Features Introduced in GlobalProtect App 5.1

Learn about the exciting new features introduced in the GlobalProtect™ App 5.1 release.
The following table describes the new features introduced in GlobalProtect app 5.1. For additional information on how to use the new features in this release, refer to the GlobalProtect App 5.1 New Features Guide.
New GlobalProtect Feature
Description
macOS System Extensions Support
(GlobalProtect app 5.1.4 and later releases) The GlobalProtect app can now use system extensions on macOS Catalina 10.15.4 and macOS Big Sur 11 endpoints to enable capabilities such as split tunnel on the GlobalProtect gateway and to enforce GlobalProtect connections for network access without requiring kernel extensions. GlobalProtect app 5.1.4 replaces kernel extensions with system extensions on macOS Catalina 10.15.4 and macOS Big Sur 11. With system extensions enabled on these endpoints, you can use a split tunnel based on the destination domain and application, and you can enforce GlobalProtect connections for network access.
Consolidated Connectivity Messages for the GlobalProtect App for Windows and macOS
(GlobalProtect app 5.1.1 and later releases) To enable a better user experience, the GlobalProtect apps for Windows and macOS are updated to display any connectivity errors directly in the app panel. With this change, the messages displayed when users have connectivity issues are consolidated within the app panel so that pop-up messages do not interrupt the user.
SAML Authentication for the GlobalProtect App for Linux
The GlobalProtect app for Linux now supports Security Assertion Markup Language (SAML). SAML authentication is available in the GUI version of the app but not in the CLI version.
Due to restrictions for Microsoft Azure support for Ubuntu operating systems, the GlobalProtect App for Linux does not support SAML when Microsoft Azure is used as the SAML identity provider.
GlobalProtect for Windows 10 UWP for ARM64 Devices
GlobalProtect now extends enterprise security protection to enable enforcement of the same next-generation firewall-based policies that are enforced within the physical perimeter to ARM64 devices running Windows Universal Windows Platform (UWP). You can download the GlobalProtect app directly from the Microsoft Store.
GlobalProtect for IoT Devices
GlobalProtect now extends firewall capabilities such as User-ID, App-ID, and HIP to secure traffic from your IoT devices. GlobalProtect for IoT is available for devices running Windows, Ubuntu, Raspbian, and Android. GlobalProtect for IoT operates in headless mode where no UI is present on the device and seamlessly connects to your GlobalProtect gateways.
IoT support is available with a GlobalProtect subscription.
Host information collection is available with Content Release version 8196-5685 or later.
Graphical User Interface for GlobalProtect App for Linux
GlobalProtect for Linux is now available with a graphical user interface (GUI). Similar to GlobalProtect for Windows and macOS, you can use the GUI to connect to and disconnect from GlobalProtect portal and gateways; receive notifications and errors; enable or disable the app; and view host, connection, and other information about the app. You can also toggle from the CLI to the GUI version as desired.
User Sign-Out Restriction (Windows, macOS, iOS, Android, and Chrome)
You can now prevent or allow users to sign out of GlobalProtect. By default, GlobalProtect allows users to sign out. To customize this GlobalProtect behavior, configure the Allow user to Sign Out from GlobalProtect App option in the App configuration of your GlobalProtect portal. The new option is available with Content Release Version 8196-5685 or later.
Biometric Sign-In Support (Windows, macOS, iOS, and Android)
For enhanced usability, GlobalProtect now supports biometric sign-in. When biometric sign-in is enabled on an endpoint, GlobalProtect can authenticate using the saved user credentials when a user supplies a fingerprint scan that matches a trusted fingerprint template on the endpoint. To enable biometric sign-in, configure Save User Credentials as Only with User Fingerprint in the App configuration of your GlobalProtect portal.
Requires PAN-OS 9.1 or a later release.
Single Sign-On (SSO) for macOS Endpoints
The GlobalProtect app now supports single sign-on for macOS endpoints. Single sign-on improves the user experience by reducing the number of times users must enter credentials when they log in. When a user logs in to macOS, the GlobalProtect app acquires and uses the credentials to authenticate with GlobalProtect portal and gateways. To enable single sign-on, set Use Single Sign-on (macOS) to Yes in the App configuration of your GlobalProtect portal.
Available with Content Release Version 8196-5685 or later.
GlobalProtect Gateway Latency Reporting
To help you troubleshoot connection and performance issues for a specific user, GlobalProtect now collects and reports telemetry information for latency between the GlobalProtect gateway and the endpoint. Now, you can easily identify the gateway to which the user is connected, the current stage of the connection, and statistics about the pre-tunnel and post-tunnel network latency. To view logs, see the new Monitor > Logs > GlobalProtect section on PAN-OS 9.1 and later releases.
Proxy Handling for macOS Endpoints
The GlobalProtect app can now automatically detect and inherit proxy settings on macOS endpoints. This enables you to deploy GlobalProtect on macOS endpoints that do not have a direct internet connection and that route traffic through a proxy server. GlobalProtect for macOS supports both the use of PAC files and manual proxy configuration.
GlobalProtect does not monitor changes to the proxy settings of the physical adapter. As a result, if an end user changes the proxy settings of the physical adapter after GlobalProtect is connected, the user must manually disconnect and reconnect to enable GlobalProtect to detect and inherit the new settings.
Exclusions to Allow Traffic to Specified Hosts or Networks When Enforce GlobalProtect Connection for Network Access is Enabled and GlobalProtect Connection is not established (Windows and macOS)
To improve user experience when a GlobalProtect connection is not established, you can now provide exclusions that allow traffic to specified hosts or networks for access to local resources, even though Enforce GlobalProtect Connection for Network Access is enabled for all users. With this option, which is available as a dynamic app configuration, you can, for example, exclude link-local addresses and allow access to a local network segment or broadcast domain when GlobalProtect is not connected. You can configure up to ten IP addresses or network segments for which you want to allow access in the Exceptions to Enforce GlobalProtect field of the App configuration of your GlobalProtect portal.
Available with Content Version 8196-5685 or later.
New Linux OS Support for Ubuntu
GlobalProtect is now available for endpoints running the following Linux OS versions for Ubuntu:
  • Ubuntu 20.04 (CLI-based GlobalProtect app only)
  • Ubuntu 19.04 (CLI-based and GUI-based GlobalProtect app)
  • Ubuntu 18.04.3 LTS (CLI-based and GUI-based GlobalProtect app)
  • Ubuntu 18.04.2 LTS (CLI-based and GUI-based GlobalProtect app)
  • Ubuntu 18.04.1 LTS (CLI-based and GUI-based GlobalProtect app)
  • Ubuntu 18.04 LTS (CLI-based and GUI-based GlobalProtect app)
  • Ubuntu 16.04 LTS (CLI-based and GUI-based GlobalProtect app)
  • Ubuntu 14.04 (CLI-based and GUI-based GlobalProtect app)
In addition, on these OS versions you can now create HIP objects for use in security policy enforcement.
New Linux OS Support for Red Hat Enterprise Linux
GlobalProtect is now available for endpoints running the following Linux OS versions for Red Hat Enterprise Linux:
  • Red Hat Enterprise Linux 7.7 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 7.6 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 7.5 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 7.4 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 7.3 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 7.2 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 7.1 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 7.0 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 6.9 (CLI-based GlobalProtect app only)
  • Red Hat Enterprise Linux 6.8 (CLI-based GlobalProtect app only)
In addition, on these OS versions you can now create HIP objects for use in security policy enforcement.
New Linux OS Support for CentOS
GlobalProtect is now available for endpoints running the following Linux OS versions for CentOS:
  • CentOS 8.0 (CLI-based GlobalProtect app)
  • CentOS 7.7 (CLI-based and GUI-based GlobalProtect app)
  • CentOS 7.6 (CLI-based and GUI-based GlobalProtect app)
  • CentOS 7.5 (CLI-based and GUI-based GlobalProtect app)
  • CentOS 7.4 (CLI-based and GUI-based GlobalProtect app)
  • CentOS 7.3 (CLI-based and GUI-based GlobalProtect app)
  • CentOS 7.2 (CLI-based and GUI-based GlobalProtect app)
  • CentOS 7.1 (CLI-based and GUI-based GlobalProtect app)
  • CentOS 7.0 (CLI-based and GUI-based GlobalProtect app)
In addition, on these OS versions you can now create HIP objects for use in security policy enforcement.
Uninstall Option for GlobalProtect (Windows only)
To prevent users from uninstalling the GlobalProtect app and thereby bypassing the Always On GlobalProtect configuration, you can now require a password to uninstall GlobalProtect. To get this password, users must work with the IT administrator or Help Desk team that manages access to the password.
Requires PAN-OS 9.1 and Content Version 8207-5750 or later.
Seamless Soft-Token Authentication with RSA SecurID
The GlobalProtect app can now automatically generate and retrieve the one-time password for PIN-based and no-PIN-based soft-token authentication with RSA SecurID. The user must specify the PIN on first use only.
SSL Tunnel Enforcement
To ensure reliable connectivity and a better user experience in networks where an IPSec connection is not permitted or is unreliable, you can configure the GlobalProtect app to connect using SSL instead of using IPSec as the default.
Available with Content Version 8207-5750 or later.
SAML SSO for the GlobalProtect app for Android on Chromebooks
The GlobalProtect app for Android now supports SAML single sign-on (SSO) for Chromebooks. End users can authenticate to GlobalProtect by leveraging the same login they use to access their Chromebook device or account. This enables users to connect to GlobalProtect without having to re-enter their credentials in the GlobalProtect app.
Requires PAN-OS 9.1 or later.