to enforce
these requirements, the easiest way is to include the passcode and encryption requirements in every
configuration profile you push. Including the device requirements within the configuration profiles that

enable access to your corporate resources—such as email, VPN, or Wi-Fi— forces the mobile device user
to set a passcode that meets your requirements and to enable data encryption before the profile is installed,
which prevents the end users from accessing the corresponding account until the device is in compliance.
Push a GlobalProtect VPN configuration profile to

simplify deployment—To simplify the deployment of the
GlobalProtect agent settings to the iOS devices you manage,
create an iOS configuration profile and configure the VPN
settings so that the device will automatically be able to connect
to your GlobalProtect VPN upon deployment of the
corresponding policy.
 Create separate configuration

profiles for access to different
accounts—Although you can create
configuration profiles that push
settings for multiple accounts, you can
simplify administration and enhance
usability by creating separate
configuration profiles for each service.
This allows users to delete profiles for
accounts that they do not need or want.
Similarly, when user access needs to a
particular service change, you can simply change the policy deployment settings so that the profile is
automatically removed from or added to user devices as appropriate. In addition, by segregating the account
configurations into separate files, you can more easily create policies that are tailored to the access needs of
your user groups.
 Use iOS provisioning profiles to simplify deployment of enterprise apps—Provisioning profiles

provide a convenient and automated method for distributing internally-developed enterprise apps to the
managed iOS devices on your network. Although the Mobile Security Manager simplifies the deployment of
provisioning profiles to a large number of mobile devices, there are some security factors to consider. When
revoking access to an app that has been enabled via a provisioning profile, the app will continue to run on
the device until the next power cycle even if the Mobile Security Manager policy removes the profile. In
addition, because provisioning profiles are synchronized with iTunes, the profile may get re-installed the next
time the end user syncs the device with iTunes. Consider the following best practice recommendations:
– Require authentication to use the app. This prevents access to users who are not longer authorized to
use the app, but still have the provisioning profile installed on their devices.
– To ensure that corporate app data is not backed up to iCloud or iTunes where it could be accessed by
unauthorized users, make sure the apps you develop internally us the application’s Caches folder to
store data because this folder is excluded from backup.
– When removing a user’s access privileges to the app, do not rely solely on removal of the provisioning
profile from the Mobile Security Manager policy, but also deactivate the user’s account on your internal
servers.
– Make sure that you have the ability to erase the local app data on the mobile device when user access
to the app is removed.

Integrate the Mobile Security Manager with your LDAP Directory
Use the following procedure to connect to your LDAP directory to enable the Mobile Security Manager to
retrieve user and group information:
Integrate with the Directory Server
Step 1 Create an LDAP Server Profile that specifies how to connect to the directory servers you want the Mobile
Security Manager to use to obtain user and group information.
1. Select Setup > Server Profiles >
LDAP.
2. Click Add and then enter a Name
for the profile.
3. Click Add to add a new LDAP
server entry and then enter a
Server name to identify the
server (1-31 characters) and the
IP Address and Port number the
firewall should use to connect to
the LDAP server (default=389
for LDAP; 636 for LDAP over
SSL). You can add up to four
LDAP servers to the profile, however, all the servers you add to a profile must be of the same type. For
redundancy you should add at least two servers.
4. Enter the LDAP Domain name to prepend to all objects learned from the server. The value you enter here
depends on your deployment:
• If you are using Active Directory, you must enter the NetBIOS domain name; NOT a FQDN (for example,
enter acme, not acme.com). If you need to collect data from multiple domains you must create separate
server profiles. Although the domain name can be determined automatically, it is a best practice to enter
the domain name whenever possible.
• If you are using a global catalog server, leave this field blank.
5. Select the Type of LDAP server you are connecting to. The group mapping values will automatically be
populated based on your selection. However, if you have customized your LDAP schema you may need to
modify the default settings.
6. In the Base field, specify the point where you want the Mobile Security Manager to begin its search for user
and group information within the LDAP tree.
7. Enter the authentication credentials for binding to the LDAP tree in the Bind DN, Bind Password, and
Confirm Bind Password fields. The Bind DN can be in either User Principal Name (UPN) format
(i.e. administrator@acme.local) or it can be a fully qualified LDAP name
(i.e. cn=administrator,cn=users,dc=acme,dc=local).
8. If you want the Mobile Security Manager to communicate with the LDAP server(s) over a secure connection,
select the SSL check box. If you enable SSL, make sure that you have also specified the appropriate port
number.

Integrate with the Directory Server (Continued)
Step 2 Add the LDAP server profile to the directory integration configuration.
1. Select Setup > User Database > Directory
Integration and click Add.
2. Select the Server Profile you just created.
3. Make sure the Enabled check box is selected.
4. (Optional) If you want to limit which groups
are displayed within deployment policy, select
the Group Include List tab and then browse
through the LDAP tree to locate the groups
you want to be able to use in policy. For each
group you want to include, select it in the
Available Groups list and click the add icon
to move it to the Included Groups list. Repeat
this step for every group you want to be able
to use in your policies.
Step 3 Click Commit to save the configuration.

Define HIP Objects and HIP Profiles
Using HIP profiles in Mobile Security Manager policy enables granular deployment of configurations and
ensures that the mobile devices are in compliance with corporate security requirements in order to receive the
configuration profile(s) that enable access to your corporate resources. For example, before pushing
configurations that enable access to your corporate systems, you might want to ensure that the device data is
encrypted and that the devices are not jailbroken/rooted. To do this, you would create a HIP profile that
matches devices that meet this criteria and attach it to your deployment policy rules.
Create HIP Objects and HIP Profiles
Step 1 Create the HIP objects to filter the data 1. Select Policies > Host Information > HIP Objects and click Add.
reported by the device. 2. On the General tab, enter a Name and optionally a Description
The tag feature allows you to create for the object.
custom labels for the devices you 3. Define the match criteria for the HIP object as follows:
manage for easy grouping. For • To match on identifying characteristics of the mobile device,
example, you could create tags to such as OS, GlobalProtect app version, or phone number
distinguish personal devices from select the Host Info check box and then set values to match
company provisioned devices. You on. For each item to match on, select an operator from the
could then create HIP objects that drop-down that indicates whether to match if the specified
match specific tags, providing value Is, Is Not, or Contains the value you enter or select. For
endless possibilities as to how you example, if you will use this object to build a profile for use
can group managed devices for in policies to be deployed to iOS devices, select Is and iOS
configuration deployment. For from the drop-downs in the OS field.
more information on creating tags,
see Group Devices by Tag for • To match on the state of the device, such as whether it is
Simplified Device Administration. jailbroken/rooted or has a passcode set, select the Settings
tab and then select Yes or No to determine how to match the
For details on a specific HIP object setting. For example, if you want the object to match devices
field, refer to the online help. that do not have a passcode set, select No in the Passcode
A HIP match will occur if any one field.
of the apps on the list is installed on • To match based on specific apps installed on the device,
the device. select the Apps > Include and click Add to specify one or
more App packages to match. The app list you define can
either be a black list or a white list, depending on how you set
up the HIP profile to match the object For example, to create
an app black list, you would add a list of apps here and then
set up the HIP profile to NOT match the object.
• (Android devices only) To match on whether or not the
device has malware-infected apps installed, select Apps >
Criteria and then select a value from the Has Malware
drop-down. Or, to allow specific apps that WildFire has
determined contain malware, select Yes and then click Add
and then specify the app packages to exclude from being
designated as malware.
4. Click OK to save the HIP object.
5. Repeat these steps to create each additional HIP objects you
require.

Create HIP Objects and HIP Profiles (Continued)
Step 2 Create the HIP profiles that you plan to 1. Select Policies > Host Information > HIP Profiles and click Add.
use in your policies. 2. Enter a descriptive Name for the profile and optionally a
When you create your HIP profiles, you Description.
can combine the HIP objects you 3. Click Add Match Criteria to open the HIP Objects/Profiles
previously created (as well as other HIP Builder.
profiles) using Boolean logic such that 4. Select the first HIP object or profile you want to use as match
when a traffic flow is evaluated against the criteria and then click add to move it over to the Match text
resulting HIP profile it will either match box on the HIP Profile dialog. Keep in mind that if you want the
or not match. If there is a match, the HIP profile to evaluate the object as a match only when the
corresponding policy rule will be criteria in the object is not true for a flow, select the NOT check
enforced; if there is not a match, the flow box before adding the object.
will be evaluated against the next rule, as
with any other policy matching criteria.
5. Continue adding match criteria as appropriate for the profile

you are building, making sure to select the appropriate Boolean
operator radio button (AND or OR) between each addition (and,
again, using the NOT check box when appropriate).
6. If you are creating a complex Boolean expression, you must
manually add the parenthesis in the proper places in the Match
text box to ensure that the HIP profile is evaluated using the
logic you intend.
7. When you are done adding match criteria, click OK to save the
profile.
8. Repeat these steps to create each additional HIP profile you
require.
Step 3 (Optional) For privacy reasons, the GPS 1. Select Policies > Host Information > Data Collection and then
location of the mobile device is not edit the Data Collection section.
included in the HIP data the app reports 2. Clear the Exclude GPS Location check box and then click OK.
by default. However, you can enable
collection of the GPS location if you
require this information for policy
deployment.
Step 4 Verify that the HIP objects and HIP Select Monitor > Logs > HIP Match. This log shows all of the matches
profiles you created are matching the Mobile Security Manager identified when evaluating the device
managed devices as expected. data reported by the app against the defined HIP objects and HIP
profiles.

Create HIP Objects and HIP Profiles (Continued)
Step 5 Define the notification messages device 1. Select Policies > Host Information > Notifications and then
users will see when a policy rule with a click Add.
HIP profile is enforced. 2. Select the HIP Profile this message applies to from the
The decision as to when to display a drop-down.
message (that is, whether to display it 3. Select Match Message or Not Match Message, depending on
when the user’s configuration matches a whether you want to display the message when the
HIP profile in the policy or when it corresponding HIP profile is matched in policy or when it is not
doesn’t match it), depends largely on your matched. In some cases you might want to create messages for
policy and what a HIP match (or both a match and a non-match, depending on what objects you
non-match) means for the user. That is, are matching on and what your objectives are for the policy.
does a match mean they are granted full 4. (Match messages only) Select the Include App List check box to
access to your network resources? Or indicate what app(s) triggered the HIP match in the notification
does it mean they have limited access due message.
to a non-compliance issue?
5. Select the Enable check box and then enter the text of your
For example, suppose you create a HIP message in the Template text box.
profile that matches if the device data is 6. Click OK to save the HIP notification message.
not encrypted as required by corporate
7. Repeat this procedure for each message you want to define.
policy. In this case, you might want to
create a HIP notification message for
users who match the HIP profile telling
them that they need to enable disk
encryption before they can receive the
configuration profiles that enable access
to corporate resources. Alternatively, if
your HIP profile matches devices that do
have disk encryption enabled, you might
instead want to create the message for
users who do not match the profile.
Step 6 Save the HIP configuration. Click Commit.

Create Configuration Profiles
Mobile Security Manager configuration profiles provide a simplified mechanism for pushing configurations,
restrictions, and apps to groups of managed devices. Because the configuration profiles you define are pushed
to mobile devices based on policy matches, you can define very specific or very broad configurations and then
deploy them to specific users and groups and/or based on the state of the device and its compliance with your
corporate security requirements.
In addition, you can use configuration profiles to enforce security restrictions for a device or for apps installed
on the device, such as forcing the use of a passcode, restricting device functionalities (such as the use of the
camera), or disabling an iOS app from backing up data to iCloud or iTunes.
 SCEP Configurations—Configurations that allow iOS devices to use the simple certificate enrollment
protocol (SCEP) to obtain certificates from a SCEP-enabled CA, such as the Microsoft SCEP Server. SCEP
can be used to issue the identity certificates that the Mobile Security Manager requires, or it can be used to
issue certificates for other services required on the device. For details, see Set Up an SCEP Configuration.
 Configuration Profiles—Contain the configuration settings, restrictions, apps, and web clips to be pushed
to managed devices upon check-in. You must create separate configuration profiles for iOS and Android
devices due to differences in OS functionality. For details on creating the profiles, see Create an iOS
Configuration Profile and Create an Android Configuration Profile. You can also use a configuration profile
to automate the process of configuring mobile devices to connect to the GlobalProtect VPN. See Define a
GlobalProtect VPN Configuration for specific instructions on this configuration.
 Web Clip Icons—If you plan to deploy web clips to provide shortcuts to web sites or web-based
applications, you must import the associated web clip icons before creating the corresponding configuration
policies. See Import Web Clip Icons.
 iOS Provisioning Profiles—To enable iOS users to launch internally-developed enterprise apps you must
deploy a provisioning profile. You can create configurations that allow you to automatically deploy
provisioning profiles to devices as described in Import an iOS Provisioning Profile.
 Fonts—If you plan to deploy fonts that can be used in apps such as Pages or Keynote, you must import the
associated TruType or OpenType fonts before creating the corresponding configuration policies. See Import
Fonts.
After you create the configuration profiles you need for the devices the Mobile Security Manager manages, you
must create the deployment policies to ensure that the configurations get pushed to the proper devices. See
Create Deployment Policies for details.
Set Up an SCEP Configuration
The simple certificate enrollment protocol (SCEP) provides a mechanism for issuing certificates to a large
number of iOS devices. On the Mobile Security Manager, you can enable SCEP for issuing identity certificates
to the devices during the enrollment process. You can also use SCEP to obtain certificates required for other
configurations. Use the following procedure to create a SCEP configuration, either for use in Mobile Security
Manager enrollment, or for use with other iOS configurations.

Set Up a SCEP Configuration
Step 1 Configure the Mobile Security Manager 1. Select Policies > Configuration > SCEP, click Add.
to integrate with an existing enterprise 2. Enter a Name to identify the CA, such as Enrollment_CA. This
SCEP server for issuing identity name distinguishes this SCEP instance from other instances you
certificates to iOS devices. may use in configuration profiles.
Step 2 Specify the type of challenge to use. The Select one of the following SCEP Challenge options:
challenge is the one-time password (OTP) • None—The SCEP server issues the certificate without an OTP.
that is shared between the Mobile Security
Manager and the SCEP server. The • Fixed—The Mobile Security Manager will provide a static OTP
Mobile Security Manager includes the that is used for all mobile devices. Get the OTP from the SCEP
OTP in the SCEP configuration it sends server and enter it in the text box. You will also need to set the
to the mobile device, and the device uses UseSinglePassword registry value on the SCEP server to force it
it to authenticate itself to the SCEP to use a single password for all client certificate enrollments.
server. • Dynamic—The Mobile Security Manager will get a unique OTP
from the SCEP server for each mobile device during enrollment
using an NTLM challenge-response exchange between the two
servers. If you select this option, you must configure the Server
Path where the Mobile Security Manager can connect to the
SCEP server and enter the credentials that it should use to log in.
In addition, you can select the SSL check box to require an
HTTPS connection for the challenge request. If you enable SSL,
you must select the SCEP server’s root CA Certificate. Optionally
enable mutual SSL authentication between the SCEP server and
the Mobile Security Manager by selecting a Client Certificate.
Step 3 Specify how to connect to the SCEP 1. Specify the Server URL that the mobile device should use to
server. reach the SCEP server. For example,
http://<hostname>/certsrv/mscep_admin/mscep.dll
2. Enter a string (up to 255 characters in length) to identify the
SCEP server in the CA-IDENT Name field.

Set Up a SCEP Configuration (Continued)
Step 4 Specify attributes of the certificates to be 1. Enter a Subject name for the certificates generated by the SCEP
generated. server. The subject must be a distinguished name in the
<attribute>=<value> format and must include the common
name (CN) key. There are two ways to specify the CN:
• (Recommended) Token-based CN—Enter one of the
supported tokens—$USERNAME or $UDID—in place of the
CN portion of the subject name. When the Mobile Security
Manager pushes the SCEP settings to the device, the CN
portion of the subject name will be replaced with the actual
username or device UDID of the certificate owner. This
method ensures that each certificate that the SCEP server
generates is unique for the specific user or device. For
example, O=acme,CN=$USERNAME.
• Static CN—The CN you specify will be used as the subject
for all certificates issued by the SCEP server. For example,
O=acme,CN=acmescep.
2. (Optional) Define any certificate extensions you want to include

in the certificates:
• Subject Alternative Name Type—If you plan to supply a
subject alternative name (SAN), specify the format of the
SAN by selecting one of the following values: rfc822Name,
dnsName, or uniformResourceIdentifier.
• Subject Alternative Name Value—The SAN value to
include in the certificate, in the format specified above.
• NT Principal Name—A user object for the device that can be
used to match the user certificate to an account.
3. Set the Key Size to match the key size defined in the certificate
template on the SCEP server.
4. (Optional) If the mobile device will obtain its certificate over
HTTP, enter the CA certificate Fingerprint (SHA1 or MD5) for
the device to use to authenticate the SCEP server. The
Fingerprint must match the Thumbprint value on the SCEP
server.
Step 5 Save the SCEP profile. 1. Click OK to save the configuration settings you defined and
close the iOS Configuration dialog.

Create an iOS Configuration Profile
The iOS configuration profile contains the configuration settings, certificates, web clips, fonts, and restrictions
to push down to a specific group of iOS devices. If you have groups of iOS device users that need access to
varying services or that require different levels of restrictions, you must create a separate iOS configuration
profile for each.
Create an iOS Configuration Profile
Step 1 Add a configuration profile. 1. Select Policies > Configuration > iOS and then click Add.
Step 2 Enter identifying information for the 1. On the General tab, enter a Name to display for the
configuration. configuration in the Mobile Security Manager web interface.
2. Enter a Display Name to show on the Detail/Profiles screen on
the mobile device as well as on the device HIP report.
3. Enter an Identifier for the configuration in reverse-DNS style
format. For example, if this profile will be used to push a base
iOS configuration to devices, you might name the configuration
something like com.acme.iosprofile.
4. (Optional) Enter a Description to display on the Detail screen
of the mobile device.
Step 3 (Optional) Define how the profile can be 1. By default, the user can remove a configuration profile from
modified. the device. To prevent users from removing this configuration,
select Never from the User Can Remove Profile drop-down.
To require a password for removal, select With Authorization
and then set the Authorization Password.
2. (iOS 6.0 and later) By default, the profile will not get removed
automatically. However, you can select a value from the
Automatically Remove Profile drop-down to have the profile
automatically removed after a specified number of days or on a
specific date.
Step 4 Specify passcode requirements for the 1. If you want to force device users receiving this configuration to
device. use a passcode on the device, select + to expand the list of
available iOS configuration profiles and then select the
If you specify passcode requirements, the
Passcode tab. Select the Passcode check box to enable the
device users will be forced to adhere to
restriction. Simply enabling this field will force use of a
the passcode settings you define.
passcode with a minimum of 4 characters, without imposing any
additional requirements.
2. (Optional) Specify any additional passcode requirements to
enforce, such as length or complexity requirements, the
frequency at which the user must change the passcode, or
whether to force the device to automatically lock after a
specified number of minutes.

Create an iOS Configuration Profile (Continued)
Step 5 (Optional) Push a managed app to the Select + to expand the list of available iOS configuration profiles, and
device. select Apps. Add an app to push to the device, and then select the
Application name from the list of managed apps that you have added
For more detail on adding managed apps
to the Mobile Security Manager.
to the Mobile Security Manager and
extending enterprise security to business When adding a new app to push to a device, or modifying an existing
apps on mobile devices, see Manage app that is installed on the device, you can specify additional settings
Business Apps and Data with an for the app, including if the app is Required or Optional for the
Enterprise App Store. device, and select a VPN configuration for the app to use to route
traffic.
Step 6 (Optional) Set restrictions on what apps • Select + to expand the list of available iOS configuration profiles,
and accounts on a device can be used to and then select and enable App Data Restrictions. Continue to
open business data from managed apps, select one or both of the options to control the Open In
accounts, or web domains. functionality available in apps and mobile email that allows users
to open documents or attachments from one app or account on a
For more details on data restrictions for
mobile device in another app or account.
apps, accounts, and web domains on
mobile devices, and how to set them up, • Select + to expand the list of available iOS configuration profiles,
see Isolate Business Data. and then select Domains. Enable Managed Domains and continue
by allowing documents opened from a specified domain in the
Safari browser on the mobile device to only be opened in managed
apps or managed accounts. You can also enable the Mail app to
highlight email contacts that are out of your network to indicate to
mobile users that they’re composing an email to a contact that is
not a part of your corporate domain.

Step 7 Provide configuration settings that enable To enable configuration settings for a specific type of resource:
device access to one or more of the 1. Select + to expand the list of available iOS configuration
following services: profiles., and then select the tab name.
• VPN (GlobalProtect) 2. Click Add to open the configuration dialog.
• Exchange Active Sync 3. Complete the fields as necessary to allow the mobile devices to
• Wi-Fi access the service (fields with a yellow background are
• Email required). Refer to the online help for information on what to
• LDAP enter in a specific field.
4. For configurations that require a Username, the configuration
Repeat this step for each service you want
will by default use the username the end user provided when
to push settings for in this configuration
authenticating to the Mobile Security Manager during
profile. You can even define multiple
enrollment (Use Saved).
configurations for the same service type,
for example if you wanted to push To specify a different username, select Fixed and then enter a
settings for joining multiple Wi-Fi username in the text box. For Exchange Active Sync and Email
networks. For specific instructions, see configuration profiles you can also specify a user-configured
Define a GlobalProtect VPN domain suffix, by entering $USERNAME@<domain> in the text
Configuration. box, for example $USERNAME@example.com. When the Mobile
Security Manager pushes the configuration settings, it replaces
$USERNAME with the actual username of the device user, and
uses the specified domain name.
For Exchange Active Sync and Email configuration profiles,
you can also use the email address as the username (Use Email
Address). When the Mobile Security Manager pushes the
configuration settings, it replaces the username with the address
specified in the Email Address field.
5. For configurations that require a Password, the configuration
will use a password that the user sets on the mobile device (Set
On Device) by default. To use the password the end user
provided when authenticating to the Mobile Security Manager
during enrollment (Use Saved). Or, to specify a different
password, select Fixed and then enter the password in the text
fields.
On Wi-Fi configurations there is an additional password
setting—Set Per Connection—which requires the device
user to enter the password upon re-joining the network.
Step 8 Set restrictions on what the user can do 1. Select + to expand the list of available iOS configuration
with the device. profiles, and then select and enable Restrictions to begin
configuring settings to control what the user can do with the
mobile device.
2. Select or clear check boxes on the Device Functionality,
Applications, Backup, Security and Privacy, and/or
Supervised Only tabs to define the desired device restrictions.
For example, if you don’t want users to be able to use the
camera, clear the Allow use of camera check box.

Step 9 Add certificates to push to the mobile 1. Select + to expand the list of available iOS configuration
devices. These can either be certificates profiles, select Certificates, and then click Add.
that you generated on the Mobile Security 2. Select an existing certificate from the list, or Import a certificate
Manager, or certificates that you import generated by a different CA.
from a different CA. You can push any
3. If the certificate contains a private key, you must also enter the
certificate the device will need to connect
Password to be used to decrypt the key.
to your internal applications and services.
Step 10 Define configuration settings to redirect 1. Select + to expand the list of available iOS configuration
Internet traffic through a proxy on profiles, select Global HTTP Proxy, and then click Add.
supervised iOS devices. 2. Enable Global HTTP Proxy (supervised only).
3. Select the Proxy Setup type to choose whether mobile devices
should use a specific proxy server (Manual) or automatically
choose the proxy server (Automatic). If you select a manual
proxy, additional fields display to allow you to provide the
settings required to connect.
• Manual—Specify the proxy Port number and Address,
specify what Username and Password to use, and set
whether to Allow bypassing proxy access to captive
networks. A captive network is a public Wi-FI network, also
known as a Wi-Fi Hotspot, that the user subscribes to or pays
to use.
For both the username and password, specify Use Saved to
use the username/password that the device user entered to
authenticate during enrollment, Set on Device to indicate
that the device user will have to manually enter the
username/password, or Fixed to enter a
username/password to push to the devices.
• Automatic—Specify the URL of the PAC file. Optionally, if
the PAC file is unreachable, you can allow the mobile device
to send traffic direct to the Internet. You can also allow the
mobile device to bypass the proxy to access captive networks.
4. Complete the fields as necessary to allow the mobile devices to
redirect Internet traffic through a manual or automatic proxy.
Refer to the online help for information on what to enter in a
specific field.
Step 11 Restrict the content that users can access 1. Select + to expand the list of available iOS configuration
from their supervised mobile devices. profiles. Then select and enable Content Filter to begin
configuring content restrictions.
2. Select the Filter Type to automatically filter out or allow specific
URLs (Limit Adult Content) or block all content except for a
list of URLs that the Mobile Security Manager pushes to the
device as Safari bookmarks (Specific Websites Only).
3. Complete the fields as necessary to restrict content from the
mobile devices. Refer to the online help for information on
what to enter in a specific field.

Step 12 Create shortcuts to web sites or 1. Select + to expand the list of available iOS configuration
web-based applications—called web profiles, select Web Clips, and then click Add.
clips—to display on the Home screen of 2. Enter a Name for the web clip to be used within the Mobile
the device. Security Manager.
Web clips are useful for providing quick 3. Enter a Label for the web clip to display on the Home screen.
access to sites your mobile users will need 4. Enter the URL that will load when the user taps the web clip.
access to, such as your Intranet or internal
5. Select an Icon that you previously imported or click Icon from
bug tracking system. Before creating a
the drop-down menu to import one now.
configuration that includes a web clip,
you must import the associated icon to 6. To restrict users from removing the web clip from the Home
display on the device screen. See Import screen, clear the Removable check box.
Web Clip Icons for instructions. 7. If you want to prevent iOS from adding its standard effects to
the icon (rounded corners, drop shadow, and reflective shine),
Due to a known iOS bug,
select the Precomposed check box.
modifying or removing a web clip
from a configuration will leave an 8. If you want the web page to display in full-screen mode rather
artifact on the device Home screen than launching Safari to display the content, select Full Screen.
until the next device reboot. 9. Click OK to save the web clip.
Step 13 Add printers to push to a user’s AirPrint 1. Select + to expand the list of available iOS configuration
printer list. profiles, select AirPrint, and then click Add.
2. Enter the name of the AirPrint-enabled Printer.
3. Enter the IP Address of the AirPrint destination.
4. Enter the Resource path associated with the printer, for
example printers/CanonMG3000.
Step 14 Restrict the destinations to which an iOS 1. Select + to expand the list of available iOS configuration
device running iOS 7 or later can stream profiles, select AirPlay, and then click Add.
using AirPlay. 2. To Add Passwords, specify the settings that the device will use
to authenticate with an AirPlay device including a Name to
identify the authentication account and the Device Name and
Password of the AirPlay destination.
3. To Add devices to the Whitelist, specify the list of device IDs,
in the format xx:xx:xx:xx:xx:xx, that are available to the
device. The whitelist applies to supervised iOS devices only and
will be ignored for all other devices.
Step 15 Add TruType or OpenType fonts to push 1. Select + to expand the list of available iOS configuration
to iOS devices. Custom fonts are stored profiles, select Fonts, and then click Add.
locally on the device and can be used in 2. Enter a Name to identify the font.
apps such as Pages or Keynote that allow
3. Select a Font that you previously imported.
the selection of new typefaces. Before
creating a configuration that includes a
font, import the associated font file (see
Import Fonts).

Step 16 Set up an access point name (APN) for 1. Select + to expand the list of available iOS configuration
the mobile device to use to present to the profiles, select APN, and then click Add.
carrier to identify the type of network 2. Enable the APN service on managed devices.
connection to supply.
3. Enter the Access Point Name for the packet data network
(PDN) or other service, such as a wireless application protocol
(WAP) server or multimedia messaging service (MMS) to allow
the mobile devices to communicate with.
Step 17 Push single sign-on settings to mobile 1. Select + to expand the list of available iOS configuration
devices to streamline authentication to profiles, and then select Single Sign-On.
networked apps and services using your 2. Enable Single Sign-On to begin configuring single sign-on
Kerberos infrastructure and restrict single settings.
sign-on to apps by app identifier, service
3. Enter the Account Name used to identify the account in the
URL, or both.
4. Enter the Kerberos Principal Name. For example,
jane/user@example.local.
5. Select an Identity Certificate to use to authenticate messages
sent from this account, if required. Use client certificates issued
by your enterprise SCEP server, or to use a previously imported
certificate, import a new certificate, or generate a new
certificate, select Certificate. The Mobile Security Manager
pushes the certificate to all devices receiving this configuration.
6. Enter the Kerberos Realm name. For example,
example.local.
The realm is case-sensitive.
7. Add one or more URL Prefix Matches beginning with either

HTTP or HTTPS that must be matched in order to use this
account for Kerberos authentication over HTTP. For example,
HTTP://www.mycompany.com/.
8. Add one or more App Identifier Matches that are permitted to
use the specified authentication credentials. Enter the exact
match, for example com.mycompany.myapp, or use the *
wildcard to match any app with a bundle ID that begins with a
specific prefix. Use the wildcard after a period and at the end of
a prefix, for example com.mycompany.*.
Step 18 Save the configuration profile. 1. Click OK to save the configuration settings you defined and
close the iOS Configuration dialog.

Create an Android Configuration Profile
The Android configuration profile contains the configuration settings, certificates, web clips, and restrictions to
push down to a specific group of Android devices. If you have groups of Android device users that need access
to varying services or that require different levels of restrictions, you must create a separate Android
configuration profile for each.
Create an Android Configuration Profile
Step 1 Add a configuration profile. 1. Select Policies > Configuration > Android and then click Add.
Step 2 Enter identifying information for the 1. On the General tab, enter a Name to display for the
configuration. configuration in the Mobile Security Manager web interface.
2. Enter a Display Name to show on the Detail/Profiles screen on
the mobile device as well as on the device HIP report.
3. Enter an Identifier for the configuration in reverse-DNS style
format. For example, if this profile will be used to push a base
configuration to devices, you might name the configuration
something like com.acme.androidprofile.
4. (Optional) Enter a Description to display on the Detail screen
of the mobile device.
Step 3 Specify passcode requirements for the 1. If you want to force device users receiving this configuration to
devices. use a passcode on the device, select the + to expand the list of
available Android configuration profiles, select Passcode, and
If you specify passcode requirements, the
then enable the Passcode restriction. Simply enabling this field
device users will be forced to adhere to
will force use of a passcode with a minimum of four characters,
the passcode settings you define.
without imposing any additional requirements.
2. (Optional) Specify any additional passcode requirements to
enforce, such as length requirements or whether to force the
device to automatically lock after a specified number of
minutes.
Step 4 Provide configuration settings that enable Select + to expand the list of available Android configuration
the device to access your VPN. profiles, select VPN, and then enable VPN to begin defining
GlobalProtect VPN connection settings.
For specific instructions on how to create a GlobalProtect VPN
configuration, see Define a GlobalProtect VPN Configuration

Create an Android Configuration Profile (Continued)
Step 5 Provide configuration settings that enable 1. Select + to expand the list of available Android configuration
device access to one or more Wi-Fi profiles, select Wi-Fi, and then click Add.
networks. 2. On the Settings tab, enter a Name to identify this Wi-Fi
For detailed information about each field, configuration on the Mobile Security Manager.
refer to the online help. 3. Enter the Service Set Identifier (SSID) for the wireless
network. The SSID is the broadcast name of the Wi-Fi network;
it is usually a friendly name that allows users to identify what
network they are connecting to. If you do not broadcast your
SSID, select the Hidden Network check box.
4. By default, devices that get this configuration automatically join
the network when the device is in range; to change this behavior
clear the Auto Join check box.
5. On the Security tab, select the Security Type in use on the
wireless network. Depending on what security type you select,
additional fields display to allow you to provide the settings
required to connect, such the password, protocol, and/or
certificate to use.
6. For security types that require end user credentials (Enterprise
security types), select from the following:
• Username—The configuration will by default use the
username the end user provided when authenticating to the
Mobile Security Manager during enrollment (Use Saved). To
specify a different username, select Fixed and then enter a
username in the text box.
• Password—The configuration will use a password that the
user sets on the mobile device (Set On Device) by default. To
use the password the end user provided when authenticating
to the Mobile Security Manager during enrollment (Use
Saved). Or, to specify a different password, select Fixed and
then enter the password in the text boxes.
7. Click OK to save the configuration.
Step 6 Set restrictions on what the user can do 1. Select + to expand the list of available Android configuration
with the device. profiles, select Restrictions, and then enable Restrictions to
control what the user can do with the mobile device.
2. Modify the default restriction settings as desired:
• If you don’t want users with this configuration to be able to
use the camera, clear the Allow use of camera check box.
• If you want to ensure that data on the mobile devices is
encrypted, select the Require encryption of stored data
check box.

Create an Android Configuration Profile (Continued)
Step 7 Add certificates to push to the mobile 1. Select + to expand the list of available Android configuration
devices. These can either be certificates profiles, select Certificates, and then click Add.
that you generated on the Mobile Security 2. Select an existing certificate from the list, Import a certificate
Manager, or certificates that you import generated by a different CA, or generate a new certificate.
from a different CA. You can push any
3. If the certificate contains a private key, you must also enter the
certificate the device will need to connect
Password to be used to decrypt the key.
to your internal applications and services.
Step 8 Create shortcuts to web sites or 1. Select + to expand the list of available Android configuration
web-based applications—called web profiles, select Web Clips, and then click Add.
clips—to display on the Home screen of 2. Enter a Name for the web clip to be used within the Mobile
the device. Security Manager.
Web clips are useful for providing quick 3. Enter a Label for the web clip to display on the Home screen.
access to sites your mobile users will need 4. Enter the URL that will load when the user taps the web clip.
access to, such as your Intranet or internal
5. Select an Icon that you previously imported or click Icon from
bug tracking system. Before creating a
the drop-down menu to import one now.
configuration that includes a web clip,
you must import the associated icon to 6. Click OK to save the web clip.
display on the device screen. See Import
Web Clip Icons for instructions.
Step 9 Save the configuration profile. 1. Click OK to save the configuration settings you defined and
close the Android Configuration dialog.
Define a GlobalProtect VPN Configuration
While the GlobalProtect Mobile Security Manager allows you to push configuration settings that allow access
to your corporate resources and provides a mechanism for enforcing device restrictions, it does not secure the
connection between the mobile device and services it connects to. To enable the client to establish secure tunnel
connections, you must enable VPN support on the device. For simplified GlobalProtect VPN setup on iOS and
Android devices, you can push the GlobalProtect VPN configuration settings to the device in the configuration
profile as described in the following sections:
 Create a GlobalProtect VPN Configuration for iOS devices
 Create a GlobalProtect VPN Configuration for Android Devices
Create a GlobalProtect VPN Configuration for iOS devices
Use the following task to Define a GlobalProtect VPN Configuration for iOS devices. VPN settings can be
added in the configuration profile for the iOS device. For general configuration profile information, see Create
an iOS Configuration Profile.

Create a GlobalProtect VPN Configuration for iOS devices
Step 1 Select or add an iOS configuration profile Select Policies > Configuration > iOS and then click Add. Or, select
to which to add the GlobalProtect VPN an existing configuration to which to add the VPN settings.
configuration settings. If this is a new configuration profile, enter identifying information
for the profile and define other configuration settings and
restrictions as appropriate. See Create an iOS Configuration Profile
for details.
Step 2 Define the GlobalProtect VPN 1. Select + to expand the list of available iOS configuration
connection settings. profiles, and then select VPN.
2. Click Add to open the VPN dialog.
3. Enter a Name to identify this configuration on the Mobile
Security Manager.
4. Enter a Connection Name to display on the device.
5. Enter the FQDN or IP address of the GlobalProtect portal in
the Server field. The value you enter must match the CN field
in the portal server certificate.
6. Make sure Connection Type is set to Palo Alto Networks
GlobalProtect.
Step 3 Specify how to populate the VPN 1. Specify where to get the VPN username by selecting a value
account username and password settings. from the Account drop-down. By default, the GlobalProtect
VPN configuration is set to Use Saved, allowing it to use the
user name the device user provided during enrollment. You can
also specify a Fixed user name to use for all devices using this
configuration, or allow the device user to define the account
user name by selecting Set on Device.
2. By default, the VPN Password will be Set On Device by the
device user. However, if you want to use the password that the
device user supplied when authenticating during enrollment,
select Use Saved, or set a Fixed password to be used by all
devices using this configuration.
3. (Optional) By default, when an Mobile Security Manager policy
gets pushed to a mobile device, all profiles that were previously
pushed by Mobile Security Manager that are not attached to the
matching policy rule are automatically removed from the device.
However, the Mobile Security Manager does not remove VPN
profiles pushed to the device by the GlobalProtect portal,
allowing the user to manually switch profiles. To enable Mobile
Security Manager to remove any existing GlobalProtect VPN
profiles, clear the Allow Portal Profile check box.

Create a GlobalProtect VPN Configuration for iOS devices (Continued)
Step 4 (Optional) Specify a client certificate for To use the identity certificate issued to the mobile device during
the mobile devices to use to authenticate enrollment:
to the GlobalProtect gateway(s) during a. Select None in the Credential field.
establishment of the VPN tunnel. If you
want to push a client certificate to the To use client certificates issued by your enterprise SCEP server:
devices from the portal client a. Select SCEP from the Credential field.
configuration instead or if you are not b. Set Up an SCEP Configuration.
using certificate authentication on your
gateways, you can skip this step. To use a client certificate issued by the Mobile Security Manager:
This feature is useful for preventing a. Import a client certificate to push to the mobile devices onto
devices that are not managed by the the Mobile Security Manager or generate a self-signed
Mobile Security Manager from certificate on the Mobile Security Manager. This option is
connecting to the GlobalProtect VPN. similar to the option to deploy client certificates from the
However, by rejecting connections from GlobalProtect portal. In this configuration, you specify a
non-managed devices you lose visibility single client certificate to use for all mobile devices using this
into that traffic. As a best practice for iOS configuration profile.
controlling traffic from non-managed b. Select Certificate and then select the client certificate to use
mobile devices, create a HIP profile that from the drop-down.
matches based on whether or not the
device is managed and attach it to your If you specify a Credential in this configuration, make
security policies. See Use Host sure that the client configuration that the portal will
Information in Policy Enforcement for deploy to the corresponding mobile devices does not also
more details on creating HIP-enabled contain a client certificate or the certificate in the portal
security policies. configuration will override the certificate specified here.
Step 5 (Optional) Specify what device traffic to 1. To override the settings defined in the portal configuration,
tunnel through the VPN. By default, the select VPN Type and then select Device Level VPN.
GlobalProtect app will tunnel all traffic as 2. Select the Enable VPN On Demand check box and then click
specified in its corresponding portal client Add to define exceptions as follows:
configuration. However, you can override
• Enter an IP address, hostname, domain name or subnet in
the portal tunnel configuration by
the Matching Domain field to specify a tunnel destination.
defining the VPN on Demand setting in
the Mobile Security Manager • Select a corresponding Action to specify when to tunnel
configuration. traffic to the specified Domain (always, never, or ondemand
to allow the end user to manually invoke the VPN).
Device Level VPN is useful in an
environment where you are • Repeat this step for each tunnel destination for which you
managing corporate-owned want to create an override.
devices (rather than personal
devices) in order to ensure that all
device traffic uses the VPN.

Create a GlobalProtect VPN Configuration for iOS devices (Continued)
Step 6 (Optional) Specify for traffic from Select VPN Type and choose from the following settings to Isolate
managed apps to only tunnel through the Business Traffic on a mobile device:
VPN. • Select Per-App VPN to allow managed apps on the device to route
Per App VPN is useful in an all traffic through the VPN.
environment where you are • Enable Per-App VPN On Demand to automatically trigger a VPN
managing personal devices (rather connection for managed apps when they are launched.
than corporate-owned devices) to
ensure that traffic from managed • Add
Matching Domains for Safari to allow a VPN connection to
be triggered for a domain.
business apps travels through the
VPN, while traffic from personal
apps does not. To learn more and
for detailed instructions for
setting up Per App VPN, see
Isolate Business Traffic.
Step 7 Save the configuration profile. 1. Click OK to save the VPN configuration settings.
2. Click OK to save the iOS configuration profile.
Step 8 Configure the gateways to use the Complete the following steps on each gateway:
specified client certificate to enable the 1. Import the root CA certificate that was used to issue the mobile
mobile devices using this configuration to device certificates (either the identity certificate issuer, the
establish HTTPS connections. SCEP server CA, or the self-signed CA certificate from the
Mobile Security Manager depending on which type of client
certificate you are using) onto gateway(s).
2. Add the CA certificate to the certificate profile used in the
gateway configuration.
Create a GlobalProtect VPN Configuration for Android Devices
Use the following task to Define a GlobalProtect VPN Configuration for Android devices. VPN settings can
be added in the configuration profile for the Android device. For general configuration profile information, see
Create an Android Configuration Profile.
Create a GlobalProtect VPN Configuration for Android Devices
Step 1 Add the GlobalProtect VPN Select Policies > Configuration > Android and then click Add or
configuration settings to a new or select an existing configuration to modify.
existing Android configuration profile. If this is a new configuration profile, enter identifying information
for the profile and define other configuration settings and
restrictions. See Create an Android Configuration Profile for details.

Create a GlobalProtect VPN Configuration for Android Devices (Continued)
Step 2 Enable and define the GlobalProtect 1. Select + to expand the list of available Android configuration
VPN connection settings. profiles, and then select VPN.
2. Enable VPN to continue to define the VPN connection settings.
3. Enter a Connection Name to display on the Android device.
4. Enter the FQDN or IP address of the GlobalProtect Portal.
The value you enter must match the CN field in the portal server
certificate.
5. Specify where to get the VPN username by selecting a value
from the Account drop-down. By default, the GlobalProtect
VPN configuration is set to Use Saved, allowing it to use the
user name the device user provided during enrollment. You can
also specify a Fixed username to use for all devices using this
configuration, or allow the device user to define the account
user name by selecting Set on Device.
6. Specify the Connect Method for the VPN:
• User Logon—The GlobalProtect app will initiate network
discoveries and establish connections automatically.
• On Demand—Allow users to establish a connection on
demand. In this case, a user could initiate a connection
manually when attempting to connect to the VPN remotely.
If selected, the On Demand connect method takes
precedence over the connect method defined in the
GlobalProtect portal client configuration.
The VPN connect method defined in the Android
configuration profile takes precedence over the
connect method defined in the GlobalProtect portal
client configuration.
7. By default, the Password for users to authenticate to the VPN
is Set On Device by the device user, meaning that users will have
to manually enter their passwords to authenticate. However, to
allow the password that users supplied when authenticating
during enrollment to be used automatically, select Use Saved, or
set a Fixed password to be used by all devices using this
configuration.

Create a GlobalProtect VPN Configuration for Android Devices (Continued)
Step 3 (Optional) Specify a client certificate for To use the identity certificate issued to the mobile device during
the mobile devices to use to authenticate enrollment:
to the GlobalProtect gateway(s) during Select None in the Credential field.
establishment of the VPN tunnel. If you
want to push a client certificate to the To use a client certificate issued by the Mobile Security Manager:
devices from the portal client 1. Import a client certificate to push to the mobile devices onto the
configuration instead or if you are not Mobile Security Manager or generate a self-signed certificate on
using certificate authentication on your the Mobile Security Manager. This option is similar to the
gateways, you can skip this step. option to deploy client certificates from the GlobalProtect
portal. In this configuration, you specify a single client
This feature is useful for preventing certificate to use for all mobile devices using this Android
devices that are not managed by the configuration profile.
Mobile Security Manager from
connecting to the GlobalProtect 2. Select Certificate and then select the client certificate to use
VPN. However, by rejecting from the drop-down.
connections from non-managed If you specify a Credential in this configuration, make
devices you lose visibility into that sure that the client configuration that the portal will
traffic. As a best practice for deploy to the corresponding mobile devices does not also
controlling traffic from contain a client certificate or the certificate in the portal
non-managed mobile devices, configuration will override the certificate specified here.
create a HIP profile that matches
based on whether or not the device
is managed and attach it to your
security policies. See Use Host
Information in Policy Enforcement
for more details on creating
HIP-enabled security policies.
Step 4 Save the configuration profile. 1. Click OK to save the VPN configuration settings.
Step 5 Configure the gateways to use the Complete the following steps on each gateway:
specified client certificate to enable the 1. Import the root CA certificate that was used to issue the mobile
mobile devices using this configuration to device certificates (either the identity certificate issuer, the
establish HTTPS connections. SCEP server CA, or the self-signed CA certificate from the
Mobile Security Manager depending on which type of client
certificate you are using) onto gateway(s).
2. Add the CA certificate to the certificate profile used in the
gateway configuration.
Import Web Clip Icons
Web clips provide shortcuts to web sites or web-based applications. When the user taps a web clip icon, it
automatically opens the associated URL. The Mobile Security Manager can automatically deploy web clips to
managed devices to provide shortcuts that provide users with quick access to internal systems, such as internal
bug tracking databases, the Intranet, or HR systems. If you plan to include web clips in the configurations you
deploy, you may want to create associated icons to display on the home screen.

You must import the web clip icons onto the Mobile Security Manager as follows before creating configuration
profiles that include web clips. If you do not associate an icon with a web clip, a white square will display instead.
Create Web Clip Icons
Step 1 Create the image files you want to use as Android Icon Guidelines
your web clip icons. Use 32-bit PNG files with an alpha channel for transparency. Use
The icons you create for use with different dimensions for different screen densities as follows:
your web clips must meet specific • Low density 36x36 px
image and naming criteria in order for the • Medium density 48x48 px
OS to display them properly. For best
practices on creating icons for Android • High density 72x72 px
devices, refer to the following document • Extra-high density 96x96 px
on the Android Developers site: Icon
Design Guidelines. For best practices on If the image is larger than 96 px, it will automatically scale to
creating web clip icons for iOS devices, 96x96 px on the device.
refer to the following document in the iOS Icon Guidelines
iOS Developer Library: Custom Icon and
Image Creation Guidelines. Use non-interlaced PNG files. If you want iOS to add its standard
effects (rounded corners, drop shadow, and reflective shine), make
sure the image has 90 degree corners and does not have any shine or
gloss. Create different images with different dimensions for different
iOS platforms as follows:
• For iPhone and iPod touch: 57x57 px (114x114 px for high
resolution)
• For iPad: 72x72 px (144x144 px for high resolution)
Step 2 Import each web clip icon onto the 1. Select Policies > Configuration > Web Clip Icons and click Add.
Mobile Security Manager. 2. Enter a Name and a Description for the icon.
3. Browse to the location of the web clip icon and then click Open.
The path and file name display in the File field.
4. Click OK.
Step 3 Save your changes. Click Commit.
Import an iOS Provisioning Profile
To prevent the propagation of potentially malicious apps, iOS only allows users to install apps from approved
sources via the App Store. To enable users to install internally-developed apps on their iOS devices, you must
obtain a provisioning profile from the iOS Developer Enterprise Program (iDEP). You can then deploy the
provisioning profile to the authorized end devices to allow them to install the app. To simplify the process of
distributing deployment profiles, import the profiles onto the Mobile Security Manager and then deploy them
to managed devices through policy.
Although the Mobile Security Manager simplifies the deployment of provisioning profiles to a large
number of mobile devices, there are some security factors to consider. When revoking access to
an app that has been enabled via a provisioning profile, the app will continue to run on the device
until the next power cycle even if the Mobile Security Manager policy removes the profile. In
addition, because provisioning profiles are synchronized with iTunes, the profile may get
re-installed the next time the end user syncs the device with iTunes.

Use the following procedure to import an iOS provisioning profile onto the Mobile Security Manager:
Import an iOS Provisioning Profile
Step 1 Obtain the provisioning files you need to For more information about how to create provisioning profiles and
enable device users to install your deploy internally-developed apps, go to the following URL:
internally-developed iOS apps. http://www.apple.com/business/accelerator/deploy/
Step 2 After you have your signed provisioning 1. Select Policies > Configuration > iOS Provisioning Profiles and
profile, import it onto the Mobile Security click Add.
Manager. 2. Enter a Name for the profile.
3. Browse to the location of the provisioning profile and then click
Open. The path and file name display in the File field.
4. Click OK.
Import Fonts
Use custom fonts to enhance the creation of content and the presentation of text on mobile devices. Users can
install custom fonts and use them in apps that allow the selection of new typefaces such as in Pages or Keynote.
The Mobile Security Manager can automatically deploy the custom TruType or OpenType fonts to the mobile
device.
You must import the fonts onto the Mobile Security Manager as follows before creating configuration profiles
that include fonts.
Create Web Clip Icons
Step 1 Import each web clip icon onto the 1. Select Policies > Configuration > Fonts and click Add.
Mobile Security Manager. 2. Enter a descriptive name for the font.
3. Browse to the location of the font file, then select the TruType
or OpenType font and click Open. The Mobile Security
Manager displays the font in the list of available fonts.

Create Deployment Policies
After a device successfully enrolls and checks in, the Mobile Security Manager uses the username of the device
user and/or the reported HIP data to match a deployment policy.
Create Deployment Policies
Step 1 Create a new policy rule. 1. Select Policies > Policies and click Add.
2. Enter a descriptive Name to identify the policy rule.
Step 2 Specify which mobile device users to Select the Users/HIP Profiles tab and then specify how to determine
deploy this configuration to. There are a configuration match for this policy rule:
two ways to specify which managed • To deploy this configuration to a specific user or group, click Add
devices will get the configuration: by in the User section of the window and then select the user or
user/group name and/or by HIP match. group you want to receive this configuration from the drop-down.
The Mobile Security Manager uses the Repeat this step for each user/group you want to add.
Users/HIP Profiles settings you specify • To deploy this configuration to devices that match a specific HIP
to determine which configuration to profile, click Add in the HIP Profiles section of the window and
deploy to a device upon check-in. then select a HIP profile.
Therefore, if you have multiple
It is a good idea to test you deployment policies before
configurations, you must make sure to
pushing them out to your entire mobile user base. Consider
order them properly. As soon as the
initially creating a configuration that applies to users in your
Mobile Security Manager finds a match, it
IT group only to allow them enroll with Mobile Security
will deliver the configuration. Therefore,
Manager and test the deployment policies. Then, after you
more specific configurations must
have thoroughly tested the configuration, you could modify
precede more general ones. See Step 4 for
the deployment policy to push the deployments out to
instructions on ordering the list of rules.
mobile users.
Before you can create policy rules to
deploy configurations to specific
users or groups, you configure the
Mobile Security Manager to access
your user directory as described in
Integrate the Mobile Security
Manager with your LDAP
Directory.
Step 3 Specify which configuration profiles to 1. Attach configuration profiles to the policy rule. If your rule is
deploy to devices that match the designed to match both iOS and Android devices, you must
user/HIP profile criteria you defined. attach separate configuration profiles as follows:
• To add an iOS configuration profile or an iOS provisioning
profile, click Add in the iOS section and then select the
profile to add. Repeat this step for each iOS profile to deploy
to devices matching this rule.
• To add an Android configuration profile, click Add in the
Android section and then select the profile to add to the rule.
Repeat this step for each configuration profile to deploy to
devices matching this rule.
2. Click OK to save the policy rule.
3. Repeat Step 1 through Step 3 for each policy rule you need.

Create Deployment Policies (Continued)
Step 4 Arrange the deployment policy rules so • To move a deployment policy rule up on the list of rules, select the
that the proper configuration is deployed rule and click Move Up.
to each device upon check-in. • To move a deployment policy rule down on the list of rules, select
When an device checks in, the Mobile the rule and click Move Down.
Security Manager will compare the
username and the HIP data the device
provided against the policies you have
defined. As with security rule evaluation
on the firewall, the Mobile Security
Manager looks for a match starting from
the top of the list. When it finds a match,
it pushes the corresponding
configuration(s) to the device.
Step 5 Save the deployment policy rules. Commit the changes.

Verify the Mobile Security Manager Configuration Set Up the GlobalProtect Mobile Security Manager
Verify the Mobile Security Manager Configuration

After you finish setting up the Mobile Security Manager (configuring the device check-in interface, enabling
enrollment, and defining configuration and deployment profiles) and setting up the GlobalProtect portal with
the URL for device check-in interface, you should verify that you can successfully enroll a device and that the
Mobile Security Manager profile is successfully installed and enforced.
Verify the Mobile Security Manager Configuration
Step 1 Set up the deployment policies to be As a best practice, begin by deploying policies to a small group of
pushed to the test users. users, such as administrators in the IT department responsible for
administering the Mobile Security Manager:
1. Select Policies > Policies and select the deployment policy to
edit.
2. On the Users/HIP Profiles tab, click Add in the User/User
Group section and then select the user or group who will be
testing the policy.
3. (Optional) Select the deployment policy rule you just
more generic rules you have created.
Step 2 Download and install the GlobalProtect 1. Download the app:

app and navigate to the GlobalProtect • From Android devices, download the app from Google Play.
portal.
• From iOS devices, download the app from the App Store.
2. Tap the GlobalProtect icon on the Home screen to launch the
app.
3. Tap OK to enable VPN functionality on the device.
4. On the GlobalProtect Settings screen, enter the Portal name or
address, Username, and Password and then tap Connect. The
portal name you enter must be a fully qualified domain name
(FQDN) and it should not include the https:// at the
beginning.
If Mobile Security Manager has been configured on the portal,
the device will automatically be redirected to the enrollment
screen after successfully authenticating to the portal.
In order to complete the enrollment process the mobile
device must have Internet connectivity.

Set Up the GlobalProtect Mobile Security Manager Verify the Mobile Security Manager Configuration
Verify the Mobile Security Manager Configuration (Continued)
Step 3 Enroll the mobile device with the 1. When prompted to enroll with the GlobalProtect Mobile
GlobalProtect Mobile Security Manager. Device Management, tap Enroll.
2. When prompted to receive push notifications from
GlobalProtect, tap OK.
3. If the certificate on the device check-in interface was not issued
by a trusted CA, you must Install the CA certificate before you
can proceed with enrollment. If you have a passcode on the
device, you must enter it before you can install the certificate.
4. On the Install Profile screen, tap Install to install the profile and
then tap Install Now to acknowledge that enrollment will
change settings on the iPad. If you have a passcode on the
device, you must enter it before you can install the profile. On
the Warning screen tap Install to continue.
5. When the profile is successfully installed, tap Done. If you are
collecting GPS location information, the app will prompt you to
let GlobalProtect use your current location.
Step 4 Verify that the expected configuration For example:

profiles were pushed to your device. • If you pushed a passcode requirement to the device, you should
be prompted to set a new password within 60 minutes. Tap
Continue to change/set the passcode. Enter your current
passcode and then enter/re-enter the New passcode when
prompted and then tap Save. The dialog box should display any
requirements that your new passcode must meet.
• If you pushed an Exchange Active Sync configuration to the
device, verify that you can connect to the Exchange server and
send and receive mail.
• If you pushed a GlobalProtect VPN configuration, verify that the
device can establish a VPN connection.
• Test any web clips you pushed to the device and verify that you
can connect to the associated URLs.
• If you pushed restrictions to the device, verify that you cannot
perform the restricted actions.

Verify the Mobile Security Manager Configuration Set Up the GlobalProtect Mobile Security Manager
Verify the Mobile Security Manager Configuration (Continued)
Step 5 From the Mobile Security Manager, test 1. Select Devices and locate and select your device on the list.
that push notifications are working. 2. Click Message and enter text to send to the device in the
Message Body text box and then click OK.
3. Verify that you receive the message on your device.
Step 6 Push policies to the rest of your user base. After you verify that your Mobile Security Manager configuration
and policies are working as expected, update your policies for
deployment to the rest of your user base.

Set Up the GlobalProtect Mobile Security Manager Set Up Administrative Access to the Mobile Security Manager
Set Up Administrative Access to the Mobile Security

Manager
By default, the GlobalProtect Mobile Security Manager comes preconfigured with a default administrative
account (admin), which provides full read-write access (also known as superuser access) to the appliance. As a
best practice, you should create a separate administrative account for each person who needs access to the
administrative or reporting functions of the appliance. This prevents unauthorized configuration (or
modification) and enables logging of the actions of each individual administrator.
There are two steps to setting up administrative access:
 Set Up Administrative Authentication
 Create an Administrative Account
Set Up Administrative Authentication
There are three ways to authenticate administrative users:
 Local administrator account with local authentication—Both the administrator account credentials and
the authentication mechanisms are local to the appliance. You can further secure the local administrator
account by creating a password profile that defines a validity period for passwords and by setting device-wide
password complexity settings. With this type of account you do not need to perform any configuration tasks
before creating the administrative account. Continue to Create an Administrative Account.
 Local administrator account with external authentication—The administrator accounts are managed
on the local firewall, but the authentication functions are offloaded to an existing LDAP, Kerberos, or
RADIUS service. To configure this type of account, you must first create an authentication profile that
defines how to access the external authentication service and then create an account for each administrator
that references the profile. See Create an Authentication Profile for instructions on setting up access to
external authentication services.
 Local administrator account with certificate-based authentication—With this option, you create the
administrator accounts on the appliance, but authentication is based on SSH certificates (for CLI access) or
client certificates/common access cards (for the web interface). See Enable Certificate-Based Authentication
for the Web Interface and/or Enable SSH Certificate-Based Authentication for the Command Line
Interface for instructions.

Set Up Administrative Access to the Mobile Security Manager Set Up the GlobalProtect Mobile Security Manager
Create an Authentication Profile
An authentication profile specifies the authentication service that validates the administrator’s credentials and
defines how to access that authentication service. You must create a server profile first so that the Mobile
Security Manager can access to a RADIUS, Kerberos, or an LDAP authentication server.
Create an Authentication Profile
Step 1 Create a server profile that defines how 1. Select Setup > Server Profiles and then select the type of
to connect to the authentication server. authentication service to connect to (LDAP, RADIUS, or
Kerberos).
2. Click Add and then enter a Name for the profile.
3. Select the Administrator Use Only check box, if appropriate.
4. Click Add to add a new server entry and enter the information
required to connect to the service. For details on required field
values for each type of service, refer to the online help.
Step 2 Create an authentication profile. 1. Select Setup > Authentication Profile and then click Add.
2. Enter a user Name to identify the authentication profile.
3. In the Authentication drop-down, select the type of
authentication to use.
4. Select the Server Profile you created in Step 1.
Step 3 Commit the changes. Click Commit.

Enable Certificate-Based Authentication for the Web Interface
As a more secure alternative to using a password to authenticate an administrative user, enable certificate-based
authentication for securing access to the Mobile Security Manager. With certificate-based authentication a digital
signature is exchanged and verified, in lieu of a password.
Use the following instructions to enable certificate-based authentication.
Enable Certificate-Based Authentication
Step 1 Generate a CA certificate on the Mobile To generate a CA certificate on the Mobile Security Manager:
Security Manager. 1. Log in to the Mobile Security Manager web interface.
If you want to use certificates from 2. Select Setup > Certificate Management > Certificates and click
a trusted third-party or enterprise Generate.
CA, you must import that CA 3. Enter a Certificate Name, and add the IP address or FQDN
certificate into the Mobile Security that needs to be listed on the certificate in the Common Name
Manager so that it can trust the field. Optionally, you can change the cryptographic settings, and
client certificates that you generate. define certificate options such as country, organization, or state
etc.
4. Make sure to leave the Signed By option blank and select the
Certificate Authority option.
5. Click Generate to create the certificate using the details you
specified above.
Step 2 Create the Client Certificate Profile that 1. Select Setup > Certificate Management > Certificate Profile
will be used for securing access to the web and click Add.
interface. 2. Enter a name for the certificate profile and in the Username
Field select Subject.
3. Select Add in the CA Certificates section and from the CA
Certificate drop-down, select the CA certificate you created in
Step 1.
Step 3 Configure the Mobile Security Manager 1. On the Setup > Settings tab, click the Edit icon in the
to use the client certificate profile for Authentication Settings section of the screen.
admin authentication. 2. In the Certificate Profile field, select the client certificate
profile you created in Step 2.
3. Click OK to save your changes.

Enable Certificate-Based Authentication (Continued)
Step 4 Create or modify an administrator 1. Select Setup > Administrators and then click Add.
account to enable client certificate 2. Enter a login name for the administrator; the name is
authentication on the account. case-sensitive.
3. Select Use only client certificate authentication (Web) to
enable the use of the certificate for authentication.
4. Select the Role to assign to this administrator. You can either
select one of the predefined dynamic roles or select a custom
role and attach an authentication profile that specifies the access
privileges for this administrator.
5. (Optional) For custom roles, select the device groups, templates
and the device context that the administrative user can modify.
6. Click OK to save the account settings.
Step 5 Create and export the client certificate 1. Use the CA certificate to generate a client certificate for the each
that will be used to authenticate an administrative user.
administrator. a. Select Setup > Certificate Management > Certificates and
click Generate.
b. In the Common Name field, enter the name of the
administrator for whom you are generating the certificate.
The name syntax should match the format used by the local
or external authentication mechanism.
c. In the Signed by field, select the same CA certificate that you
created in Step 1.
d. Click Generate to create the certificate using the details you
specified above.
2. Export the client certificate you just generated.
a. Select the certificate that you just created and click Export.
b. To encrypt the private key, select PKCS12 as the File Format.
c. Enter a passphrase to encrypt the private key and confirm
your entry.
d. Click OK to export the certificate.
Step 6 Save your configuration changes. Click Commit.

You will be logged out of the web interface.
Step 7 Import the administrator's client For example, in Firefox:

certificate into the web browser of the 1. Select the Tools > Options > Advanced menu.
client that the administrator will use to 2. Click the View Certificates button
access the Mobile Security Manager web
3. Select the Your Certificates tab and click Import. Browse to the
interface.
location where you saved the client certificate.
4. When prompted, enter the passphrase to decrypt the private
key.

Enable Certificate-Based Authentication (Continued)
Step 8 Log in to the Mobile Security Manager 1. Access the IP address or hostname of the Mobile Security
web interface. Manager.
2. When prompted, select the client certificate you imported in
Step 7. A certificate warning will display.
3. Add the certificate to the exception list and log in to the Mobile
Security Manager web interface.
Enable SSH Certificate-Based Authentication for the Command Line Interface
To enable SSH certificate-based authentication, complete the following workflow for every administrative user:
Enable SSH (Public-Key Based) Authentication
Step 1 Use an SSH key generation tool to create For the commands required to generate the keypair, refer to the
an asymmetric keypair on the client product documentation for your SSH client.
machine. The public key and private key are two separate files; save both the
The supported key formats are: IETF public key and the private key to a location that can be accessed by
SECSH and Open SSH; the supported the Mobile Security Manager. For added security, enter a passphrase
algorithms are: DSA (1024 bits) and RSA to encrypt the private key. You will be prompted for this passphrase
(768-4096 bits). when you log in to the Mobile Security Manager.
Step 2 Create an account for the administrator 1. Select Setup > Administrators and then click Add.
and enable certificate-based 2. Enter a user Name and Password for the administrator.
authentication. You will need to configure a password. Make sure to enter a
strong/complex password and record it in safe location; you will
only be prompted for this password in the event that the
certificates are corrupted or a system failure occurs.
3. (Optional) Select an Authentication Profile.
4. Enable Use Public Key Authentication (SSH).
5. Click Import Key and browse to import the public key you saved
in Step 1.
select one of the predefined Dynamic roles or a custom
Role-Based profile.
7. Click OK to save the account.
Step 4 Verify that the SSH client uses its private 1. Configure the SSH client to use the private key to authenticate
key to authenticate to the public key, to the Mobile Security Manager.
which is presented by the Mobile Security 2. Log in to the CLI on the Mobile Security Manager.
Manager.

Create an Administrative Account
After defining the authentication mechanisms for authenticating administrative users, you must create an
account for each administrator. When creating an account, you must define how to authenticate the user. In
addition, you must specify a role for the administrator. A role defines the type of access the associated
administrator has to the system. There are two types of roles you can assign:
 Dynamic Roles—Built-in roles that provide Superuser, Superuser (read-only), or Device administrator,
Device administrator access to the Mobile Security Manager. With dynamic roles, you don’t have to worry
about updating the role definitions as new features are added because the roles automatically update.
 Admin Role Profiles—Allow you to create your own role definitions in order to provide more granular
access control to the various functional areas of the web interface, CLI and/or XML API. For example, you
could create an Admin Role Profile for your operations staff that provides access to the network
configuration areas of the web interface and a separate profile for your IT administrators that provides access
to policy definition, mobile security management functions, logs, and reports. Keep in mind that with Admin
Role Profiles you must update the profiles to explicitly assign privileges for new features/components that
are added to the product.
The following example shows how to create a local administrator account with local authentication:
Create an Administrator Account
Step 1 If you plan to use Admin Role Profiles Complete the following steps for each role you want to create:
rather than Dynamic Roles, create the 1. Select Setup > Admin Roles and then click Add.
profiles that define what type of access, if 2. On the Web UI and/or XML API tabs, set the access levels for
any, to give to the different sections of each functional area of the interface by clicking the icon to
the web interface, CLI, and XML API for toggle it to the desired setting:
each administrator assigned to the role.
• Enable
• Read Only
• Disable
As a best practice, be sure to restrict the device wipe
action to just one or two administrators who are very
familiar with Mobile Security Manager to ensure that end
user devices do not get wiped accidentally.
3. On the Command Line tab, specify the type of access to allow
to the CLI: superuser, superreader, deviceadmin,
devicereader or None to disable CLI access entirely.
4. Enter a Name for the profile and then click OK to save it.

Create an Administrator Account (Continued)
Step 2 (Optional) Set requirements for local • Create Password Profiles—Define how often administrators
user-defined passwords. must change their passwords. You can create multiple password
profiles and apply them to administrator accounts as needed to
enforce the desired security. To create a password profile, select
Setup > Password Profiles and then click the Add.
• Configure minimum password complexity settings—Define
rules that govern password complexity, allowing you to force
administrators to create passwords that are harder to guess, crack,
or compromise. Unlike password profiles, which can be applied to
individual accounts, these rules are device wide and apply to all
passwords. To configure the settings, select Setup > Settings >
Management and then edit the Minimum Password Complexity
section.
Step 3 Create an account for each administrator. 1. Select Setup > Administrators and then click Add.
2. Enter a user Name for the administrator.
3. Specify how to authenticate the administrator:
• To use local authentication, enter a Password and then
Confirm Password.
• To use external authentication, select an Authentication
Profile.
• To use certificate/key based authentication, select the Use
only client certificate authentication (Web) check box (for
access to the web interface and select Use Public Key
Authentication (SSH) for access to the CLI. You must also
enter a Password, which will only be required in the event
that the certificates are corrupted or a system failure occurs.
select one of the predefined Dynamic roles or a custom Role
Based profile if you created one in Step 1.
5. (Optional) Select a Password Profile.
6. Click OK to save the account.


Manage Mobile Devices
After your mobile device users enroll with the GlobalProtect Mobile Security Manager, you can monitor the
devices and ensure that they are maintained to your standards for protecting your corporate resources and data
integrity standards. Although GlobalProtect Mobile Security Manager simplifies the administration of mobile
devices, enabling you to automatically deploy your corporate account configuration settings to compliant
devices, you can also use Mobile Security Manager for remediation of security breaches by interacting with a
device that has been compromised. This protects both corporate data as well as personal end user data. For
example, if an end user loses a device, you can send an over-the-air (OTA) request to the device to sound an
alarm to help the user locate it. Or, if an end user reports a lost or stolen device, you can remotely lock the device
from the Mobile Security Manager or even wipe the device (either completely or selectively).
In addition to the account provisioning and remote device management functions that the Mobile Security
Manager provides, when integrated with your existing GlobalProtect VPN infrastructure, you can use host
information that the device reports to the Mobile Security Manager to enforce security policies for access to
applications through the GlobalProtect gateway and use the monitoring tools that are built into the Palo Alto
next-generation firewall to monitor mobile device traffic and application usage.
The following topics describe how to manage mobile devices from the Mobile Security Manager and how to
integrate information learned by the Mobile Security Manager into your network security infrastructure:
 Group Devices by Tag for Simplified Device Administration
 Monitor Mobile Devices
 Administer Remote Devices
 Create Security Policies for Mobile Device Traffic Enforcement

Group Devices by Tag for Simplified Device Administration Manage Mobile Devices
Group Devices by Tag for Simplified Device Administration

A tag is a text label that you can assign to a managed mobile device to simplify device administration by enabling
grouping of devices. The tags you define can be used to identify a group of devices to which to apply similar
policies, to interact with OTA—for example to push a new policy or send a message. After assigning a tag to a
device, the tag is included in the host information profile (HIP) for the device. Because the HIP profile is also
shared with the GlobalProtect gateway, you can then create HIP profiles on the gateway to enable you to enforce
security policy based on tag value.
Because you can manually create the tags, they provide a flexible mechanism for achieving any type of device
provisioning or security enforcement that you require. For example, you could create tags to distinguish personal
devices from company provisioned devices. You could then create HIP objects that match specific tags,
providing endless possibilities as to how you can group managed devices for configuration deployment.
Or, if you want to be able to approve devices before you deploy policy to them, you could assign a tag to
approved devices and then create a HIP profile to only push policy to devices with the approved tag.
There are a couple of different ways to assign tags to mobile devices:
 Manually Tag Devices
 Pre-Tag Devices
Manually Tag Devices
To manually tag devices, you would create the tags you need on the Mobile Security Manager and then assign
them to the devices after enrollment as described in the following workflow:
Create Tags and Assign them to Managed Devices
Step 1 Define the tags you need for monitoring 1. Select Setup > Tags and then click Add.
devices, pushing deployment policies, or 2. Enter a descriptive tag Name for the tag. This will be the name
enforcing security policy on the that you will match on when creating HIP objects/profiles for
GlobalProtect gateway. deployment and/or security policy.
3. (Optional) Enter a comment (up to 63 alpha-numeric
characters, including special characters) that describes how you
plan to use the tag.
4. Click OK to save the tag.

Manage Mobile Devices Group Devices by Tag for Simplified Device Administration
Create Tags and Assign them to Managed Devices (Continued)
Step 2 Assign tags to managed mobile devices. 1. Go to the Devices tab.

You can also use this procedure to 2. Select the devices you want to assign the tag to by clicking in the
remove tags from devices, selecting row that corresponds to the device entry. To simplify this
the tags you want to remove and process, you can sort the devices by any of the column headers
then clicking Untag. or use one of the pre-defined Filters in the left pane.
3. Click Tag.
4. Associate tags with the selected device(s) in one of the following
ways:
• Click Add to display the list of tags you have created so that
you can click one, or click New Tags to define a new tag on
the fly.
• To browse through the list of tags you have created, click
Browse and then locate the tags you want to associate with
the selected devices, clicking the to add each tag to the list
of tags associated with the selected device(s). Repeat this step
for each tag to associate with the selected device(s).
5. Click Tag to save the tag associations.
Pre-Tag Devices
To simplify administration of policies for corporate-provisioned devices, you can automatically pre-tag
corporate devices by compiling a list of serial numbers for the devices to be provisioned in a comma-separated
values (CSV) file and then importing them into the Mobile Security Manager. By default, imported devices are
assigned the tag “Imported.” Optionally you can add a second column to your CSV/XLS file for the tag name
if you want to specify any additional tags to assign to imported devices, for example if you have different levels
of access for different groups of users receiving corporately provisioned devices. You do not have to assign the
same tag to all imported devices.
Import a Batch of Devices
Step 1 Create a comma-separated values (CSV) Create the CSV file in two columns without adding column headers
file or Microsoft Excel spreadsheet that as follows and then save it to your local computer or network share:
contains the list of device serial numbers
in the first column and, optionally, a list
of tags to assign to devices in the second
column.

Group Devices by Tag for Simplified Device Administration Manage Mobile Devices
Import a Batch of Devices (Continued)
Step 2 Import the device list. 1. Go to the Devices tab and click Import.
2. Enter the path and name of the CSV or XLS File you created or
Browse to it.
3. Click OK to import the device list and associate the Imported
tag with the devices, along with any other tags you defined
per-device within the file.
Step 3 Verify that device import was successful. On the Devices tab, click View Imported. Verify that the devices you
just imported appear on the list. Notice that device serial numbers
As soon as a device on the imported list
for which you did not specify a tag value get the tag imported only,
enrolls, the tags you associated with the
whereas device serial numbers that you specified one or more tag
serial number will automatically be
values for contain those tags in addition to the imported tag:
assigned to the device.

Manage Mobile Devices Monitor Mobile Devices
Monitor Mobile Devices

One of the problems with allowing mobile device access to your corporate resources is the lack of visibility into
the state of the devices and the identifying information that is required in order to track down devices that pose
a threat to your network and your applications.
Monitor Mobile Devices
• Use the Dashboard for at-a-glance information The Dashboard tab provides a collection of widgets that display
about managed devices. information about the Mobile Security Manager status as well as
information about the mobile devices it is managing. You can
customize the which widgets display and where each one appears on
the screen. The dashboard allows you to monitor mobile device
information in the following categories:
• Device Trends—Display quick device counts over the past week
for newly enrolled and unenrolled devices, devices that did and
did not check in, and the total number of devices under
management each day. You can click into each graph to view
up-to-the minute statistics.
• Device Summary—Display pie charts that allow you to view the
device mix by device model, Android model, iOS model, and
operating system. Click into a widget to view detailed information
about the devices by model or operating system.
• Device Compliance—Allow you to quickly view counts of
devices that may pose a threat, such as devices infected with
malware, devices that don’t have a passcode set, or that are
rooted/jailbroken. Click into a widget to view detailed statistics
about the non-compliant devices.
• Device Apps—Display bar graphics that allow you to view the top
five managed and unmanaged apps by operating system and the
top five VPP apps. Click into a widget to view the full app report
and view additional information about the apps.

Monitor Mobile Devices Manage Mobile Devices
Monitor Mobile Devices (Continued)
• Use the Devices tab to view detailed device The Devices tab displays information about the devices that the
statistics about managed (or previously managed) Mobile Security Manager currently manages and the mobile devices
devices. it has previously managed.
Tips:
• Select a pre-defined filter from the
Filters list.
• Manually enter a filter in the filter text
box. For example, to view all Nexus
devices, you would enter (model
contains 'Nexus') and then click the
Apply Filter button.
• Modify which columns are displayed by
hovering over a column name and clicking
the down-arrow icon.
• To perform an action on a device or
group of devices, select the device(s) and
then click an action button at the bottom of
the page. For details, see Administer
Remote Devices.

• Monitor the MDM logs for a information on From the Mobile Security Manager web interface, select Monitor >
device activities, such as check-ins, cloud Logs > MDM.
messages, and broadcast of HIP reports to
gateways. The MDM log will also alert you to
high severity events such as a device reporting a
rooted/jailbroken status. Additionally, the MDM
log provides insight as to which device users are
manually disconnecting from the GlobalProtect
VPN.
Click the log details icon to view the complete HIP report for
the device associated with the log entry. The HIP report collected by
the Mobile Security Manager is an extended version of the HIP
report, and includes detailed information including identifying
information about the device such as the serial number, phone
number (if applicable), and IMEI, device status information, and a
list of all apps installed on the device, including a list of apps that are
known to contain malware.

Monitor Mobile Devices Manage Mobile Devices
• Monitor the HIP Match logs on the Mobile From the Mobile Security Manager web interface, select Monitor >
Security Manager Logs > HIP Match. Click a column header to choose which columns
to display.
• Monitor HIP Match logs on the GlobalProtect From the web interface on the firewall hosting the GlobalProtect
gateway. On the gateway, a HIP match log is gateway, select Monitor > Logs > HIP Match.
generated each time the gateway receives a HIP
report from a GlobalProtect client that matches
the criteria in a HIP object and/or HIP profile
defined on the gateway. On the gateway, the HIP
profiles are used in security policy enforcement
for traffic initiated by the client. Or, monitor the
HIP Match logs on Panorama™ for an
aggregated view of HIP match data across all
managed GlobalProtect gateways.

• View the built-in reports or build custom reports. Select Monitor > Reports. To view the reports, click the report
The Mobile Security Manager provides various names on the right side of the page (Custom Reports, if defined, App
Reports, Device Reports, and PDF Summary Reports).
“top 50” reports of the device statistics for the
previous day or a selected day in the previous
week.
By default, all reports are displayed for the
previous calendar day. To view reports for any of
the previous days, select a report generation date
from the calendar at the bottom of the page.
The reports are listed in sections. You can view
the information in each report for the selected
time period. To export the log in CSV format,
click Export to CSV. To open the log information
in PDF format, click Export to PDF. The PDF
file opens in a new window. Click the icons at the
top of the window to print or save the file. To
export the log information in XML format, click
Export to XML.
• Monitor the ACC on the firewall hosting the From the web interface on the firewall hosting the GlobalProtect
GlobalProtect gateway. Or, monitor the ACC on gateway, select ACC and view the HIP Matches section.
Panorama for an aggregated view of HIP match
data across all managed GlobalProtect gateways.

Administer Remote Devices Manage Mobile Devices
Administer Remote Devices

One of the most powerful features of GlobalProtect Mobile Security Manager is the ability to administer
managed devices—wherever they are in the world—by sending push notifications over-the-air (OTA). For iOS
devices, the Mobile Security Manager sends messages over the Apple Push Notification service (APNs). For
Android devices, the Mobile Security Manager sends messages over Google Cloud Messaging (GCM). This
enables you to take action quickly if you suspect that a device is compromised or if an employee leaves your
organization and you want to ensure that access to your corporate systems is disabled, or if you want to send a
message to a specific group of mobile device users.
 Interact With Devices
 Take Action on a Lost or Stolen Device
 Remove Devices
Interact With Devices
Any time you want to interact with a mobile device, you select the mobile device or group of devices from the
Devices tab and then click one of the buttons at the bottom of the page as follows:
Perform an Action on a Remote Device
Step 1 Select the devices you want to interact 1. Select the Devices tab.
with. 2. Select the devices to interact with in one of the following ways:
• Select a pre-defined filter from the Filters list. You can select
multiple filters to display a customized view of the mobile
devices that have enrolled with the Mobile Security Manager.
• Manually enter a filter in the filter text box. For example, to
view all Nexus devices running Android 4.1.2, you would
enter (model contains 'Nexus') and (os-version eq
'4.1.2') and then click the Apply Filter button. You can
also add filters to the text box by clicking a field in one of the
device entries. For example, clicking on and entry Android in
the OS column automatically adds the filter (os eq 'android').
• To build a filter using the user interface, click the Add Filter
button, build the filter by adding attribute-value pairs,
separated by operators, and then click to apply the filter.

Manage Mobile Devices Administer Remote Devices
Perform an Action on a Remote Device (Continued)
Step 2 Select an action. Click one of the buttons at the bottom of the screen to perform the
corresponding action on the selected device(s). For example:
• To send a message to the end users who own the selected
device(s), click Message, enter the Message Body, and then click
OK.
• To request a device check-in, for example on filtered list of devices
that have not checked in within the last day (last-checkin-time
leq '2013/09/09'), select the devices and then click Check in
to send a push notification to the devices requesting that they
check in with the Mobile Security Manager.
• To remotely unlock a mobile device (for example, if the end user
has forgotten the passcode), select the device and then click
Unlock. The device will unlock and the user will be prompted to
set a new passcode.
Take Action on a Lost or Stolen Device
If an end user reports that a managed device has been lost or stolen, you should take immediate action to ensure
that the data on the device is not compromised. Select the device on the Devices tab and then take one or more
of the following actions as appropriate to the situation:
Secure a Lost or Stolen Device
• Lock the device. As soon as a user reports that a device is lost or stolen, you should
lock it to ensure that the data on the device cannot be accessed if it
is in the wrong hands. Select the device and then click Lock to
immediately lock the device. To access the apps and the data on the
device, the device user must re-enter the passcode.
• Try to locate the device. Select the device and then click Alarm to sound an alarm.
• Remove access to corporate systems and erase If you believe that a device may be in the wrong hands, but the user
corporate data. does not want you to wipe the personal data, you can click Selective
Wipe.
All profiles that enabled access to your corporate systems and apps
pushed to the device from the Mobile Security Manager will be
removed, including any data that was associated with those
applications. The Selective Wipe action preserves settings and apps
on the device that were not pushed from the Mobile Security
Manager.
• Erase all device data. This is known as a wipe To protect both the corporate data on the device and the end user’s
because it removes all device data, not just access personal data, the end user may request that you wipe all data on the
to corporate systems. device. To do this, select the device and then click Wipe.

Administer Remote Devices Manage Mobile Devices
Remove Devices
Although end users can manually unenroll from GlobalProtect Mobile Security Manager directly from the
GlobalProtect app, as administrator you can also unenroll devices OTA. This is useful in cases where an
employee has left the company without unenrolling from the Mobile Security Manager on a personal device. To
unenroll devices, select the devices you want to remove on the Devices tab and then use one of the following
two options:
Remove Devices from Management
• Unenroll devices. To remove a device from the GlobalProtect Mobile Security

Manager, but leave its device entry in the Mobile Security Manager,
select the device and then click Unenroll. This is a good option if the
end user is still employed by your company, but the device will either
permanently or temporarily be unmanaged. By leaving the device
entry on the Mobile Security Manager you can still view information
about the device, including historical HIP match logs, reports, and
device statistics.
• Delete devices. To remove a mobile device from management and remove its device
entry from the Mobile Security Manager, select the device and then
click Delete. This is a good option if you want to clean up the
database to remove entries for users who are no longer with the
company or to remove devices that have been replaced. Note,
however, that this action will permanently remove the device record
from the database. Additionally, if the device is enrolled at the time
that you perform the Delete action, the device will be unenrolled and
then the record will be deleted from the Mobile Security Manager
database.

Manage Mobile Devices Create Security Policies for Mobile Device Traffic Enforcement
Create Security Policies for Mobile Device Traffic

Enforcement
The deployment policies you create on the GlobalProtect Mobile Security Manager provide simplified account
provisioning for access to your corporate applications for mobile device users. Although you have granular
control over which users get polices that enable access to which applications—based on user/group and or
device compliance—the Mobile Security Manager does not provide traffic enforcement of mobile device traffic.
While the GlobalProtect gateway already has the ability to enforce security policy for GlobalProtect app users,
the offering of HIP match information for mobile devices is somewhat limited. However, because the Mobile
Security Manager collects comprehensive HIP data from the devices it manages, by leveraging the HIP data that
the Mobile Security Manager collects, you can create very granular security policies on your GlobalProtect
gateways that enable you to take into account device compliance and tags from the Mobile Security Manager.
For example, you could create one security policy on the gateway allowing mobile devices with the tag
“company-provisioned” full access to your network, and provide a second security policy for allowing mobile
devices with the tag “personal-device” access to the Internet only.
Create Security Policy for Managed Devices on the GlobalProtect Gateway
Step 1 Configure the GlobalProtect gateways to See Enable Gateway Access to the Mobile Security Manager for
retrieve HIP reports from the Mobile detailed instructions.
Security Manager.
Although the Connection Port
value is configurable on the
gateway, the Mobile Security
Manager requires that you leave the
value set to 5008. The option to
configure this value is provided to
enable integration with third-party
MDM solutions.

Create Security Policies for Mobile Device Traffic Enforcement Manage Mobile Devices
Create Security Policy for Managed Devices on the GlobalProtect Gateway (Continued)
Step 2 (Optional) On the Mobile Security See Group Devices by Tag for Simplified Device Administration for
Manager, define the tags you want to use detailed instructions.
for security policy enforcement on the
gateway and assign them to managed
mobile devices.
Step 3 On the GlobalProtect gateways, create See Configure HIP-Based Policy Enforcement for detailed
the HIP objects and HIP profiles you will instructions.
need for enforcement of mobile device
traffic policies.
Step 4 Attach the HIP profile to the security

policy and then Commit the changes on
the gateway.

Manage Business Apps and Data with
an Enterprise App Store
You can extend your management of mobile devices enrolled with GlobalProtect to manage business apps,
accounts, and data. Use the GlobalProtect Mobile Security Manager to approve apps for your users to use for
business, make business apps available for users to browse and install from an enterprise app store, and isolate
business data on mobile devices to business apps and accounts.
The following topics describe how to set up an enterprise app store, in order to enable secure access to and use
of business resources on mobile devices, and how to use the Mobile Security Manager to centrally manage
business apps and data:
 Enterprise App Store Overview
 Enterprise App Store Concepts
 Add Managed Apps
 Set Up the App Store
 Manage and Monitor Apps
 Isolate Business Traffic
 Isolate Business Data
 Enable Single App Mode

Enterprise App Store Overview Manage Business Apps and Data with an Enterprise App Store
Enterprise App Store Overview

Use an enterprise app store to distribute business apps to your users, safely enabling them to access business
resources on their mobile devices while protecting business data. Add enterprise apps, Apple App Store apps,
Google Play apps, or apps purchased in bulk through the Apple Volume Purchase Program (VPP) as apps you
approve to be used as a managed business resource on mobile devices. Before distributing apps to your users,
enable settings that will be enforced for the app and app data on mobile devices to ensure that business apps
are used in compliance with your security standards. You can secure business data by isolating it to business apps
and accounts on mobile devices, while users personal data remains separate and private. Push Managed Apps
to users, assigning the apps to targeted users or wide audiences, through policy deployment. Users will receive
the Required and Optional Apps assigned to them at device check-in.
Users can browse and install the apps assigned to them from the GlobalProtect app. The GlobalProtect app for
both iOs and Android has a new icon on the menu bar that users can click to access the enterprise app store.
The following images shows the enterprise app store as it is displayed in the GlobalProtect app for an iOS user
(left) and an Android user (right).
The Mobile Security Manager allows you continued visibility into and control of business apps, accounts, and
data when installed on mobile devices, while preserving the users’ privacy and native mobile experience.
Creating an enterprise app store on the Mobile Security Manager includes the following steps and options:
 Add an Enterprise App. This can include customizing the internally-developed app.
 Add Google Play or Apple Apps and require them to be managed in order to be used for business on a
mobile device.
 Add VPP Apps as Managed Apps to sync your VPP account with the Mobile Security Manager, allowing
you to purchase and then distribute apps to your users in volume.
 Isolate Business Traffic and Isolate Business Data to secure and contain business data to business apps
and accounts. Personal data and network traffic can remain separate and private.

Manage Business Apps and Data with an Enterprise App Store Enterprise App Store Overview
 Set Up the App Store to distribute managed apps to assigned users.
 Manage and Monitor Apps installed on mobile devices. This can include enabling automatic updates for
apps, viewing the status of managed apps on mobile devices and whether they are included in policies,
viewing managed apps installed on devices, as well as unmanaged apps that are installed. You can also
Manage VPP Resources from the Mobile Security Manager in order to administer app licenses.

Enterprise App Store Concepts Manage Business Apps and Data with an Enterprise App Store
Enterprise App Store Concepts

See the following topics to learn about GlobalProtect app store concepts:
 Managed Apps
 Required and Optional Apps
 Apple Volume Purchase Program (VPP)
Managed Apps
A managed app is an app that you require or recommend to be managed by the Mobile Security Manager in
order for your users to safely use the app for business on their mobile devices. You can assign managed apps to
specific users, groups, or devices or easily distribute them to wide audiences. Managed apps are explicitly
communicated to your users as managed by their network administrator; the first time that you push a required
app to a device, the user is prompted to acknowledge and confirm the app’s installation as a managed app.
You can add enterprise apps, public apps (from the Apple App Store or Google Play), or purchased apps (from
the Apple Volume Purchase Program (VPP)) as managed apps. Add managed apps to the Mobile Security
Manager that you want to be used as a business tool or that you think are likely to be used for occupational or
educational productivity and collaboration. Managing the apps you add to the Mobile Security Manager then
allows you to secure the corporate data contained in or shared amongst apps used for business.
After you add a managed app to the Mobile Security Manager, you can:
 Assign the app to users
 Update the app to the latest version
 Group the app with other apps to easily push apps to users with the same security settings
 Configure the app to route all traffic through your corporate VPN
 Prevent the app from backing up data to iCloud or iTunes
 Allow the app to only share data with other managed apps or accounts
 Allow the app to only open data from other managed apps or accounts
 Revoke the app from a user or device

Additionally, designating apps as managed allows you to effectively distinguish and apply appropriately different
treatment to apps that are not managed on a user’s device. Apps installed on enrolled devices that are not
managed are reported as not managed apps. You can choose to exclude data collection from apps that are not
managed or to selectively wipe a device so that corporate settings and apps are removed, while any personal apps
and settings are preserved. The distinction between managed apps (business apps) and not managed apps
(personal apps) allows you to secure managed apps and isolate managed apps’ data, without interfering with
personal data.
Add Managed Apps to get started.

Manage Business Apps and Data with an Enterprise App Store Enterprise App Store Concepts
Required and Optional Apps
You can designate a managed app as required or optional. Apps that are defined as required are installed
automatically on the device at device check-in. The first time that a required app is pushed to a device, the user
is prompted to acknowledge and confirm the app’s installation as an app managed by the network administrator.
Users can open the GlobalProtect app and select Required to display required apps that are assigned to them
and installed on their mobile device. The following images show the Required menu as selected in the
GlobalProtect app for iOS (left) and Android (right):
Define an app required to specify that it must be managed on a mobile device to access corporate resources and
to be used to collaborate for work. If an unmanaged version of a required app is installed on a managed device,
you can alert the user to remove the unmanaged version of the app to successfully install the managed business
app (select Setup > Settings > Server > Managed App/Account Notification Settings). The managed version of the
app will not install until the unmanaged version of the app is deleted. When the user deletes the unmanaged
version of the app, the managed app will install automatically at the next device check-in.
You can also select a managed app to be optional for your users. Optional apps are not automatically installed
on enrolled devices. Users can open the GlobalProtect app and select Optional to browse the optional apps
recommended to them and choose to install the apps on their mobile device. The following images show the
Optional menu as selected in the GlobalProtect app for iOS (left) and Android (right):
Define an app as optional for your users to recommend it to them as a business resource.
Apple Volume Purchase Program (VPP)
The Apple Volume Purchase Program (VPP) is a service provided by Apple that allows you to purchase apps
in volume. You can sync your VPP account with the Mobile Security Manager in order to quickly and easily
distribute resources that you have purchased using the VPP. VPP apps can be assigned to users and pushed to
devices as managed apps, similar to any other Apple, Google Play, or enterprise managed apps. A user can view
and install VPP resources, along with other approved apps, in the GlobalProtect app store on the managed
device. To sync your VPP account with the Mobile Security Manager in order to add VPP purchases as managed
apps, see Add VPP Apps as Managed Apps.

Add Managed Apps Manage Business Apps and Data with an Enterprise App Store
Add Managed Apps

In order to distribute apps to your users, first add the apps you want to approve for your users as Managed Apps.
See the following topics to add enterprise, public (Apple App Store or Google Play), or purchased Apple
Volume Purchase Program (VPP) apps:
 Add an Enterprise App
 Add Google Play or Apple Apps
 Add VPP Apps as Managed Apps
Add an Enterprise App
Add and customize an enterprise app, so that it can be distributed to your users in the GlobalProtect app store.
Creating an enterprise app includes importing the app binary file onto the Mobile Security Manager and
customizing the description of the app for the app store.
Create an iOS or Android Enterprise App
Step 1 Locate the app binary file. Ensure that the binary file for the enterprise app you want to add is
accessible for import onto the Mobile Security Manager or that you
know the app binary URL:
• Save the app binary file to your local system so that it can be easily
imported on the Mobile Security Manager.
• If the app binary file is stored on an external server, you can
reference the app binary URL. The mobile device you push the
app to will download the app directly from the app binary URL.

Manage Business Apps and Data with an Enterprise App Store Add Managed Apps
Create an iOS or Android Enterprise App (Continued)
Step 2 Add the enterprise app to the Mobile 1. On your Mobile Security Manager, select Apps > Store and click
Security Manager. Add.
2. Enter a descriptive app Name. This name is for administrator
use, in order to easily recognize the app when adding it to
configuration profiles and policies. This is not the name of the
app as it will be displayed in the GlobalProtect app store (for
iOS apps, the app name displayed in the app store is extracted
from the app’s binary file. For Android apps, you must manually
add the app’s name, as described in the next step).
3. Select the Enterprise App tab, and enter the App Details:
a. Select the app’s OS (either iOS or Android).
b. Upload the enterprise app binary file:
– If the app is saved on your local system, browse for and
select the App Binary.
– If the app binary file is saved externally, select External
Server and enter the App Binary URL. When you push this
app to a device, it will install directly from the URL you
reference here.
c. (Android apps only) Enter the Display Name that you want
to be shown for the app in the enterprise app store, the app’s
Package Name, and the app Version.
Importing the app binary file automatically populates
these fields for iOS apps.
d. (Optional) Enter the app’s Developer Name and Category.
You can categorize the app to make its intended use more
identifiable to users (for example, “Reference” or
“Communication”).

Create an iOS or Android Enterprise App (Continued)
Step 3 (Optional) Customize the app’s Continue on the Enterprise App tab and select the App Metadata
appearance and details for the app store. subtab.
You can modify the appearance • (Android only) Browse for and select an App Icon to be displayed
and details for an existing for the app in the enterprise app store.
enterprise app at any time. by • Enter a Description for the app to help your users understand
completing this step and how they can use the app or the features it offers. This description
committing the changes. is displayed under the App Details.
• If you are modifying an existing enterprise app, you can enter
updates on What’s New for the app since the previous version.
• Add Screenshots of the app to highlight the app’s features or
show users what the app looks like. You can add screenshots
according to the type of display they are designed for:
• (iOS apps) Add screenshots for a 3.5-Inch Retina Display, a
4-Inch Retina Display, and an iPad (applies to both iPads and
iPad Minis).
• (Android) Add screenshots designed for an Android Phone,
a 7-inch tablet, or a 10-inch tablet.
Step 4 Save the enterprise app. Click Add and Commit the configuration.
The newly created enterprise app is displayed on the Store >
Applications page as managed app.
Step 5 Distribute your enterprise app to users on Set Up the App Store.
their devices.

Add Google Play or Apple Apps
You can add publicly available apps from the Apple App Store or Google Play to the Mobile Security Manager
as Managed Apps. Adding public apps as managed apps allows you to distribute apps that are frequently used
for business (the Box or Salesforce apps, for example) to your users, while securing the apps and the corporate
data that the apps access. Use the following procedure to add a public app to the Mobile Security Manager as a
managed app.
Add an Apple App Store or Google Play app
Step 1 Select public apps to add as managed 1. Select Store > Applications and click Add.
apps. 2. Enter a descriptive Name for the app.
Refer to this name when adding the app to configuration
profiles or policies. The name of the app in the Apple
App Store or Google Play is the name that will continue
to be displayed to users.
3. Select the Apple App Store/ Google Play tab.
4. Enter an App URL from Apple App Store or Google Play.
You can also select the Apple App Store and Google Play links
to browse for the app’s URL.
5. Click Add.
Step 2 Save the Apple App Store or Google Play Commit the configuration.
managed app. Select Store > Applications and view the list of managed public and
enterprise apps.
Step 3 Apply security settings to the public app Set Up the App Store.
and assign it to users in the app store on
their devices.
Add VPP Apps as Managed Apps
You can use the Apple Volume Purchase Program (VPP) to purchase apps in bulk and then use the Mobile
Security Manager to distribute them to your users as Managed Apps. When you push a VPP app to a device for
the first time, Apple prompts the user to register and enroll with Apple using an Apple ID. Users’ Apple-IDs
are registered with the Apple VPP service and are not visible to Mobile Security Manager administrators. When
the user has successfully signed in and registered with the VPP service using an Apple-ID, the enrolled device
can receive assigned VPP resources during device check-in. VPP apps are pushed to the device directly from
the Apple App Store.
The following topics describe how to sync your VPP purchases to the Mobile Security Manager and then
continue to administer VPP apps:
 Sync Apple VPP Resources with the Mobile Security Manager
 Manage VPP Resources from the Mobile Security Manager

Sync Apple VPP Resources with the Mobile Security Manager
Use the following procedure to allow purchases made with your VPP account to sync to the Mobile Security
Manager. You can then easily distribute purchases made in volume to your users.
Sync Apple VPP resources with the Mobile Security Manager
Step 1 Enroll your organization with VPP. Start at Apple’s Deployment Program page
(https://deploy.apple.com/qforms/web/index/avs) and Enroll
Enrolling with VPP requires an Apple ID
with the Volume Purchase Program.
and includes providing organization
details to Apple, including your
organization’s D-U-N-S Number.
Step 2 Retrieve a VPP token. The VPP store provides a web interface for integration with MDMs.
When you are logged in to the VPP store, go to the Account
Summary and download a token to link the Mobile Security Manager
with your VPP account.
Step 3 Sync your VPP account with the Mobile 1. Select Setup > Settings > Server and the Apple Volume
Security Manager. Purchase Program section.
2. Select Volume Purchase Program.
3. Import the VPP Token you downloaded from Apple in Step 2.
Apple’s policy requires a new token once a year.
Step 4 Invite users to enroll with VPP. 1. On the Devices tab, select the upper-most check box to invite
all managed devices to enroll with VPP, or filter for and select
This step is recommended to
specific devices to enroll with VPP.
enroll many users at once.
However, users that are not 2. Select Actions and click Invite to VPP.
enrolled with VPP will be 3. Click OK.
prompted to enroll the first time A push notification is sent to the GlobalProtect app on the
that a VPP app is pushed to them, selected devices, inviting the users to enroll with VPP.
and can enroll at that time to
continue to receive VPP resources.
Step 5 Apply security settings to VPP apps and Set Up the App Store.
distribute them to users in the app store.
Step 6 Monitor and manage VPP apps. Manage VPP Resources from the Mobile Security Manager.

Manage VPP Resources from the Mobile Security Manager
After you Add VPP Apps as Managed Apps, you can monitor and manage the VPP apps you have assigned to
users directly from the Mobile Security Manager. Revoke an app from a user or device, request that new users
enroll with VPP, or unenroll users or devices that you no longer want to receive VPP resources (for example, if
they leave your company or are inactive).
Manage VPP Resources from the Mobile Security Manager
• View your VPP resources and license details. Select Store > Apple Volume Purchase Program to view your VPP
app purchases. This page displays the Number of Licenses
purchased, the amount of Available Licenses to assign to users or
devices, and how many licenses are in use for each VPP app
(Redeemed Licenses).
• Revoke an app license from a user or specific 1. Select Store > Apple Volume Purchase Program and select the
device. app you want to revoke from a user or device.
2. Click Return License to display a pop-up listing all users and
devices the app is assigned to.
3. Select the user or device that you want to revoke the app from
and click Return License.
4. When an app license is returned, Apple sends a notification to
the device that there is a 30-day grace period for the user to
continue to use the app, save any data, or buy a personal copy of
the app.
5. Ensure that the app is not reassigned to the same user at the next
device check-in by removing the app from the policy deployed
to the user:
a. Select Policies > Configuration > iOS and select the
configuration profile associated with the user in the deployed
policy.
b. On the Apps tab, Delete the app you want to revoke from the
user and click OK.
6. Commit the configuration.
• Invite selected users to enroll with VPP 1. On the Devices tab, select the device or devices you want to be
separately from policy deployment. able to receive VPP resources.
2. Select Actions and click Invite to VPP to send a push
notification to the user, inviting them to enroll with Apple VPP.
3. Click OK.
• Revoke a user’s access to and use of all VPP 1. On the Devices tab, select the device or devices you want to
resources. revoke from access to VPP resources.
2. Select Actions and click Revoke VPP.
3. Click OK.

Set Up the App Store Manage Business Apps and Data with an Enterprise App Store
Set Up the App Store

Use the Mobile Security Manager to set up the enterprise app store. Setting up the app store includes adding
managed apps to configuration profiles and configuring settings to secure managed business apps and app data
on managed devices. After adding managed apps to a configuration profile, you can assign and push managed
apps to targeted users or wide audiences using GlobalProtect policy deployment. Managed apps are displayed
for users in the enterprise app store in the GlobalProtect app.
Use the following procedure to set up your app store as a centralized location for you to distribute managed
business apps to users and for users to browse and install apps assigned to them.
Set Up Your App Store
Step 1 Ensure that the apps you want to Select the Store tab to view your managed apps or Add Managed
distribute to users in the app store are Apps.
added to the Mobile Security Manager as
managed apps.
Step 2 Create an application group. 1. Select Store > Application Groups and click Add.
You can group applications in order to 2. Give the Application Group a descriptive Name.
easily add them to a configuration profile. 3. Select from your managed apps to include any available
enterprise apps, Apple App Store apps, Google Play apps, or
This is useful if you want to push several
VPP purchases in an application group.
apps to users at once, and the apps require
the same settings. 4. Click OK.
If an application group contains

both iOS and Android apps, the
apps are pushed depending on the
OS of the device: Android apps
are pushed to Android devices and
iOS apps are pushed to iOS
devices.

Manage Business Apps and Data with an Enterprise App Store Set Up the App Store
Set Up Your App Store (Continued)
Step 3 Add the managed app to a configuration Use an Android Configuration profile for Android apps:
profile. 1. Select Policies > Configuration > Android and Add a new
Android Configuration profile or select an existing profile to
Use the configuration profile to configure
modify
security settings for the app, including
enabling Per App VPN for the app or 2. Select the Apps tab. If the tab is hidden, select + to expand the
disabling the app from backing up data. list of Android configuration profiles, and then select Apps.
3. Click Add and select an Application from the list of managed
apps.
4. Select an Install Option for the app, either Required or
Optional. Required apps are automatically installed on managed
devices. Users can browse and choose to install optional apps
assigned to them on the Apps screen in the GlobalProtect app.
5. (Optional) Select to Remove App When Unenrolled to
automatically delete the app and app data if the device is no
longer managed by GlobalProtect.
6. Click OK.
Use an iOS Configuration profile for iOS apps:

1. Select Policies > Configuration > iOS and Add a new iOS
Configuration profile or select an existing profile to modify.
2. Select the Apps tab. If the tab is hidden, select + to expand the
list of iOS configuration profiles, and then select Apps.
3. On the Apps tab, Add a new app to the configuration profile:
a. Select the Name of the app from the drop-down of managed
apps.
b. Select an Install Option for the app: either Required or
Optional. Required apps are automatically installed on
managed devices. Users can browse and choose to install
optional apps assigned to them on the Apps screen in the
GlobalProtect app.
c. (Optional) Enable additional options to secure the app and
app traffic when it is installed on a device:
– Select a Per App VPN configuration for the app to use to
route all app traffic. See Isolate Business Traffic to set up
this feature.
– Select Remove App When Unenrolled to automatically
delete the app if the device is no longer managed by
GlobalProtect.
– Select Prevent Backup to iCloud or iTunes to block the
app from transferring data to iCloud or iTunes.
– Add values to App Configurations, allowing you to
remotely configure settings and defaults for an app. See the
Online Help for more detail.
4. (Optional) Select the App Data Restrictions or Domains tab to
enable settings to control data movement to and from apps,
accounts, and web domains (See Isolate Business Data).
5. Click OK to save the configuration profile.

Set Up the App Store Manage Business Apps and Data with an Enterprise App Store
Set Up Your App Store (Continued)
Step 4 Attach the configuration profile to a 1. Select Policies > Polices and select a policy to modify (or Add a
deployment policy. new policy).
For detailed steps to create a deployment 2. Leave the default Any selected for Users and HIP Profiles to
policy, see Create Deployment Policies. push the managed apps to all users and all managed devices.
3. Select Configurations and Add the iOS or Android
configuration profile.
If the rule is designed to match both iOS and Android
devices, attach separate configuration profiles.
4. Click OK to save the policy.
Step 5 Save the changes. Click Commit.

Manage Business Apps and Data with an Enterprise App Store Manage and Monitor Apps
Manage and Monitor Apps

You can use the Mobile Security Manager to continue to manage apps that have been distributed to your users
and to gain visibility apps installed on enrolled devices. Use the settings described in the table below to manage
apps that have been distributed to users.
See Manage VPP Resources from the Mobile Security Manager for details on managing VPP
apps and licenses.
Manage the App Store
• View managed apps on a device. Select Devices:

• The Managed Apps column displays installed apps that are
managed for each entry.
• Select the entry details for any device. The HIP Report displays a
list of installed apps on the selected device that are managed:
Installed Apps - Managed.
• (iOS only) Enable automatic app updates. Set a schedule to automatically update managed apps versions. This
will update all managed apps to the latest versions available in the
Apple App Store.
1. Select Setup > Settings > Server > Apps Auto Update Schedule
and edit the Apps Auto Update Schedule.
2. Set how often you would like managed apps to be udpated:
Daily or Weekly.
Automatic app updates are disabled by default, with the
default settings as None.
3. Click OK.

Manage and Monitor Apps Manage Business Apps and Data with an Enterprise App Store
Manage the App Store (Continued)
• Collect (or exclude) a list of apps that are not 1. Set up data collection for apps that are not managed (or exclude
managed on a device. data collection for apps that are not managed):
a. Select Policies > Host Information > Data Collection and
edit the Data Collection Excludes.
b. Exclude or collect data from unmanaged apps:
– Do not report apps that are not managed—Do not collect
a list of apps that are not managed on a device. No data is
collected from unmanaged apps; it is not reported at all if
unmanaged apps are installed on a managed device or what
the unmanaged apps are.
– Report apps that are not managed—Collect a list of apps
that are not managed on a device. In this case, data from the
apps is not collected and only the app name and status as
unmanaged is reported.
c. Click OK.
2. If you chose to report apps that are not managed, you can view
a list of apps that are not managed on a single device:
Select Devices and select the entry details for any device. The
HIP Report shows a list of apps on the selected device that are
not managed: Installed Apps - Not Managed.
• Enable and customize an alert to users to remove Select Enable Managed App/Account Notification to alert users to
an unmanaged version of an app or Exchange remove an unmanaged version of an app or Exchange account that
account from their devices. is installed on their devices. This notification is displayed to the user
when you have pushed a managed app or account settings to a device
and an unmanaged version of the app or account is already installed.
Managed apps and Exchange account settings can only be pushed to
the device when the user removes the unmanaged version of the
same app or deletes the current Exchange account settings.
Use these notifications to automatically instruct users to delete an
unmanaged app or account settings from their device.
You can use the default message or customize it for your
organization:
1. On the Setup > Settings > Server tab, edit Managed
Apps/Account Notification Settings.
2. Select Enable Managed App Notification and optionally modify
the default Message.
3. Click OK.
After the user removes the unmanaged app or account settings from
the device, the Mobile Security Manager pushes the managed app or
account settings automatically at the next device check-in.

Manage Business Apps and Data with an Enterprise App Store Isolate Business Traffic
Isolate Business Traffic

Traffic from business apps on a mobile devices can be enabled to travel through your corporate VPN, separating
business traffic from personal traffic on a mobile device.
Isolate business traffic on a managed mobile device using the Per App VPN settings on the Mobile Security
Manager. This feature works by allowing you specify that traffic from business apps can only travel through your
corporate VPN. Per App VPN is particularly useful in an environment where users are using personal devices
to access your organization’s network; in this case, you could enable Per App VPN to ensure that corporate data
from the managed app travels through the VPN while personal data, from apps that are not managed, does not.
For business apps with Per App VPN enabled, if the app is unable to connect to the configured VPN, the app
will be unavailable to the user and will not send traffic until the secure connection is established.
Use the Mobile Security Manager to set up Per App VPN for managed apps. Setting up Per App VPN includes
enabling a VPN configuration to be used for Per App VPN and enabling Per App VPN for a managed app or
application group.
.
Isolate Business Traffic for iOS Apps
Step 1 Ensure that the apps you want to use Select the Store tab to view your managed apps or Add Managed
VPN are added to the Mobile Security Apps.
Manager as managed apps.
Step 2 (Optional) Create an application group Create an application group.

that includes the apps for which you want
to route traffic through the corporate
VPN.
Group apps to enable Per App
VPN for several applications at the
same time, rather than enabling it
for each app individually.
Step 3 Enable a VPN configuration to use for 1. Select Policies > Configuration > iOS and Add a new iOS
Per App VPN. Configuration Profile or select an existing profile to modify.
If this is a new configuration profile, enter identifying
information for the profile and define other configuration
settings and restrictions as appropriate. See Create an iOS
Configuration Profile for details.
2. Select a VPN configuration to enable for Per-App VPN.
To create a new GlobalProtect VPN configuration, see
Define a GlobalProtect VPN Configuration.

Isolate Business Traffic Manage Business Apps and Data with an Enterprise App Store
Isolate Business Traffic for iOS Apps (Continued)
Step 4 Define VPN settings for managed apps. 1. Select VPN Type and enable Per-App VPN (Configured apps
will send traffic over VPN).
With this setting enabled, all traffic from managed apps on a
mobile device will be routed through the VPN.
2. Enable Per-App VPN On Demand, similar to VPN On
Demand, to automatically trigger a VPN connection for apps
with Per-App VPN enabled when the apps are launched
(Per-App VPN enabled alone does not prompt a VPN
connection when the app is launched; it only ensures that the
app’s data travels through the VPN).
3. Allow a VPN connection to be triggered for a Safari web
domain when accessed from a mobile device. Add an IP address,
hostname, domain name or subnet to the Matching Domains
for Safari Browser. When the VPN connection is established,
all traffic for that Safari session will travel through the VPN.
For example, you could add an internal company site as a
matching domain so that if a user who is not located at the
corporate office is attempting to access the internal site
remotely, a VPN connection is triggered and the user will be
able to successfully access the site.
If you want to control documents or attachments
opened from a corporate site on a mobile device, you
can specify that documents opened from a web domain
in Safari can only be opened in managed business apps
or accounts. See Isolate Business Data.
4. Click OK to save the VPN settings for managed apps.
Step 5 Enable Per-App VPN for an application 1. Continue in the same configuration profile and select Apps and
or application group. Add the application group (or individual app) to the
configuration profile, or select an existing app or application
group to modify.
2. In the Per App VPN dropdown, select the same VPN
configuration you enabled for Per-App VPN.
Step 6 Save the iOS Configuration Profile. 1. Click OK to save the iOS configuration profile.
Next Steps... • If you modified an existing configuration profile that is already

attached to a deployment policy, the updated settings to isolate
business traffic will be pushed to users during the next device
check-in.
• If you created a new configuration profile, continue by attaching
the configuration profile to a deployment policy. See Create
Deployment Policies.

Manage Business Apps and Data with an Enterprise App Store Isolate Business Data
Isolate Business Data

Users can open business documents on their mobile devices or transfer documents from their original location
by using the native Open In option. This option allows users to open documents from an app, an email account,
or a web domain in a different app or account on their mobile device. Control what apps and accounts open
and share business documents on a mobile device, and alert users when sending an email to a contact that is not
a part of your corporate domain, in order to isolate and secure business data on a mobile device. You can do
this by enabling settings to control the Open In option for managed business accounts, managed apps, and
managed web domains (in the Safari browser app) to secure business data from those apps, accounts, and
domains so that it is not shared outside of your corporate network. With this feature, the Open In option cannot
be used to move, for example, a sensitive document available on your corporate intranet to a personal app, where
it is no longer subject to your control and can be easily redistributed or lost.
The options to isolate business data also include enabling the Mail app to highlight email contacts that are out
of your network. This can inform your users that they are composing, forwarding, or replying to an email
recipient that is outside of your company.
To isolate business data to managed apps and accounts, enable App Data Restrictions and Managed Domains
settings, which can be applied selectively or comprehensively to isolate business data.
Isolate Business Data for iOS Apps
Step 1 Add or modify an iOS configuration 1. Select Policies > Configuration > iOS and Add a new iOS
profile. Configuration Profile or select an existing profile to modify.
If this is a new configuration profile, enter identifying
information for the profile and define other configuration
settings and restrictions as appropriate. See Create an iOS
Configuration Profile for details.
2. If you are creating a new configuration profile, select + to
expand the list of iOS configuration profiles, select the Apps tab,
and then Add the apps or application group to which you want
to apply the App Data Restrictions.
Step 2 Control what apps and accounts can open Select the App Data Restrictions tab and enable App Data
business documents on a mobile device. Restrictions. Select one or both of the following options:
• Block Open In from managed apps and accounts to unmanaged
apps
Disables managed apps and accounts from opening files in
personal apps or accounts (apps or accounts that are not
managed).
• Block Open In from unmanaged apps and accounts to managed
apps
Blocks personal apps and accounts from opening files in managed
apps.

Isolate Business Data Manage Business Apps and Data with an Enterprise App Store
Isolate Business Data for iOS Apps (Continued)
Step 3 Control what apps and accounts can open 1. Select the Domains tab and enable Managed Domains.
business documents from a Safari web 2. Add a Domain for Safari browser.
domain.
Documents or attachments from the domain you add (for
example, your corporate site) can only be opened on mobile
devices in other managed business apps or accounts.
Because this setting allows you to control the Open In option
for users in the Safari app, the setting is enforced according to
the App Data Restrictions that you enabled in Step 2.
Step 4 Highlight email contacts that are out of Continue on the Domains tab and Add, for example, your corporate
your network in the Mail app. domain to the Highlighted domains in Mail app table.
Any email contacts that are not a part of the domains you add show
as highlighted in the Mail app.
In this example, if you add your corporate domain, any email
contacts that are not a part of your corporate domain will be
highlighted in the Mail app when users are composing, forwarding,
or replying to an email with that contact as the recipient. This alerts
users before they choose to send what could be sensitive or
business-related data outside of your network.
Step 5 Save the iOS Configuration Profile. 1. Click OK to save the iOS configuration profile.
Next steps... • If you modified an existing configuration profile that is already

attached to a deployment policy, the updated App Data
Restrictions and Managed Domains settings will be pushed to
users during the next device check-in.
• If you created a new configuration profile, continue by attaching
the configuration profile to a deployment policy. See Create
Deployment Policies.

Manage Business Apps and Data with an Enterprise App Store Enable Single App Mode
Enable Single App Mode

Single app mode allows you to restrict the use of a device to a single iOS app in order to guide users to perform
only the tasks or functions available within that app. Single app mode can be enabled with an
internally-developed app or any public or purchased apps and is a powerful tool in commercial and educational
settings, such as stores, restaurants, museums, universities, and transit hubs. For example, you could implement
single app mode at a casual restaurant, where kiosks are provided to customers to browse the menu and place
an order, or at a university, where devices are provided to students to securely take exams or complete projects
without distraction. An organization can implement single app mode to ensure company-owned devices are
being used consistently, efficiently, and effectively for their designated purpose, and to facilitate a guided and
simplistic experience for users to perform the selective tasks.
The new App Lock settings on the Mobile Security Manager support single app mode and provide options to
adjust, override, or enforce device functionalities while the locked app is in use.
Enable App Lock settings to:
 Dedicate a device to use a particular app.
 Disable hardware buttons, such as Volume, Ringer Switch, or Sleep Wake buttons.
 Enable features such as Voice Over, Zoom, Speak Selections, or Assistive Touch to facilitate use of the app
(this can be helpful if hardware features are disabled and you want to continue to provide limited
functionalities to users).
 Disable default features, such as Screen Rotation and Auto Lock.

You can selectively enable or disable any of the app lock settings to ensure that a device and the specific app is
used for a selective purpose in a controlled environment. Use the following procedure to enable Single App
Mode for a device or multiple devices at once.
Enable Single App Mode
Step 1 Ensure that the iOS app you want to lock Select the Store tab to view your managed apps or Add Managed
is managed by the Mobile Security Apps.
Manager.

Enable Single App Mode Manage Business Apps and Data with an Enterprise App Store
Enable Single App Mode (Continued)
Step 2 Create a dedicated configuration profile 1. Select Policies > Configuration > iOS and click Add.
specifically to push the locked app to 2. Give the iOS Configuration profile a descriptive Name for your
managed devices. reference (for example, Locked Menu App), a Display Name
For more detail on other options available visible to the user (for example, Menu), and an Identifier.
when setting up a configuration profile, 3. Select + to expand the list of available iOS configuration
see Create Configuration Profiles. profiles, and then select App Lock.
4. Enable App Lock and then select the App Name of the app you
want to lock.
5. Select optional settings to apply to the locked app. The
following settings can be used to override or enforce device
functionalities in order to facilitate access to or use of the app:
• Disable Touch—Disables the device’s basic touch controls,
such as pinching and tapping.
• Disable Volume Button—Disables the volume buttons so
that the volume cannot be adjusted.
• Disable Sleep Wake Button—Disables the device’s Sleep
Wake button so that it cannot be used to put the device to
sleep or restart the device.
• Enable Voice Over—Ensure Voice Over controls can be
used to navigate, input text, or perform other tasks on the
device using voice. Voice Over allows for the device to read
aloud items that a user taps on the screen.
• Enable Invert Colors—Ensures invert colors remain
enabled. A display with inverted colors shows high contrast
between colors and can be helpful for users with various
visual impairments.
• Enable Speak Selection—Ensures speak selection remains
enabled.
• Disable Device Rotation—Turns device rotation off.
• Disable Ringer Switch—Disables the ringer switch’s
functionality so that it cannot be used to mute the device’s
sound.
• Disable Auto Lock—Overrides the device’s auto lock
functions that put the screen to sleep after a set period of
time.
• Enable Zoom—Enables zoom capabilities where the device’s
screen can be magnified using three fingers to tap and drag.
• Enable Assistive Touch—Enables Assistive Touch as a
modified way for users to interact with the screen and to
allow use of a compatible adaptive accessory.
• Enable Mono Audio—Enables Mono Audio so that all audio
can be played through a single mono channel.
6. Click OK to save the configuration profile.

Manage Business Apps and Data with an Enterprise App Store Enable Single App Mode
Enable Single App Mode (Continued)
Step 3 Create a new policy to push the locked 1. Select Policies > Policies and click Add.
app to devices. 2. Give the policy rule a descriptive Name.
See how to Create Configuration Profiles. 3. Select the Users/HIP Profiles tab and specify how to determine
a configuration match for this policy rule:
• To deploy this configuration to a specific user or group, click
Add in the User section and then select the user or group you
want to receive this configuration from the drop-down.
Repeat this step for each user or group you want to add.
• To deploy this configuration to devices that match a specific
HIP profile, click Add in the HIP Profiles section and then
select a HIP profile.
4. Select Configurations and Add the iOS configuration profile
you created in Step 2 for the locked app.
5. Click OK.
Step 4 Save your changes. Commit the configuration.

Enable Single App Mode Manage Business Apps and Data with an Enterprise App Store

Use Host Information in Policy
Enforcement
Although you may have stringent security at your corporate network border, your network is really only as secure
as the end devices that are accessing it. With today’s workforce becoming more and more mobile, often requiring
access to corporate resources from a variety of locations—airports, coffee shops, hotels—and from a variety of
devices—both company-provisioned and personal—you must logically extend your network’s security out to
your endpoints to ensure comprehensive and consistent security enforcement. The GlobalProtect Host
Information Profile (HIP) feature enables you to collect information about the security status of your end
hosts—such as whether they have the latest security patches and antivirus definitions installed, whether they
have disk encryption enabled, whether the device is jailbroken or rooted (mobile devices only), or whether it is
running specific software you require within your organization, including custom applications—and base the
decision as to whether to allow or deny access to a specific host based on adherence to the host policies you
define.
The following topics provide information about the use of host information in policy enforcement. It includes
the following sections:
 About Host Information
 Configure HIP-Based Policy Enforcement
 Collect Application and Process Data From Clients

About Host Information Use Host Information in Policy Enforcement
About Host Information

One of the jobs of the GlobalProtect agent is to collect information about the host it is running on. The agent
then submits this host information to the GlobalProtect gateway upon successfully connecting. The gateway
matches this raw host information submitted by the agent against any HIP objects and HIP profiles you have
defined. If it finds a match, it generates an entry in the HIP Match log. Additionally, if it finds a HIP profile
match in a policy rule, it enforces the corresponding security policy.
Using host information profiles for policy enforcement enables granular security that ensures that the remote
hosts accessing your critical resources are adequately maintained and in adherence with your security standards
before they are allowed access to your network resources. For example, before allowing access to your most
sensitive data systems, you might want to ensure that the hosts accessing the data have encryption enabled on
their hard drives. You can enforce this policy by creating a security rule that only allows access to the application
if the client system has encryption enabled. In addition, for clients that are not in compliance with this rule, you
could create a notification message that alerts users as to why they have been denied access and links them to
the file share where they can access the installation program for the missing encryption software (of course, to
allow the user to access that file share you would have to create a corresponding security rule allowing access to
the particular share for hosts with that specific HIP profile match).
 What Data Does the GlobalProtect Agent Collect?
 How Does the Gateway Use the Host Information to Enforce Policy?
 How Do Users Know if Their Systems are Compliant?
 How Do I Get Visibility into the State of the End Clients?
What Data Does the GlobalProtect Agent Collect?
By default, the GlobalProtect agent collects vendor-specific data about the end user security packages that are
running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to
the GlobalProtect gateway for use in policy enforcement.
Because security software must continually evolve to ensure end user protection, your GlobalProtect portal and
gateway licenses also enable you to get dynamic updates for the GlobalProtect data file with the latest patch and
software versions available for each package.
While the agent collects a comprehensive amount of data about the host it is running on, you may have
additional software that you require your end-users to run in order to connect to your network or to access
certain resources. In this case, you can define custom checks that instruct the agent to collect specific registry
information (on Windows clients), preference list (plist) information (on Mac OS clients), or to collect
information about whether or not specific services are running on the host.
The agent collects data about the following categories of information by default, to help to identify the security
state of the host:

Use Host Information in Policy Enforcement About Host Information
Table: Data Collection Categories

Category Data Collected
General Information about the host itself, including the hostname, logon domain, operating
system, client version, and, for Windows systems, the domain to which the machine
belongs.
For Windows clients’ domain, the GlobalProtect agent collects the domain
defined for ComputerNameDnsDomain, which is the DNS domain assigned
to the local computer or the cluster associated with the local computer. This
data is what is displayed for the Windows clients’ Domain in the HIP Match
log details (Monitor > HIP Match).
Patch Management Information about any patch management software that is enabled and/or installed
on the host and whether there are any missing patches.
Firewall Information about any client firewalls that are installed and/or enabled on the host.
Antivirus Information about any antivirus software that is enabled and/or installed on the
host, whether or not real-time protection is enabled, the virus definition version,
last scan time, the vendor and product name.
Anti-Spyware Information about any anti-spyware software that is enabled and/or installed on the
host, whether or not real-time protection is enabled, the virus definition version,
last scan time, the vendor and product name.
Disk Backup Information about whether disk backup software is installed, the last backup time,
and the vendor and product name of the software.
Disk Encryption Information about whether disk encryption software is installed, which drives
and/or paths are configured for encryption, and the vendor and product name of
the software.
Data Loss Prevention Information about whether data loss prevention (DLP) software is installed and/or
enabled for the prevention sensitive corporate information from leaving the
corporate network or from being stored on a potentially insecure device. This
information is only collected from Windows clients.
Mobile Devices Identifying information about the mobile device, such as the model number, phone
number, serial number and International Mobile Equipment Identity (IMEI)
number. In addition, the agent collects information about specific settings on the
device, such as whether or not a passcode is set, whether the device is jailbroken, a
list of apps installed on the device that are managed by the Mobile Security
Manager, if the device contains apps that are known to have malware (Android
devices only), and, optionally, the GPS location of the device and a list of apps that
are not managed by the Mobile Security Manager. Note that for iOS devices, some
information is collected by the GlobalProtect app and some information is
reported directly by the operating system. If you are using the GlobalProtect Mobile
Security Manager, it collects extended HIP information from enrolled mobile
devices and shares it with the gateways for use in policy enforcement. See Enable
Gateway Access to the Mobile Security Manager for details.

About Host Information Use Host Information in Policy Enforcement
You can exclude certain categories of information from being collected on certain hosts (to save CPU cycles
and improve client response time). To do this, you create a client configuration on the portal excluding the
categories you are not interested in. For example, if you do not plan to create policy based on whether or not
client systems run disk backup software, you can exclude that category and the agent will not collect any
information about disk backup.
You can also choose to exclude collecting information from personal devices in order to allow for user privacy.
This can include excluding device location and a list of apps installed on the device that are not managed by the
mobile security manager (personal apps). Use the Mobile Security Manager to exclude both of these types of
information from being collected from mobile devices (Policies > Host Information > Data Collection).
How Does the Gateway Use the Host Information to Enforce Policy?
While the agent gets the information about what information to collect from the client configuration
downloaded from the portal, you define which host attributes you are interested in monitoring and/or using for
policy enforcement by creating HIP objects and HIP profiles on the gateway(s):
 HIP Objects—Provide the matching criteria to filter out the host information you are interested in using
to enforce policy from the raw data reported by the agent. For example, while the raw host data may include
information about several antivirus packages that are installed on the client you may only be interested in
one particular application that you require within your organization. In this case, you would create a HIP
object to match the specific application you are interested in enforcing.
The best way to determine what HIP objects you need is to determine how you will use the host information
you collect to enforce policy. Keep in mind that the HIP objects themselves are merely building blocks that
allow you to create the HIP profiles that are used in your security policies. Therefore, you may want to keep
your objects simple, matching on one thing, such as the presence of a particular type of required software,
membership in a specific domain, or the presence of a specific client OS. By doing this, you will have the
flexibility to create a very granular (and very powerful) HIP-augmented policy.
 HIP Profiles—A collection of HIP objects that are to be evaluated together, either for monitoring or for
security policy enforcement. When you create your HIP profiles, you can combine the HIP objects you
previously created (as well as other HIP profiles) using Boolean logic such that when a traffic flow is
evaluated against the resulting HIP profile it will either match or not match. If there is a match, the
corresponding policy rule will be enforced; if there is not a match, the flow will be evaluated against the next
rule, as with any other policy matching criteria.
Unlike a traffic log—which only creates a log entry if there is a policy match—the HIP Match log generates an
entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined.
This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over
time—before attaching your HIP profiles to security policies—in order to help you determine exactly what
policies you believe need enforcement. See Configure HIP-Based Policy Enforcement for details on how to
create HIP objects and HIP profiles and use them as policy match criteria.

Use Host Information in Policy Enforcement About Host Information
How Do Users Know if Their Systems are Compliant?
By default, end users are not given any information about policy decisions that were made as a result of
enforcement of a HIP-enabled security rule. However, you can enable this functionality by defining HIP
notification messages to display when a particular HIP profile is matched and/or not matched.
The decision as to when to display a message (that is, whether to display it when the user’s configuration matches
a HIP profile in the policy or when it doesn’t match it), depends largely on your policy and what a HIP match
(or non-match) means for the user. That is, does a match mean they are granted full access to your network
resources? Or does it mean they have limited access due to a non-compliance issue?
For example, consider the following scenarios:
 You create a HIP profile that matches if the required corporate antivirus and anti-spyware software packages
are not installed. In this case, you might want to create a HIP notification message for users who match the
HIP profile telling them that they need to install the software (and, optionally, providing a link to the file
share where they can access the installer for the corresponding software).
 You create a HIP profile that matches if those same applications are installed, you might want to create the
message for users who do not match the profile, and direct them to the location of the install package.
See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and
use in defining HIP notification messages.
How Do I Get Visibility into the State of the End Clients?
Whenever an end host connects to GlobalProtect, the agent presents its HIP data to the gateway. The gateway
then uses this data to determine which HIP objects and/or HIP profiles the host matches. For each match, it
generates a HIP Match log entry. Unlike a traffic log—which only creates a log entry if there is a policy match—
the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object
and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state
of the hosts on your network over time—before attaching your HIP profiles to security policies—in order to
help you determine exactly what policies you believe need enforcement.
Because a HIP Match log is only generated when the host state matches a HIP object you have created, for full
visibility in to host state you may need to create multiple HIP objects to log HIP matches for hosts that are in
compliance with a particular state (for security policy enforcement purposes) as well as hosts that are
non-compliant (for visibility). For example, suppose you want to prevent a host that does not have Antivirus
software installed from connecting to the network. In this case you would create a HIP object that matches hosts
that have a particular Antivirus software installed. By including this object in a HIP profile and attaching it to
the security policy rule that allows access from your VPN zone, you can ensure that only hosts that are protected
with antivirus software can connect.
However, in this case you would not be able to see in the HIP Match log which particular hosts are not in
compliance with this requirement. If you wanted to also see a log for hosts that do not have Antivirus software
installed so that you can follow up with the users, you can also create a HIP object that matches the condition
where the Antivirus software is not installed. Because this object is only needed for logging purposes, you do
not need to add it to a HIP profile or attach it to a security policy rule.

Configure HIP-Based Policy Enforcement Use Host Information in Policy Enforcement
Configure HIP-Based Policy Enforcement

To enable the use of host information in policy enforcement you must complete the following steps. For more
information on the HIP feature, see About Host Information.
Enable HIP Checking
Step 1 Verify proper licensing for HIP checks. To use the HIP feature, you must have purchased and installed a
GlobalProtect Portal license on the firewall where your portal is
configured and a GlobalProtect Gateway subscription license on
each gateway that will perform HIP checks. To verify the status of
your licenses on each portal and gateway, select Device > Licenses.
Contact your Palo Alto Networks Sales Engineer or Reseller if you

do not have the required licenses. For more information on licensing,
see About GlobalProtect Licenses.
Step 2 (Optional) Define any custom host 1. On the firewall that is hosting your GlobalProtect portal, select
information that you want the agent to Network > GlobalProtect > Portals.
collect. For example, if you have any 2. Select your portal configuration to open the GlobalProtect
required applications that are not Portal dialog.
included in the Vendor and/or Product
3. On the Client Configuration tab, select the Client
lists for creating HIP objects, you could
Configuration to which you want to add a custom HIP check, or
create a custom check that will allow you
click Add to create a new client configuration.
to determine whether that application is
installed (has a corresponding registry or 4. Select Data Collection > Custom Checks and then define the
plist key) or is running (has a data you want to collect from hosts running this client
corresponding running process). configuration as follows:
• To collect information about running processes: Select
Step 2 and Step 3 assume that you
the appropriate tab (Windows or Mac) and then click Add in
have already created a Portal
the Process List section. Enter the name of the process that
Configuration. If you have not yet
you want the agent to collect information about.
configured your portal, see
Configure the GlobalProtect Portal • To collect information about specific registry keys: On
for instructions. the Windows tab, click Add in the Registry Key section. Enter
the Registry Key for which to collect data. Optionally, click
Add to restrict the data collection to a specific Registry Value
or values. Click OK to save the settings.
• To collect information about specific property lists: On
the Mac tab, click Add in the Plist section. Enter the Plist for
which to collect data. Optionally, click Add to restrict the data
collection to specific Key values. Click OK to save the settings.
5. If this is a new client configuration, complete the rest of the
configuration as desired. For instructions, see Define the
GlobalProtect Client Configurations.
6. Click OK to save the client configuration.

Use Host Information in Policy Enforcement Configure HIP-Based Policy Enforcement
Enable HIP Checking (Continued)
Step 3 (Optional) Exclude categories from 1. On the firewall that is hosting your GlobalProtect portal, select
collection. Network > GlobalProtect > Portals.
2. Select your portal configuration to open the GlobalProtect
Portal dialog.
3. On the Client Configuration tab, select the Client
Configuration from which to exclude categories, or click Add to
create a new client configuration.
4. Select Data Collection > Exclude Categories and then click
Add. The Edit Exclude Category dialog displays.
5. Select the Category you want to exclude from the drop-down
list.
6. (Optional) If you want to exclude specific vendors and/or
products from collection within the selected category rather
than excluding the entire category, click Add. You can then
select the Vendor to exclude from the drop-down on the Edit
Vendor dialog and, optionally, click Add to exclude specific
products from that vendor. When you are done defining that
vendor, click OK. You can add multiple vendors and products to
the exclude list.
7. Repeat Step 5 and Step 6 for each category you want to exclude.
8. If this is a new client configuration, complete the rest of the
configuration as desired. For more information on defining
client configurations, see Define the GlobalProtect Client
Configurations.
9. Click OK to save the client configuration.

Step 4 Create the HIP objects to filter the raw 1. On the gateway (or on Panorama if you plan to share the HIP
host data collected by the agents. objects among multiple gateways), select Objects >
GlobalProtect > HIP Objects and click Add.
The best way to determine what HIP
objects you need is to determine how you 2. On the General tab, enter a Name for the object.
will use the host information you collect 3. Select the tab that corresponds to the category of host
to enforce policy. Keep in mind that the information you are interested in matching against and select
HIP objects themselves are merely the check box to enable the object to match against the category.
building blocks that allow you to create For example, to create an object that looks for information
the HIP profiles that are used in your about Antivirus software, select the Antivirus tab and then
security policies. Therefore, you may want select the Antivirus check box to enable the corresponding
to keep your objects simple, matching on fields. Complete the fields to define the desired matching
one thing, such as the presence of a criteria. For example, the following screenshot shows how to
particular type of required software, create an object that will match if the Symantec Norton
membership in a specific domain, or the AntiVirus 2004 Professional application is installed, has Real
presence of a specific client OS. By doing Time Protection enabled, and has virus definitions that have
this, you will have the flexibility to create been updated within the last 5 days.
a very granular (and very powerful)
HIP-augmented policy.
For details on a specific HIP
category or field, refer to the online
help.
Repeat this step for each category you want to match against in
this object. For more information, see Table: Data Collection
Categories.
4. Click OK to save the HIP object.
5. Repeat these steps to create each additional HIP object you
require.

Step 5 Create the HIP profiles that you plan to 1. On the gateway (or on Panorama if you plan to share the HIP
use in your policies. profiles among multiple gateways), select Objects >
GlobalProtect > HIP Profiles and click Add.
When you create your HIP profiles, you
can combine the HIP objects you 2. Enter a descriptive Name for the profile and optionally a
previously created (as well as other HIP Description.
profiles) using Boolean logic such that 3. Click Add Match Criteria to open the HIP Objects/Profiles
when a traffic flow is evaluated against the Builder.
resulting HIP profile it will either match 4. Select the first HIP object or profile you want to use as match
or not match. If there is a match, the criteria and then click add to move it over to the Match text
corresponding policy rule will be box on the HIP Profile dialog. Keep in mind that if you want the
enforced; if there is not a match, the flow HIP profile to evaluate the object as a match only when the
will be evaluated against the next rule, as criteria in the object is not true for a flow, select the NOT check
with any other policy matching criteria. box before adding the object.
5. Continue adding match criteria as appropriate for the profile

you are building, making sure to select the appropriate Boolean
operator radio button (AND or OR) between each addition (and,
again, using the NOT check box when appropriate).
6. If you are creating a complex Boolean expression, you must
manually add the parenthesis in the proper places in the Match
text box to ensure that the HIP profile is evaluated using the
logic you intend. For example, the following HIP profile will
match traffic from a host that has either FileVault disk
encryption (for Mac OS systems) or TrueCrypt disk encryption
(for Windows systems) and also belongs to the required
Domain, and has a Symantec antivirus client installed:
7. When you are done adding match criteria, click OK to save the
profile.
8. Repeat these steps to create each additional HIP profile you
require.

Step 6 Verify that the HIP objects and HIP On the gateway(s) that your GlobalProtect users are connecting to,
profiles you created are matching your select Monitor > Logs > HIP Match. This log shows all of the matches
GlobalProtect client traffic as expected. the gateway identified when evaluating the raw HIP data reported by
the agents against the defined HIP objects and HIP profiles. Unlike
Consider monitoring HIP objects
other logs, a HIP match does not require a security policy match in
and profiles as a means to monitor
order to be logged.
the security state and activity of
your host endpoints. By monitoring
the host information over time you
will be better able to understand
where your security and compliance
issues are and you can use this
information to guide you in creating
useful policy. For more details, see
How Do I Get Visibility into the
State of the End Clients?
Step 7 Enable User-ID on the source zones that 1. Select Network > Zones.
contain the GlobalProtect users that will 2. Click on the Name of the zone in which you want to enable
be sending requests that require User-ID to open the Zone dialog.
HIP-based access controls. You must
3. Select the Enable User Identification check box and then click
enable User-ID even if you don’t plan on
OK.
using the user identification feature or the
firewall will not generate any HIP Match
logs entries.
Step 8 (Optional) Configure the gateways to See Enable Gateway Access to the Mobile Security Manager for
collect HIP reports from the Mobile instructions.
Security Manager.
This step only applies if you are using the
GlobalProtect Mobile Security Manager
to manage mobile devices and you want
to use the extended HIP data that the
Mobile Security Manager collects in
security policy enforcement on the
gateway.

Step 9 Create the HIP-enabled security rules on Add the HIP profiles to your security rules:
your gateway(s). 1. Select Policies > Security and select the rule to which you want
to add a HIP profile.
As a best practice, you should create your
security rules and test that they match the 2. On the Source tab, make sure the Source Zone is a zone for
expected flows based on the source and which you enabled User-ID in Step 7.
destination criteria as expected before 3. On the User tab, click Add in the HIP Profiles section and select
adding your HIP profiles. By doing this the HIP profile(s) you want to add to the rule (you can add up
you will also be better able to determine to 63 HIP profiles to a rule).
the proper placement of the HIP-enabled 4. Click OK to save the rule.
rules within the policy.

Step 10 Define the notification messages end 1. On the firewall that is hosting your GlobalProtect gateway(s),
users will see when a security rule with a select Network > GlobalProtect > Gateways.
HIP profile is enforced. 2. Select a previously-defined gateway configuration to open the
The decision as to when to display a GlobalProtect Gateway dialog.
message (that is, whether to display it 3. Select Client Configuration > HIP Notification and then click
when the user’s configuration matches a Add.
HIP profile in the policy or when it 4. Select the HIP Profile this message applies to from the
doesn’t match it), depends largely on your drop-down.
policy and what a HIP match (or
5. Select Match Message or Not Match Message, depending on
non-match) means for the user. That is,
whether you want to display the message when the
does a match mean they are granted full
corresponding HIP profile is matched in policy or when it is not
access to your network resources? Or
matched. In some cases you might want to create messages for
does it mean they have limited access due
both a match and a non-match, depending on what objects you
to a non-compliance issue?
are matching on and what your objectives are for the policy. For
For example, suppose you create a HIP the Match Message, you can also enable the option to Include
profile that matches if the required matched application list in message to indicate what
corporate antivirus and anti-spyware applications triggered the HIP match.
software packages are not installed. In this 6. Select the Enable check box and select whether you want to
case, you might want to create a HIP display the message as a Pop Up Message or as a System Tray
notification message for users who match Balloon.
the HIP profile telling them that they
7. Enter the text of your message in the Template text box and
need to install the software. Alternatively,
then click OK. The text box provides both a WYSIWYG view of
if your HIP profile matched if those same
the text and an HTML source view, which you can toggle
applications are installed, you might want
between using the Source Edit icon. The toolbar also
to create the message for users who do
provides many options for formatting your text and for creating
not match the profile.
hyperlinks to external documents, for example to link users
directly to the download URL for a required software program.
8. Repeat this procedure for each message you want to define.


Step 11 Verify that your HIP profiles are working You can monitor what traffic is hitting your HIP-enabled policies
as expected. using the Traffic log as follows:
1. From the gateway, select Monitor > Logs > Traffic.
2. Filter the log to display only traffic that matches the rule that has
the HIP profile you are interested in monitoring attached. For
example, to search for traffic that matches a security rule named
“iOS Apps” you would enter ( rule eq 'iOS Apps' ) in the
filter text box as follows:

Collect Application and Process Data From Clients Use Host Information in Policy Enforcement
Collect Application and Process Data From Clients

The Windows Registry and Mac Plist can be used to configure and store settings and options for Windows and
Mac operating systems, respectively. You can create a custom check that will allow you to determine whether an
application is installed (has a corresponding registry or plist key) or is running (has a corresponding running
process) on a Windows or Mac client. Enabling custom checks instructs the GlobalProtect agent to collect
specific registry information (Registry Keys and Registry Key Values from Windows clients), preference list
(plist) information (plist and plist keys from Mac OS clients). The data that you define to be collected in a
custom check is included in the raw host information data collected by the GlobalProtect agent and then
submitted to the GlobalProtect gateway when the agent connects.
To monitor the data collected with custom checks you can create a HIP object. You can then add the HIP object
to a HIP profile to use the collected data to match to device traffic and enforce security rules. The gateway can
use the HIP object (which matches to the data defined in the custom check) to filter the raw host information
submitted by the agent. When the gateway matches the client data to a HIP object, a HIP Match log entry is
generated for the data. A HIP profile allows the gateway to also match the collected data to a security rule. If
the HIP profile is used as criteria for a security policy rule, the gateway will enforce that security rule on the
matching traffic.
Use the following task to enable custom checks to collect data from Windows and Mac clients. This task
includes the optional steps to create a HIP object and HIP profile for a custom check, if you would like to use
client data as matching criteria for a security policy to monitor, identify, and act on traffic.
For more information on defining agent settings directly from the Windows registry or the global
Mac plist, see Deploy Agent Settings Transparently.

Use Host Information in Policy Enforcement Collect Application and Process Data From Clients
Enable and Verify Custom Checks for Windows or Mac Clients
Step 1 Enable the GlobalProtect agent to collect Collect data from a Windows client:
Windows Registry information from 1. Select Network > GlobalProtect > Portals > Client
Windows clients or Plist information Configuration > Data Collection > Custom Checks > Windows.
from Mac clients. The type of 2. Add the Registry Key that you want to collect information
information collected can include about. If you want to restrict data collection to a value contained
whether or not an application is installed within that Registry Key, add the corresponding Registry Value.
on the client, or specific attributes or
properties of that application.
This step enables the agent to report data
on the applications and client settings.
(Step 5 and Step 6 will show you how to
monitor and use the reported data to
identify or take action on certain device
traffic).
Collect data from a Mac client:
1. Select Network > GlobalProtect > Portals > Client
Configuration > Data Collection > Custom Checks > Mac.
2. Add the Plist that you want to collect information about and the
corresponding Plist Key to determine if the application is
installed:
.
For example, Add the Plist com.apple.screensaver and the

Key askForPassword to collect information on whether a
password is required to wake the Mac client after the screen
saver begins:
Confirm that the Plist and Key are added to the Mac custom
checks:

Step 2 (Optional) Check if a specific process is 1. Continue from Step 1 on the Custom Checks tab (Network >
running on the client. GlobalProtect > Portals > Client Configuration > Data
Collection) and select the Windows tab or Mac tab.
2. Add the name of the process that you want to collect
information about to the Process List.
Step 3 Save the custom check. Click OK and Commit the changes.
Step 4 Verify that the GlobalProtect agent is For Windows clients:

collecting the data defined in the custom On the Windows client, double-click the GlobalProtect icon on the
check from the client. task bar and click the Host State tab to view the information that the
GlobalProtect agent is collecting from the Mac client. Under the
custom-checks dropdown, verify that the data that you defined for
collection in Step 7 is displayed:
For Mac clients:

On the Mac client, click the GlobalProtect icon on the Menu bar,
click Advanced View, and click Host State to view the information
that the GlobalProtect agent is collecting for the Mac client. Under
the custom-checks dropdown, verify that the data you defined for
collection in Step 7 is displayed:

Use Host Information in Policy Enforcement Collect Application and Process Data From Clients
Step 5 (Optional) Create a HIP Object to match 1. Select Objects > GlobalProtect > HIP Objects and Add a HIP
to a Registry Key (Windows) or Plist Object.
(Mac). This can allow you to filter the raw 2. Select and enable Custom Checks.
host information collected from the
GlobalProtect agent in order to monitor For Windows clients:
the data for the custom check. 3. To check Windows clients for a specific registry key, select
Registry Key and Add the registry to match on. To only identify
With a HIP object defined for the custom
clients that do not have the specified registry key, select Key
check data, the gateway will match the raw
does not exist or match the specified value data.
data submitted from the agent to the HIP
object and a HIP Match log entry is 4. To match on specific values within the Registry key, click Add
generated for the data (Monitor > HIP and then enter the registry value and value data. To identify
Match). clients that explicitly do not have the specified value or value
data, select the Negate check box.
5. Click OK to save the HIP object. You can Commit to view the
data in the HIP Match logs at the next device check-in or
continue to Step 6.
For Mac clients:

3. Select the Plist tab and Add and enter the name of the Plist for
which you want to check Mac clients. (If instead, you want to
match Mac clients that do not have the specified Plist, continue
by selecting Plist does not exist).
4. (Optional) You can match traffic to a specific key-value pair
within the Plist by entering the Key and the corresponding
Value to match. (Alternatively, if you want to identify clients that
do not have a specific Key and Value, you can continue by
selecting Negate after adding populating the Key and Value
fields).
5. Click OK to save the HIP object. You can Commit to view the
data in the HIP Match logs at the next device check-in or
continue to Step 6.

Step 6 (Optional) Create a HIP profile to allow 1. Select Objects > GlobalProtect > HIP Profile.
the HIP object you created in Step 5 to be 2. Click Add Match Criteria to open the HIP Objects/Profiles
evaluated against traffic. Builder.
The HIP profile can be added to a 3. Select the HIP object you want to use as match criteria and then
security policy as an additional check for move it over to the Match box on the HIP Profile dialog.
traffic matching that policy. When the 4. When you have finished adding the objects to the new HIP
traffic is matched to the HIP profile, the profile, click OK and Commit.
security policy rule will be enforced on
the traffic.
For more details on creating a HIP
profiles, see Configure HIP-Based Policy
Enforcement.
Step 7 Add the HIP profile to a security policy so Select Policies > Security, and Add or modify a security policy. Go
that the data collected with the custom to the User tab to add a HIP profile to the policy. For more details
check can be used to match to and act on on security policies components and using security policies to match
traffic. to and act on traffic, see Security Policy.

GlobalProtect Quick Configs
The following sections provide step-by-step instructions for configuring some common GlobalProtect
deployments:
 Remote Access VPN (Authentication Profile)
 Remote Access VPN (Certificate Profile)
 Remote Access VPN with Two-Factor Authentication
 Always On VPN Configuration
 Remote Access VPN with Pre-Logon
 GlobalProtect Multiple Gateway Configuration
 GlobalProtect for Internal HIP Checking and User-Based Access
 Mixed Internal and External Gateway Configuration

Remote Access VPN (Authentication Profile) GlobalProtect Quick Configs
Remote Access VPN (Authentication Profile)

In the Figure: GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are both
configured on ethernet1/2 and this is the physical interface where GlobalProtect clients connect. After the
clients connect and successfully authenticate to the portal and gateway, the agent establishes a VPN tunnel from
its virtual adapter, which has been assigned an address in the IP address pool associated with the gateway
tunnel.2 configuration—10.31.32.3-10.31.32.118 in this example. Because GlobalProtect VPN tunnels
terminate in a separate corp-vpn zone you have visibility into the VPN traffic as well as the ability to tailor
security policy for remote users.
Watch the video.
Figure: GlobalProtect VPN for Remote Access
The following procedure provides the configuration steps for this example. You can also watch the video.
Quick Config: VPN Remote Access
Step 1 Create Interfaces and Zones for • Select Network > Interfaces > Ethernet and configure
GlobalProtect. ethernet1/2 as a Layer 3 Ethernet interface with IP address
203.0.113.1 and assign it to the l3-untrust zone and the default
Use the default virtual router for all
virtual router.
interface configurations to avoid
having to create inter-zone routing. • Create a DNS “A” record that maps IP address 203.0.113.1 to
gp.acme.com.
• Select Network > Interfaces > Tunnel and add the tunnel.2
interface and add it to a new zone called corp-vpn. Assign it to the
default virtual router.
• Enable User Identification on the corp-vpn zone.

GlobalProtect Quick Configs Remote Access VPN (Authentication Profile)
Quick Config: VPN Remote Access (Continued)
Step 2 Create security policy to enable traffic 1. Select Policies > Security and then click Add to add a new rule.
flow between the corp-vpn zone and the 2. For this example, you would define the rule with the following
l3-trust zone to enable access to your settings:
internal resources.
• Name—VPN Access
• Source Zone—corp-vpn
• Destination Zone—l3-trust
Step 3 Obtain a server certificate for the Select Device > Certificate Management > Certificates to manage
interface hosting the GlobalProtect portal certificates as follows:
and gateway using one of the following • Obtain a server certificate. Because the portal and gateway are on
methods: the same interface, the same server certificate can be used for both
• (Recommended) Import a server components.
certificate from a well-known,
• The CN of the certificate must match the FQDN, gp.acme.com.
third-party CA.
• Generate a self-signed server • To enable clients to connect to the portal without receiving
certificate. certificate errors, use a server certificate from a public CA.
Step 4 Create a server profile. Create the server profile for connecting to the LDAP server:
Device > Server Profiles > LDAP
how to connect to the authentication
service. Local, RADIUS, Kerberos, and
LDAP authentication methods are
supported. This example shows an LDAP
authentication profile for authenticating
users against the Active Directory.

Remote Access VPN (Authentication Profile) GlobalProtect Quick Configs
Quick Config: VPN Remote Access (Continued)
Step 5 Create an authentication profile. Attach the server profile to an authentication profile:
Device > Authentication Profile.
Step 6 Configure a GlobalProtect Gateway. Select Network > GlobalProtect > Portals and add the following
configuration:
Interface—ethernet1/2
IP Address—203.0.113.1
Server Certificate—GP-server-cert.pem issued by Go Daddy
Authentication Profile—Corp-LDAP
Tunnel Interface—tunnel.2
IP Pool—10.31.32.3 - 10.31.32.118
Step 7 Configure the GlobalProtect Portal. Select Network > GlobalProtect > Portals and add the following
configuration:
1. Set Up Access to the GlobalProtect Portal. This example uses
the following settings:
2. Define the GlobalProtect Client Configurations using the
following settings:
Connect Method—on-demand
External Gateway Address—gp.acme.com
Step 8 Deploy the GlobalProtect Agent Select Device > GlobalProtect Client.
Software. In this example, use the procedure to Host Agent Updates on the
Portal.
Step 9 (Optional) Enable use of the Purchase and install a GlobalProtect Gateway subscription
GlobalProtect mobile app. (Device > Licenses) to enable use of the app.

GlobalProtect Quick Configs Remote Access VPN (Certificate Profile)
Remote Access VPN (Certificate Profile)

When authenticating users with certificate authentication, the client must present a unique client certificate that
identifies the end user in order to connect to GlobalProtect. When used as the only means of authentication,
the certificate the client presents must contain the username in one of the certificate fields; typically the
username corresponds to the common name (CN) in the Subject field of the certificate. Upon successful
authentication, the GlobalProtect agent establishes a VPN tunnel with the gateway and is assigned an IP address
from the IP pool in the gateway’s tunnel configuration. To enable user-based policy enforcement on sessions
from the corp-vpn zone, the username from the certificate is mapped to the IP address assigned by the gateway.
If a domain name is required for policy enforcement, the domain value specified in the certificate profile is
appended to the username.
Figure: GlobalProtect Client Certificate Authentication Configuration
This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. The only
configuration difference is that instead of authenticating users against an external authentication server, this
configuration uses client certificate authentication only.
Quick Config: VPN Remote Access with Client Certificate Authentication
203.0.113.1 and assign it to the l3-untrust security zone and the
gp.acme.com.

Remote Access VPN (Certificate Profile) GlobalProtect Quick Configs
Quick Config: VPN Remote Access with Client Certificate Authentication (Continued)
internal resources.
third-party CA.
Step 4 Issue client certificates to GlobalProtect 1. Use your enterprise PKI or a public CA to issue a unique client
users/machines. certificate to each GlobalProtect user.
systems.
Step 5 Create a client certificate profile. 1. Select Device > Certificate Management > Certificate Profile,
click Add and enter a profile Name such as GP-client-cert.
2. Select Subject from the Username Field drop-down.
3. Click Add in the CA Certificates section, select the CA
Certificate that issued the client certificates, and click OK twice.
Step 6 Configure a GlobalProtect Gateway. Select Network > GlobalProtect > Gateways and add the following
configuration:
See the topology diagram shown in
Figure: GlobalProtect VPN for Remote Interface—ethernet1/2
Access. IP Address—203.0.113.1
Certificate Profile—GP-client-cert
IP Pool—10.31.32.3 - 10.31.32.118

GlobalProtect Quick Configs Remote Access VPN (Certificate Profile)
Quick Config: VPN Remote Access with Client Certificate Authentication (Continued)
configuration:
1. Set Up Access to the GlobalProtect Portal:
2. Define the GlobalProtect Client Configurations:
Portal.

Remote Access VPN with Two-Factor Authentication GlobalProtect Quick Configs
Remote Access VPN with Two-Factor Authentication

When you configure a GlobalProtect portal and/or gateway with both an authentication profile and a certificate
profile (called two-factor authentication), the end user will be required to successfully authenticate to both
before being allowed access. For portal authentication, this means that certificates must be pre-deployed to the
end clients before their initial portal connection. Additionally, the certificates presented by the clients must
match what is defined in the certificate profile
 If the certificate profile does not specify a username field (that is, the Username Field it is set to None), the
client certificate does not need to have a username. In this case, the client must provide the username when
authenticating against the authentication profile.
 If the certificate profile specifies a username field, the certificate that the client presents must contain a
username in the corresponding field. For example, if the certificate profile specifies that the username field
is subject, the certificate presented by the client must contain a value in the common-name field or
authentication will fail. In addition, when the username field is required, the value from the username field
of the certificate will automatically be populated as the username when the user attempts to enter credentials
for authenticating to the authentication profile. If you do not want force users to authenticate with a
username from the certificate, do not specify a username field in the certificate profile.
This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. However,
in this configuration the clients must authenticate against a certificate profile and an authentication profile. For
more details on a specific type of two-factor authentication, see the following topics:
 Enable Two-Factor Authentication
 Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
 Enable Two-Factor Authentication Using Smart Cards

GlobalProtect Quick Configs Remote Access VPN with Two-Factor Authentication
Quick Config: VPN Remote Access with Two-Factor Authentication
gp.acme.com.
internal resources.
third-party CA.
Step 4 Issue client certificates to GlobalProtect 1. Use your enterprise PKI or a public CA to issue a unique client
users/machines. certificate to each GlobalProtect user.
systems.

Remote Access VPN with Two-Factor Authentication GlobalProtect Quick Configs
Quick Config: VPN Remote Access with Two-Factor Authentication (Continued)
Step 5 Create a client certificate profile. 1. Select Device > Certificate Management > Certificate Profile,
click Add and enter a profile Name such as GP-client-cert.
2. Specify where to get the username that will be used to
authenticate the end user:
• From user—If you want the end user to supply a username
when authenticating to the service specified in the
authentication profile, select None as the Username Field.
• From certificate—If you want to extract the username from
the certificate, select Subject as the Username Field. If you
use this option, the CN contained in the certificate will
automatically populated the username field when the user is
prompted to login to the portal/gateway and the user will be
required to log in using that username.
3. Click Add in the CA Certificates section, select the CA
Certificate that issued the client certificates, and click OK twice.
Step 6 Create a server profile. Create the server profile for connecting to the LDAP server: Device
> Server Profiles > LDAP
how to connect to the authentication
service. Local, RADIUS, Kerberos, and
LDAP authentication methods are
supported. This example shows an LDAP
authentication profile for authenticating
users against the Active Directory.
Step 7 Create an authentication profile. Attach the server profile to an authentication profile: Device >
Authentication Profile.

GlobalProtect Quick Configs Remote Access VPN with Two-Factor Authentication
Quick Config: VPN Remote Access with Two-Factor Authentication (Continued)
configuration:
IP Pool—10.31.32.3 - 10.31.32.118
configuration:
Portal.
Step 11 (Optional) Deploy Agent Settings As an alternative to deploying agent settings from the portal
Transparently. configuration, you can define settings directly from the
Windows registry or global MAC plist. For example, you can
specify the portal IP address. On Windows clients only, you
can also configure settings using the MSIEXEC installer. For
additional information, see Customizable Agent Settings.

Always On VPN Configuration GlobalProtect Quick Configs
Always On VPN Configuration

In an “always on” GlobalProtect configuration, the agent connects to the GlobalProtect portal upon user logon
to submit user and host information and receive the client configuration. It then automatically establishes the
VPN tunnel to the gateway specified in the client configuration delivered by the portal without end user
intervention as shown in the following illustration.
To switch any of the previous remote access VPN configurations to an always-on configuration, you simply
change the connect method:
 Remote Access VPN (Authentication Profile)
 Remote Access VPN (Certificate Profile)
 Remote Access VPN with Two-Factor Authentication
Switch to an “Always On” Configuration
1. Select Network > GlobalProtect > Portals and select the portal configuration to open it.
2. Select the Client Configuration tab and then select the client configuration you want to modify.
3. Select user-logon as the Connect Method. Repeat this for each client configuration.
4. Click OK twice to save the client configuration and the portal configuration and then Commit the change.

GlobalProtect Quick Configs Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon

The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent
and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the
user has logged in. Because the tunnel is already established, domain scripts can be executed when the user logs
in instead of using cached credentials.
Prior to user login there is no username associated with the traffic. Therefore, to enable the client system to
access resources in the trust zone you must create security policies that match the pre-logon user. These policies
should only allow access to basic services required to start up the system, such as DHCP, DNS, Active Directory
(for example, to change an expired password), antivirus, and/or operating system update services. Then, after
the user logs in to the system and authenticates, the VPN tunnel is renamed to include the username so that
user- and group-based policy can be enforced.
Windows systems and Mac systems behave differently in a pre-logon configuration. Unlike the
Windows behavior described above, on Mac OS systems the tunnel is disconnected when the
user logs in and then a new tunnel is established.
With pre-logon, when an agent connects to the portal for the first time, the end user must authenticate (either
via an authentication profile or a certificate profile configured to validate a client certificate containing a
username). After authentication succeeds, the portal pushes the client configuration to the agent along with a
cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system
attempts to connect in pre-logon mode, it will use cookie to authenticate to the portal and receive its pre-logon
client configuration. Then, it will connect to the gateway specified in the configuration and authenticate using
its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN
tunnel.
When the end user subsequently logs in to the machine, if single sign-on (SSO) is enabled in the client
configuration, the username and password will be captured as the user logs in and used to authenticate to the
gateway and so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration or
of SSO is not supported on the client system (for example, it is a Mac OS system) the users’ credentials must
be stored in the agent (that is, the Remember Me check box must be selected within the agent). After successful
authentication to the gateway the tunnel will be renamed (Windows) or rebuilt (Mac) and user- and group-based
policy can be enforced.

Remote Access VPN with Pre-Logon GlobalProtect Quick Configs
This example uses the GlobalProtect topology shown in Figure: GlobalProtect VPN for Remote Access.
Quick Config: Remote Access VPN with Pre-Logon
gp.acme.com.
Step 2 Create the security policy rules. This configuration requires the following policies (Policies >
Security):
• First create a rule that enables the pre-logon user access to basic
services that are required for the computer to come up, such as
authentication services, DNS, DHCP, and Microsoft Updates.
• Second create a rule to enable access between the corp-vpn zone
and the l3-trust zone for any known user after the user
successfully logs in.

Quick Config: Remote Access VPN with Pre-Logon (Continued)
third-party CA.
Step 4 Generate a machine certificate for each 1. Issue client certificates to GlobalProtect users/machines.
client system that will connect to 2. Install certificates in the personal certificate store on the client
GlobalProtect and import them into the systems. (Local Computer store on Windows or System
personal certificate store on each Keychain on Mac OS)
machine.
Although you could generate self-signed
certificates for each client system, as a
best practice use your own public-key
infrastructure (PKI) to issue and
distribute certificates to your clients.
Step 5 Import the trusted root CA certificate 1. Download the CA certificate in Base64 format.
from the CA that issued the machine 2. Import the certificate onto each firewall hosting a portal or
certificates onto the portal and gateway as follows:
gateway(s).
a. Select Device > Certificate Management > Certificates >
You do not have to import the Device Certificates and click Import.
private key.
b. Enter a Certificate Name that identifies the certificate as
your client CA certificate.
c. Browse to the Certificate File you downloaded from the
CA.
d. Select Base64 Encoded Certificate (PEM) as the File Format
and then click OK.
e. Select the certificate you just imported on the Device
Certificates tab to open it.
f. Select Trusted Root CA and then click OK.

Remote Access VPN with Pre-Logon GlobalProtect Quick Configs
Step 6 On each firewall hosting a GlobalProtect 1. Select Device > Certificates > Certificate Management >
gateway, create a certificate profile to Certificate Profile and click Add and enter a Name to uniquely
identify which CA certificate to use to identify the profile, such as PreLogonCert.
validate the client machine certificates. 2. Set Username Field to None.
Optionally, if you plan to use client 3. (Optional) If you will also use client certificate authentication to
certificate authentication to authenticate authenticate users upon login, add the CA certificate that issued
users when they log in to the system, the client certificates if it is different from the one that issued the
make sure that the CA certificate that machine certificates.
issues the client certificates is referenced 4. In the CA Certificates field, click Add, select the Trusted Root
in the certificate profile in addition to the CA certificate you imported in Step 5 and then click OK.
CA certificate that issued the machine
certificates if they are different.
configuration:
Although you must create a certificate Server Certificate—GP-server-cert.pem issued by Go Daddy
profile for pre-logon access to the Certificate Profile—PreLogonCert
gateway, you can use either client
certificate authentication or Authentication Profile—Corp-LDAP
authentication profile-based Tunnel Interface—tunnel.2
authentication for logged in users. In this IP Pool—10.31.32.3 - 10.31.32.118
example, the same LDAP profile is used
that is used to authenticate users to the Commit the gateway configuration.
portal.

configuration:
For this configuration, create two client
configurations: one that will be pushed to
the agent when the user is not logged in Interface—ethernet1/2
(User/User Group is pre-logon) and one IP Address—203.0.113.1
that will be pushed when the user is Server Certificate—GP-server-cert.pem issued by Go Daddy
logged in (User/User Group is any). You
Certificate Profile—None
may want to limit gateway access to a
single gateway for pre-logon users, while Authentication Profile—Corp-LDAP
providing access to multiple gateways for 2. Define the GlobalProtect Client Configurations for pre-logon
logged in users. users and for logged in users:
As a best practice, enable SSO in First Client Configuration:
the second client configuration to Connect Method—pre-logon
ensure that the correct username is External Gateway Address—gp.acme.com
reported to the gateway
User/User Group—pre-logon
immediately when the user logs in
to the machine. If SSO is not Authentication Modifier—Cookie authentication for config
enabled the username saved in the refresh
GlobalProtect agent settings panel Second Client Configuration:
will be used. Use single sign-on—enabled
Connect Method—pre-logon
User/User Group—any
Authentication Modifier—Cookie authentication for config
refresh
3. Make sure the pre-logon client configuration is first in the list of
configurations. If it is not, select it and click Move Up.

GlobalProtect Multiple Gateway Configuration GlobalProtect Quick Configs
GlobalProtect Multiple Gateway Configuration

In Figure: GlobalProtect Multiple Gateway Topology, a second external gateway has been added to the
configuration. Multiple gateways are supported in all of the preceding example configurations. Additional steps
include installing a GlobalProtect portal license to enable use of multiple gateways and the configuration of the
second firewall as a GlobalProtect gateway. In addition, when configuring the client configurations to be
deployed by the portal you can decide whether to allow access to all gateways, or specify different gateways for
different configurations.
If a client configuration contains more than one gateway, the agent will attempt to connect to all gateways listed
in its client configuration. The agent will then use priority and response time as to determine which gateway to
connect to.
Figure: GlobalProtect Multiple Gateway Topology

GlobalProtect Quick Configs GlobalProtect Multiple Gateway Configuration
Quick Config: GlobalProtect Multiple Gateway Configuration
Step 1 Create Interfaces and Zones for On the firewall hosting the portal/gateway (gw1):
GlobalProtect. • Select Network > Interfaces > Ethernet and configure
In this configuration, you must set up ethernet1/2 as a Layer 3 Ethernet interface with IP address
interfaces on each firewall hosting a 198.51.100.42 and assign it to the l3-untrust security zone and the
gateway. default virtual router.
Use the default virtual router for all • Create a DNS “A” record that maps IP address 198.51.100.42 to
gp1.acme.com.
having to create inter-zone routing. • Select Network > Interfaces > Tunnel and add the tunnel.2
On the firewall hosting the second gateway (gw2):

• Select Network > Interfaces > Ethernet and configure
ethernet1/5 as a Layer 3 Ethernet interface with IP address
• Create a DNS “A” record that maps IP address 192.0.2.4 to
gp2.acme.com.
Step 2 Purchase and install a GlobalProtect After you purchase the portal license and receive your activation
Portal license on the firewall hosting thecode, install the license on the firewall hosting the portal as follows:
portal. This license is required to enable a
1. Select Device > Licenses.
multiple gateway configuration. 2. Select Activate feature using authorization code.
You will also need a GlobalProtect 3. When prompted, enter the Authorization Code and then click
gateway subscription on each OK.
gateway if you have users who will 4. Verify that the license was successfully activated.
be using the GlobalProtect app on
their mobile devices or if you plan
to use HIP-enabled security policy.
Step 3 On each firewall hosting a GlobalProtect This configuration requires policy rules to enable traffic flow
gateway, create security policy. between the corp-vpn zone and the l3-trust zone to enable access to
your internal resources (Policies > Security).

GlobalProtect Multiple Gateway Configuration GlobalProtect Quick Configs
Quick Config: GlobalProtect Multiple Gateway Configuration (Continued)
Step 4 Obtain server certificates for the On each firewall hosting a portal/gateway or gateway, select Device
interfaces hosting your GlobalProtect > Certificate Management > Certificates to manage certificates as
portal and each of your GlobalProtect follows:
gateways using the following • Obtain a server certificate for the portal/gw1. Because the portal
recommendations: and the gateway are on the same interface you must use the same
• (On the firewall hosting the portal or server certificate. The CN of the certificate must match the
portal/gateway) Import a server FQDN, gp1.acme.com. To enable clients to connect to the portal
certificate from a well-known, without receiving certificate errors, use a server certificate from a
third-party CA. public CA.
• (On a firewall hosting only a gateway) • Obtain a server certificate for the interface hosting gw2. Because
Generate a self-signed server this interface hosts a gateway only you can use a self-signed
certificate. certificate. The CN of the certificate must match the FQDN,
gp2.acme.com.
Step 5 Define how you will authenticate users to You can use any combination of certificate profiles and/or
the portal and the gateways. authentication profiles as necessary to ensure the security for your
portal and gateways. Portals and individual gateways can also use
different authentication schemes. See the following sections for
step-by-step instructions:
• Set Up External Authentication (authentication profile)
• Set Up Client Certificate Authentication (certificate profile)
• Set Up Two-Factor Authentication (token- or OTP-based)
You will then need to reference the certificate profile and/or
authentication profiles you defined in the portal and gateway
configurations you define.
Step 6 Configure the gateways. This example shows the configuration for gp1 and gp2 shown in
Figure: GlobalProtect Multiple Gateway Topology. See Configure a
GlobalProtect Gateway for step-by-step instructions on creating the
gateway configurations.
On the firewall hosting gp1, configure the gateway On the firewall hosting gp2, configure the gateway settings as
settings as follows: follows:
Select Network > GlobalProtect > Gateways and Select Network > GlobalProtect > Gateways and add the following
add the following configuration: configuration:
Interface—ethernet1/2 Interface—ethernet1/2
IP Address—198.51.100.42 IP Address—192.0.2.4
Server Certificate—GP1-server-cert.pem issued Server Certificate—self-signed certificate, GP2-server-cert.pem
by Go Daddy Tunnel Interface—tunnel.1
Tunnel Interface—tunnel.2 IP Pool—10.31.33.3 - 10.31.33.118
IP Pool—10.31.32.3 - 10.31.32.118

GlobalProtect Quick Configs GlobalProtect Multiple Gateway Configuration
Quick Config: GlobalProtect Multiple Gateway Configuration (Continued)
configuration:
IP Address—198.51.100.42
Server Certificate—GP1-server-cert.pem issued by Go Daddy
The number of client configurations you create depends on
your specific access requirements, including whether you require
user/group-based policy and/or HIP-enabled policy
enforcement.
Portal.
Step 9 Save the GlobalProtect configuration. Click Commit on the firewall hosting the portal and the gateway(s).

GlobalProtect for Internal HIP Checking and User-Based Access GlobalProtect Quick Configs
GlobalProtect for Internal HIP Checking and User-Based

Access
When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a
secure, accurate method of identifying and controlling traffic by user and/or device state, replacing other
network access control (NAC) services. Internal gateways are useful in sensitive environments where
authenticated access to critical resources is required.
In a configuration with only internal gateways, all clients must be configured with user-logon; on-demand mode
is not supported. In addition, it is recommended that you configure all client configurations to use single sign-on
(SSO). Additionally, because internal hosts do not need to establish a tunnel connection with the gateway, the
IP address of the physical network adapter on the client system is used.
In this quick config, internal gateways are used to enforce group based policies that allow users in the
Engineering group access to the internal source control and bug databases and users in the Finance group to
the CRM applications. All authenticated users have access to internal web resources. In addition, HIP profiles
configured on the gateway check each host to ensure compliance with internal maintenance requirements, such
as whether the latest security patches and antivirus definitions are installed, whether disk encryption is enabled,
or whether the required software is installed.
Figure: GlobalProtect Internal Gateway Configuration

GlobalProtect Quick Configs GlobalProtect for Internal HIP Checking and User-Based Access
Quick Config: GlobalProtect Internal Gateway Configuration
Step 1 Create Interfaces and Zones for On each firewall hosting a portal/gateway:
GlobalProtect. 1. Select an Ethernet port to host the portal/gateway and then
In this configuration, you must set up configure a Layer3 interface with an IP address in the l3-trust
interfaces on each firewall hosting a portal security zone. (Network > Interfaces > Ethernet).
and/or a gateway. Because this 2. Enable User Identification on the l3-trust zone.
configuration uses internal gateways only,
you must configure the portal and
gateways on interfaces on the internal
network.
having to create inter-zone routing.
Step 2 Purchase and install a GlobalProtect

After you purchase the portal license and receive your activation
Portal license on the firewall hosting the
code, install the license on the firewall hosting the portal as follows:
portal and gateway subscriptions for each
firewall hosting an internal gateway. This 1. Select Device > Licenses.
is required to enable an internal gateway 2. Select Activate feature using authorization code.
configuration and enable HIP checks. 3. When prompted, enter the Authorization Code and then click
OK.
4. Verify that the license was successfully activated.
Step 3 Obtain server certificates for the The recommended workflow is as follows:
GlobalProtect portal and each 1. On the firewall hosting the portal:
GlobalProtect gateway. a. Import a server certificate from a well-known, third-party
In order to connect to the portal for the CA.
first time, the end clients must trust the b. Create the root CA certificate for issuing self-signed
root CA certificate used to issue the certificates for the GlobalProtect components.
portal server certificate. You can either
use a self-signed certificate on the portal c. Generate a self-signed server certificate. Repeat this step for
and deploy the root CA certificate to the each gateway.
end clients before the first portal 2. On each firewall hosting an internal gateway:
connection, or obtain a server certificate a. Deploy the self-signed server certificates.
for the portal from a trusted CA.
You can use self-signed certificates on the
gateways.

Quick Config: GlobalProtect Internal Gateway Configuration (Continued)
Step 5 Create the HIP profiles you will need to 1. Create the HIP objects to filter the raw host data collected by
enforce security policy on gateway access. the agents. For example, if you are interested in preventing users
that are not up to date with required patches, you might create a
See Use Host Information in Policy
HIP object to match on whether the patch management
Enforcement for more information on
software is installed and that all patches with a given severity are
HIP matching.
up to date.
2. Create the HIP profiles that you plan to use in your policies.
For example, if you want to ensure that only Windows users
with up-to-date patches can access your internal applications,
you might attach the following HIP profile that will match hosts
that do NOT have a missing patch:

GlobalProtect Quick Configs GlobalProtect for Internal HIP Checking and User-Based Access
Step 6 Configure the internal gateways. Select Network > GlobalProtect > Gateways and add the following
settings:
• Interface
• IP Address
• Server Certificate
• Authentication Profile and/or Configuration Profile
Notice that it is not necessary to configure the client configuration
settings in the gateway configurations (unless you want to set up HIP
notifications) because tunnel connections are not required. See
Configure a GlobalProtect Gateway for step-by-step instructions on
creating the gateway configurations.
configuration:
Although all of the previous
configurations could use a Connect
Method of user-logon or Interface—ethernet1/2
on-demand, an internal gateway IP Address—10.31.34.13
configuration must always be on Server Certificate—GP-server-cert.pem issued by Go Daddy
and therefore requires a Connect with CN=gp.acme.com
Method of user-logon.
2. Create a GlobalProtect Client Configuration:
Use single sign-on—enabled
Connect Method—user-logon
Internal Gateway Address—california.acme.com,
newyork.acme.com
3. Commit the portal configuration.
Portal.

Step 9 Create the HIP-enabled and/or Add the following security rules for this example:
user/group-based security rules on your 1. Select Policies > Security and click Add.
gateway(s). 2. On the Source tab, set the Source Zone to l3-trust.
3. On the User tab, add the HIP profile and user/group to match.
• Click Add in the HIP Profiles section and select the HIP
profile MissingPatch.
• Click Add in the Source User section and select the group
(Finance or Engineering depending on which rule you are
creating).
4. Click OK to save the rule.
5. Commit the gateway configuration.

GlobalProtect Quick Configs Mixed Internal and External Gateway Configuration
Mixed Internal and External Gateway Configuration

In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for VPN
access and for access to your sensitive internal resources. With this configuration, agents perform internal host
detection to determine if they are on the internal or external network. If the agent determines it is on the
external network, it will attempt to connect to the external gateways listed in its client configuration and it will
establish a VPN (tunnel) connection with the gateway with the highest priority and the shortest response time.
Because security policies are defined separately on each gateway, you have granular control over which resources
your external and internal users have access to. In addition, you also have granular control over which gateways
users have access to by configuring the portal to deploy different client configurations based on user/group
membership or based on HIP profile matching.
In this example, the portals and all three gateways (one external and two internal) are deployed on separate
firewalls. The external gateway at gpvpn.acme.com provides remote VPN access to the corporate network while
the internal gateways provide granular access to sensitive datacenter resources based on group membership. In
addition, HIP checks are used to ensure that hosts accessing the datacenter are up-to-date on security patches.
Figure: GlobalProtect Deployment with Internal and External Gateways

Mixed Internal and External Gateway Configuration GlobalProtect Quick Configs
Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration
Step 1 Create Interfaces and Zones for On the firewall hosting the portal gateway (gp.acme.com):
GlobalProtect. • Select Network > Interfaces > Ethernet and configure
In this configuration, you must set up ethernet1/2 as a Layer 3 Ethernet interface with IP address
interfaces on the firewall hosting a portal 198.51.100.42 and assign it to the l3-untrust security zone and the
and each firewall hosting a gateway. default virtual router.
Use the default virtual router for all • Create a DNS “A” record that maps IP address 198.51.100.42 to
gp.acme.com.
having to create inter-zone routing. • Select Network > Interfaces > Tunnel and add the tunnel.2
On the firewall hosting the external gateway (gpvpn.acme.com):

• Select Network > Interfaces > Ethernet and configure
ethernet1/5 as a Layer 3 Ethernet interface with IP address
• Create a DNS “A” record that maps IP address 192.0.2.4 to
gpvpn.acme.com.
On the firewall hosting the internal gateways (california.acme.com and

newyork.acme.com):
• Select Network > Interfaces > Ethernet and configure Layer 3
Ethernet interface with IP addresses on the internal network and
assign them to the l3-trust security zone and the default virtual
router.
• Create a DNS “A” record that maps the internal IP addresses
california.acme.com and newyork.acme.com.
• Enable User Identification on the l3-trust zone.

Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration (Continued)
Step 2 Purchase and install a GlobalProtect After you purchase the portal license and gateway subscriptions and
Portal license on the firewall hosting the receive your activation code, install the license on the firewall hosting
portal and gateway subscriptions for each the portal and install the gateway subscriptions on the firewalls
firewall hosting a gateway (internal and hosting your gateways as follows:
external). 1. Select Device > Licenses.
2. Select Activate feature using authorization code.
3. When prompted, enter the Authorization Code and then click
OK.
4. Verify that the license and subscriptions were successfully
activated.
Step 3 Obtain server certificates for the The recommended workflow is as follows:
GlobalProtect portal and each 1. On the firewall hosting the portal:
GlobalProtect gateway. a. Import a server certificate from a well-known, third-party
In order to connect to the portal for the CA.
first time, the end clients must trust the b. Create the root CA certificate for issuing self-signed
root CA certificate used to issue the certificates for the GlobalProtect components.
portal server certificate.
c. Generate a self-signed server certificate. Repeat this step for
You can use self-signed certificates on the each gateway.
gateways and deploy the root CA
2. On each firewall hosting an internal gateway:
certificate to the agents in the client
configuration. The best practice is to • Deploy the self-signed server certificates.
generate all of the certificates on firewall
hosting the portal and deploy them to the
gateways.

Step 5 Create the HIP profiles you will need to 1. Create the HIP objects to filter the raw host data collected by
enforce security policy on gateway access. the agents. For example, if you are interested in preventing users
that are not up to date with required patches, you might create a
See Use Host Information in Policy
HIP object to match on whether the patch management
Enforcement for more information on
software is installed and that all patches with a given severity are
HIP matching.
up to date.
2. Create the HIP profiles that you plan to use in your policies.
For example, if you want to ensure that only Windows users
with up-to-date patches can access your internal applications,
you might attach the following HIP profile that will match hosts
that do NOT have a missing patch:
Step 6 Configure the internal gateways. Select Network > GlobalProtect > Gateways and add the following
settings:
• Interface
• IP Address
• Server Certificate
• Authentication Profile and/or Configuration Profile
Notice that it is not necessary to configure the client configuration
settings in the gateway configurations (unless you want to set up HIP
notifications) because tunnel connections are not required. See
Configure a GlobalProtect Gateway for step-by-step instructions on
creating the gateway configurations.

configuration:
Although this example shows how to
create a single client configuration to be 1. Set Up Access to the GlobalProtect Portal:
deployed to all agents, you could choose Interface—ethernet1/2
to create separate configurations for IP Address—10.31.34.13
different uses and then deploy them based Server Certificate—GP-server-cert.pem issued by Go Daddy
on user/group name and/or the with CN=gp.acme.com
operating system the agent/app is
2. Create a GlobalProtect Client Configuration:
running on (Android, iOS, Mac, or
Windows). Internal Host Detection—enabled
Use single sign-on—enabled
Connect Method—user-logon
External Gateway Address—gpvpn.acme.com
Internal Gateway Address—california.acme.com,
newyork.acme.com
3. Commit the portal configuration.
Portal.
Step 9 Create security policy rules on each • Create security policy (Policies > Security) to enable traffic flow
gateway to safely enable access to between the corp-vpn zone and the l3-trust zone.
applications for your VPN users. • Create HIP-enabled and user/group-based policy rules to enable
granular access to your internal datacenter resources.
• For visibility, create rules that allow all of your users web-browsing
access to the l3-untrust zone, using the default security profiles to
protect you from known threats.
Step 10 Save the GlobalProtect configuration. Click Commit on the portal and all gateways.


Global Protect VPN

Uploaded by

Copyright:

Available Formats

You might also like

Global Protect VPN

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Global Protect VPN

Uploaded by

Copyright:

Available Formats

Palo Alto Networks

GlobalProtect™ Administrator’s Guide

Palo Alto Networks

About this Guide

 For the latest release notes, go to the software downloads page at

Palo Alto Networks, Inc.

Revision Date: January 27, 2016

2 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Set Up the GlobalProtect Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 3

Set Up the GlobalProtect Mobile Security Manager . . . . . . . . . . . . . . . . . . . 85

Manage Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

4 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Manage and Monitor Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Use Host Information in Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . .187

GlobalProtect Quick Configs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 5

6 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 7

About the GlobalProtect Components

8 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 9

GlobalProtect Mobile Security Manager

10 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 11

What Client OS Versions are Supported with

Supported Client OS Versions Minimum Agent/App Minimum PAN-OS Version

Apple Mac OS 10.6 1.1 4.1.0 or later

Windows XP (32-bit) 1.0 4.0 or later

Apple iOS 6.0 1.3 app 4.1.0 or later

Third-party X-Auth IPsec Clients: N/A 5.0 or later

12 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

About GlobalProtect Licenses

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 13

14 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 15

Create Interfaces and Zones for GlobalProtect

Set Up Interfaces and Zones for GlobalProtect

16 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Set Up Interfaces and Zones for GlobalProtect (Continued)

Step 4 Save the configuration. Click Commit.

Or, if you configured a DNS record for

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 17

Enable SSL Between GlobalProtect Components

About GlobalProtect Certificate Deployment

 (Recommended) Combination of third-party certificates and self-signed certificates—Because the

18 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

GlobalProtect Certificate Best Practices

Table: GlobalProtect Certificate Requirements

Certificate Usage Issuing Process/Best Practices

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 19

Certificate Usage Issuing Process/Best Practices

20 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks

Certificate Usage Issuing Process/Best Practices

Deploy Server Certificates to the GlobalProtect Components

Deploy SSL Server Certificates to the GlobalProtect Components

Palo Alto Networks GlobalProtect 6.2 Administrator’s Guide • 21

Deploy SSL Server Certificates to the GlobalProtect Components (Continued)

22 • GlobalProtect 6.2 Administrator’s Guide Palo Alto Networks