What Features Does GlobalProtect Support?

Table of Contents

What Features Does GlobalProtect Support for IoT?

What Features Does GlobalProtect Support?

Review the features that GlobalProtect™ supports based on the platform operating system (OS).

The following table lists the features supported on GlobalProtect™ by operating system (OS). An entry in the table indicates the first supported release of the feature on the OS (however, you should review the End-of-Life Summary to ensure you are using a supported release). A dash (“—”) indicates that the feature is not supported. For recommended minimum GlobalProtect app versions, see Where Can I Install the GlobalProtect App?.

For Chromebook and other Chrome OS devices, use Android App 5.0 or a later version to get GlobalProtect app features introduced in GlobalProtect app 5.0 and later releases. (Refer also to the end-of-life (EoL) information for the GlobalProtect app.)

Feature	Android	iOS	Chrome	Windows	Windows 10 UWP	macOS	Linux
`Authentication`
Multi-Factor Authentication Policy	—	—	—	4.0.0	—	4.0.0	—
Improvements for Multi Authentication CIE Experience				6.3.1
SAML Authentication	4.0.0	4.0.0 (On-Demand `connect method only`)	4.1.0	4.0.0	—	4.0.0	5.1 (`GUI-based GlobalProtect app`)
SAML Authentication with Cloud Authentication Service Note: Requires use of Default System Browser	6.0.0	6.0.0 (On Demand `connect method only`)	6.0.0	6.0.0	—	6.0.0	6.0.0
Default System Browser for SAML Authentication	5.2.0	5.2.0	5.2.0	5.2.0	—	5.2.0	5.2.0
Expired Active Directory Password Change for Remote Users	4.1.0	4.1.0 (`notifications only`) 5.0.0 (`full support`)	4.1.0	4.1.0	4.1.0	4.1.0	—
Active Directory Password Change Using the GlobalProtect Credential Provider	—	—	—	4.1.0	—	—	—
Mixed Authentication Method Support or Certificates or User Credentials	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Pre-Logon Followed by Two-Factor Authentication	—	—	—	4.1.0	—	4.1.0	—
Pre-Logon Followed by SAML Authentication	—	—	—	4.1.0	—	4.1.0	—
`Single Sign-On (SSO)`
SSO (Credential Provider)	—	—	—	1.2.0	—	—	—
Kerberos SSO	—	—	—	3.0.0	—	4.1.0	—
SAML SSO	5.1.0	5.2.0	5.1.0	5.2.0	—	5.2.0	5.2.0
SSO (Smart Card Authentication)	—	—	—	6.0.0 Windows 10 or later	—	—	—
`VPN Connections`
IPSec	1.3.0	1.3.0	3.1.1	1.0.0	—	1.0.0	4.1.0
SSL	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1.0
SSL Tunnel Enforcement	5.1.0	5.1.0	—	5.1.0	—	5.1.0	5.0.6 (`CLI`) 5.1.0 (`web interface`)
Clientless VPN	— (no client required)	— (no client required)	— (no client required)	— (no client required)	— (no client required)	— (no client required)	— (no client required)
`Connect Methods`
User-logon (always on)	1.3.0	1.3.0	5.0.0 (`through extended support for the GlobalProtect app for Android`)	1.0.0	3.1.3 (`Always On configured from third-party MDM`)	1.0.0	4.1.0
Pre-logon (always-on)	—	—	—	1.1.0	—	1.1.0	—
Pre-logon (then on-demand)	—	—	—	3.1.0	—	3.1.0	—
On-demand	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1.0
Connect Before Logon	—	—	—	5.2.0	—	—	—
Conditional Connect Method	—	—	—	6.2.0	6.2.0	6.2.0	—
`Connection Priority`
External Gateway Priority by Source Region	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Internal Gateway Selection by Source IP Address	4.0.0 (`Except DHCP options`)	4.0.0 (`Except DHCP options`)	—	4.0.0	—	4.0.0	4.1.0
`Modes`
Internal mode	1.3.0	1.3.0	—	1.0.0	—	1.0.0	4.1
External mode	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1
Prisma Access Explicit Proxy Connectivity in GlobalProtect	—	—	—	6.2.0	6.2.0	6.2.0	—
`Networking`
Intelligent Internal Host Detection	—	—	6.3.1	6.3.1	6.3.1	6.3.1	6.3.1
Traffic Enforcement	—	—	6.3.1	6.3.1	6.3.1	6.3.1	6.3.1
IPv4 Addressing	1.3.0	1.3.0	3.1.1	1.0.0	3.1.3	1.0.0	4.1
IPv6 Addressing	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1
Split Tunnel to Exclude by Access Route	—	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1
Optimized Split Tunneling for GlobalProtect	—	—	—	4.1.0	—	4.1.0	6.1.0 Domain-based split tunneling only; application-based split tunneling not supported
Enhanced Split Tunneling	—	—	—	6.2.0	6.2.0	6.2.0	—
Wildcard Support for Split Tunnel Settings Based on the Application	—	—	—	6.3.1	—	6.3.1	—
Split DNS for iOS	—	6.1.6	—	—	—	—	—
Split DNS	—	—	—	5.2.0	—	5.2.0	6.1.0
Per-App VPN	4.0.0	4.0.0
No Direct Access to Local Network	—	—	—	4.0.0	—	4.0.0	6.0.0
Endpoint Traffic Policy Enforcement	—	—	—	6.0.0 Windows 10 or later	—	6.0.0 macOS 11 and later	—
`Customization`
Autonomous DEM Integration for User Experience Management	—	—	—	5.2.6	—	5.2.6	—
GlobalProtect App Log Collection for Troubleshooting	5.2.5	5.2.5	5.2.5	5.2.5	—	5.2.5	5.2.5
Configurable Maximum Transmission Unit for GlobalProtect Connections	5.2.4	5.2.4	5.2.4	5.2.4	5.2.4	5.2.4	5.2.4
Connect Before Logon	—	—	—	5.2.0	—	—	—
User-Initiated Pre-Logon Connection	-	-	-	5.0.3	-	-	-
Support for Preferred Gateways	5.0.3	5.0.7	-	5.0.3	-	5.0.3	-
GlobalProtect Gateway Location Configuration	5.0.0	5.0.0	-	5.0.0	-	5.0.0	-
Automatic Launching of Web Browser in Captive Portal Environment	-	-	-	4.1.0	-	4.1.0	-
GlobalProtect Tunnel Preservation On User Logout	-	-	-	4.1.0	-	-	-
Endpoint Tunnel Configurations Based on Source Region or IP Address	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
HIP Report Redistribution	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
DNS Configuration Assignment Based on Users or User Groups	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Tunnel Restoration and Authentication Cookie Usage Restrictions	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Concurrent Support for IPv4 and IPv6 DNS Servers	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Support for IPv6-Only GlobalProtect Deployment	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
FIPS-CC	—	—	—	FIPS Validated on 5.1.4 CC Certified on 5.1.5 x86 platforms FIPS-CC available on 6.0.7	—	FIPS Validated on 5.1.4 CC Certified on 5.1.5 x86 platforms FIPS-CC available on 6.0.7	6.0.7
MDM Integration for HIP-Based Policy Enforcement	5.0.0	5.0.0	—	—	—	—	—
Captive Portal Notification Delay	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Tunnel Connections Over Proxies	—	—	—	4.1.7	—	4.1.7	—
PAC deployment via GlobalProtect app	—	—	—	6.1.0	—	6.1.0	6.1.0
End-user Notification about GlobalProtect Session Logout	—	—	—	6.1.0	—	6.1.0	6.1.0
GlobalProtect Credentials Provier Pre-Logon Connection Status	—	—	—	4.1.0	—	—	—
Static IP Address Assignment	—	—	—	4.1.0	—	—	—
Multiple Portal Support	—	—	—	4.1.0	—	4.1.0	—
Customizable Username and Password Labels	4.1.0	4.1.0	—	4.1.0	4.1.0	4.1.0	4.1.0
Gateway-Level IP Pools	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Resilient VPN	4.0.3	4.0.3	—	4.0.3	—	4.0.3	—
Pre-logon tunnel rename timeout	—	—	—	4.0.2	—	—	—
Restrict Transparent Agent Upgrades to Internal Network Connections	—	—	—	4.0.0	—	4.0.0	—
Enforce GlobalProtect for Network Access	—	—	—	3.1.0	3.1.3 (`VPN Lockdown configured from third-party MDM`)	3.1.0	—
Enforce GlobalProtect Exclusions	—	—	—	5.1.0	—	5.1.0	—
Enforce GlobalProtect Connections with FQDN Exclusions	—	—	—	5.2.0	—	5.2.0	—
Certificate selection by OID	—	—	—	3.0.0	—	3.0.0	—
Deployment of SSL Forward Proxy CA certificates in the trust store	—	—	—	3.0.0	—	3.0.0	—
HIP reports	1.3.0	1.3.0	3.0.0	1.0.0	3.1.3 (`Host information only; Notifications not supported`)	1.0.0	4.1.0 (`Host information only`)
Run scripts before and after sessions	—	—	—	2.3.0	—	2.3.0	—
Allow users to disable GlobalProtect	6.0	—	—	2.2.0	—	2.2.0	4.1.0
Welcome and help pages	1.3.0	1.3.0	3.0.0	1.0.0	—	1.0.0	—
HIP Exceptions for Patch Management	—	—	—	6.2.0	6.2.0	6.2.0	—
HIP Process Remediation	—	—	—	6.2.0	6.2.0	6.2.0	—
Extend User Session for GlobalProtect Users	—	—	—	6.2.0	6.2.0	6.2.0	—
`Other`
Support for 100 Manual Gateways	5.0.3	5.0.7	-	5.0.3	-	5.0.3	5.0.3
GlobalProtect Portal and Gateway Support for TLSv1.3	6.0.8, 6.1.3,6.2.1, or later versions	6.0.8, 6.1.3,6.2.1, or later versions	6.0.8, 6.1.3,6.2.1, or later versions	6.0.8, 6.1.3,6.2.1, or later versions (`Minimum version of Windows 11 required`)	6.0.8, 6.1.3,6.2.1, or later versions	6.0.8, 6.1.3,6.2.1, or later versions	6.0.8, 6.1.3,6.2.1, or later versions (`Ubuntu 20`)
User Location Visibility on GlobalProtect Gateways and Portals	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0	4.1.0
Gateway and Portal Location Visibility for End Users	5.0.0	5.0.0	—	5.0.0	—	5.0.0	—
Primary Username Visiblity on GlobalProtect Gateways	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.0.0	4.1.0
Automatic VPN Reconnect for Chromebooks	—	—	4.1.0	—	—	—	—
Support for Native Certificate Store for Prisma Access and GloabProtect App on Linux Endpoints	—	—	—	—	—	—	6.2.0 or later versions
Enhanced HIP Remediation Process	—	—	—	6.3.0 or later versions	—	6.3.0 or later versions	—
Enhancements for Authentication Using Smart Cards	—	—	—	6.3.0 or later versions	—	6.3.1 or later versions	—
Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts	—	—	—	6.3.0 or later versions	—	6.3.0 or later versions	—
Intelligent Portal				6.3 (Pre-logon (Always On) `connect method only`)		6.3
Best Gateway Selection Criteria	—	—	—	6.3.1	—	6.3.1	—
CLI Support for SAML Authentication with Default Browser for GlobalProtect App on Linux Endpoints	—	—	—	—	—	—	6.2.1 or later versions
Identification and Quarantine of Compromised Devices (Deprecates Device Block List)	5.1.0	5.1.0	5.1.0	5.1.0	5.1.0	5.1.0	5.1.0

Third-Party VPN Client Support

What Features Does GlobalProtect Support for IoT?

Compatability Matrix

What Features Does GlobalProtect Support?

Compatability Matrix

What Features Does GlobalProtect Support?

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Best Practices

Experts Corner