Features Introduced
The following table describes the features introduced in GlobalProtect™ app 6.0 versions. Each entry gives the new GlobalProtect feature followed by its description.
Embedded Browser Framework Upgrade
Starting with GlobalProtect 6.0.9, the embedded browser framework for SAML authentication has been upgraded to Microsoft Edge WebView2 (Windows) and WebKit (macOS). This provides a consistent experience between the embedded browser and the GlobalProtect client. WebView2 and WebKit are also compatible with FIDO2-based authentication methods. For more information, see the Microsoft Edge WebView2 documentation.
By default, tenants using SAML authentication are configured to use the embedded WebView2 (Windows) or WebKit (macOS) instead of relying on the system's default browser. With this enhancement, end users no longer need to configure a SAML landing page or manually close the browser, which streamlines the authentication process.
In a Microsoft Entra-joined environment with SSO enabled, users are not required to enter their credentials in order to authenticate to Prisma Access using GlobalProtect. This applies whether the user is logging in to their environment for the first time or has logged in before. If an error occurs during authentication, it is displayed in the embedded browser. This authentication process works across all device states.
In a non-Entra-joined environment with SSO enabled, users must enter their credentials during the initial login. On subsequent logins, the credentials are auto-filled as long as the SAML identity provider (IdP) session is active and has not timed out.
Redesigned GlobalProtect App User Interface for Windows and macOS
GlobalProtect app 6.0 for Windows and macOS now introduces a more streamlined user interface and a more intuitive connection process. The redesigned app features improved workflows that enable end users to quickly understand connectivity and access issues. With this redesign, end users can enable the features they prefer to use from a central location. Additionally, end users can monitor specific notifications and Host Information Profile (HIP) report submissions sent to multiple internal gateways from a central location, which helps you quickly troubleshoot HIP-related issues.
Improved Connectivity Experience for the GlobalProtect App for Android and iOS
To enable a better user experience, GlobalProtect app 6.0 for Android and iOS endpoints now provides an improved connection workflow. The GlobalProtect app now displays informative connectivity error messages while the end user is connecting to the gateway. Additionally, when you configure GlobalProtect with the Always On connect method, the home screen now displays the CONNECTED state together with a message about disconnecting, which prevents end users from disconnecting when they tap the Connect icon.
Improved Authentication Experience for the GlobalProtect App for Windows and macOS
To enable a better user experience, you can now configure the GlobalProtect app to continue to display the status panel while the end user is entering their credentials when logging in or cancels the request.
Available with Content Release Version 8450-6909 or later.
SAML Authentication with Cloud Authentication Service (Windows 10, macOS, Linux, iOS, and Android)
If you have set up the GlobalProtect portal to authenticate users through Security Assertion Markup Language (SAML) authentication, you can now leverage the Cloud Authentication Service to enable users to authenticate to GlobalProtect using a cloud identity provider, such as OneLogin or Okta.
Security Policy Enforcement for Inactive GlobalProtect Sessions
You can now enforce a security policy rule to track traffic from endpoints while end users are connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions. With this enhancement, you can now enforce a shorter inactivity logout period. If a GlobalProtect session remains inactive during the configured time period, the session is automatically logged out and the VPN tunnel is terminated.
GlobalProtect for ARM64-Based Windows Devices
GlobalProtect now extends native support for ARM64-based Windows devices. This enables Palo Alto Networks customers to secure their remote workforce using ARM64-based Windows devices to access all features that are available on the GlobalProtect app, and allows uniform endpoint security policy and enforcement similar to Intel-based Windows devices.
No Direct Access to Local Network Support for Linux
GlobalProtect now extends support for Linux devices to allow you to enable or disable local network access whenever end users are connected to GlobalProtect, as on Windows and macOS. Excluding local subnets from the tunnel and allowing local subnet access enables end users to reach proxies and local resources (such as local printers) directly without sending any local subnet traffic through the VPN tunnel. If you do not want end users to access local subnets, you can disable traffic to local subnets.
GlobalProtect Certificate Delegation for Android Devices Using Workspace ONE
(Android 8 and later releases) You can now use a mobile device management (MDM) system such as Workspace ONE to grant permission to the GlobalProtect app for certificate delegation. This enables the GlobalProtect app for Android devices to select a client certificate based on the client certificate alias without first prompting GlobalProtect app users to manually select a certificate.
Single Sign-On (SSO) Using Smart Card Authentication
The GlobalProtect app now supports SSO using smart card authentication to reduce the number of times end users must enter their smart card Personal Identification Number (PIN) when they log in to their Windows 10 endpoint or authenticate to GlobalProtect. Leveraging the same smart card PIN for GlobalProtect as for their Windows 10 endpoint enables end users to connect without requiring them to re-enter their smart card PIN in the app, for a seamless SSO experience. After the end user successfully logs in to the Windows 10 endpoint, the app acquires and remembers their smart card PIN to authenticate with the portal and gateway.
Available with Content Release version 8451-6911 or later.
Endpoint Traffic Policy Enforcement (Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, and ARM-Based macOS 11 and later releases)
With the Endpoint Traffic Policy Enforcement feature, GlobalProtect now provides added security to protect your remote workforce. You can now use the Endpoint Traffic Policy feature on the GlobalProtect endpoint to block malicious inbound connections and to restrict any applications from bypassing the GlobalProtect tunnel. Additionally, you can prevent end users from tampering with the routing table to bypass the GlobalProtect tunnel.
Available with Content Release Version 8450-6909 or later.
Simplified and Seamless macOS GlobalProtect App Deployment Using Jamf MDM Integration
You can now use Jamf Pro to deploy the GlobalProtect app 6.0.4 and later releases to macOS endpoints to support large-scale GlobalProtect app deployments in on-premises and Prisma Access environments. Administrators can also provide a seamless user experience for macOS end users by deploying Jamf configuration profiles that can load system and network extensions automatically, thus preventing the user from having to respond to notifications on the GlobalProtect app.
FIPS-CC Mode for GlobalProtect (Windows and macOS, ARM-based Windows and macOS devices, iOS, Android, and Linux)
(Requires GlobalProtect app 6.0.7 version. For iOS and Android, GlobalProtect for Governments app 6.0.7 version.)
In preparation for submitting the GlobalProtect 6.0 app for FIPS-CC certification, the GlobalProtect app for Windows and macOS endpoints, ARM-based Windows and macOS devices, iOS, Android, and Linux has been updated to meet FIPS-CC requirements. GlobalProtect app FIPS-CC mode is supported on x86 and ARM-based platforms.
With this feature, you can deploy the GlobalProtect app in FIPS-CC mode to enforce stronger security checks for your users, including the following:
  • Enhanced certificate validity checks
  • Stricter x509v3 certificate checks, such as OCSP/CRL checks and extended key usage checks
  • Algorithm health checks (such as FIPS self-tests and integrity checks) to verify the system integrity and ensure that GlobalProtect uses the correct cryptography for secure communication
  • Use of FIPS and CC compliant algorithms for enhanced security (for example, to ensure that GlobalProtect does not use weak algorithms or key sizes)
  • Updated logging that provides the results of these security checks
Federal Information Processing Standard (FIPS 140-3) and Common Criteria (CC) are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by U.S. government agencies and other domestic and international regulated industries.
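As an added illustration of the certificate checks in the list above (example code, not GlobalProtect's own), the following Go program applies FIPS-style validation to constructed self-signed certificates: validity window, signature digest, RSA key size and required extended key usage. The 2048-bit and no-MD5/SHA-1 thresholds and the helper names are assumptions; OCSP/CRL lookups are not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckFIPSCert applies a subset of the stricter checks listed above and returns one finding per failure.
// Thresholds (2048-bit RSA, no MD5/SHA-1 digests) are assumptions from common FIPS/CC guidance, not GlobalProtect's logic.
func CheckFIPSCert(cert *x509.Certificate, now time.Time, wantEKU x509.ExtKeyUsage) []string {
	var findings []string
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		findings = append(findings, "certificate is outside its validity period")
	}
	switch cert.SignatureAlgorithm { // weak digests that a FIPS-CC profile would refuse
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key too small: %d bits", pub.N.BitLen()))
	}
	hasEKU := false // extended key usage check: the certificate must assert the usage we need
	for _, eku := range cert.ExtKeyUsage {
		hasEKU = hasEKU || eku == wantEKU
	}
	if !hasEKU {
		findings = append(findings, "required extended key usage is missing")
	}
	return findings
}

// selfSigned builds a constructed self-signed test certificate (not a real portal or client certificate).
func selfSigned(bits int, ekus []x509.ExtKeyUsage, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed.example"},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter, ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A 2048-bit, unexpired certificate carrying the client-authentication EKU produces no findings, while an expired 1024-bit certificate without that EKU produces three.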
Deploy Certificates for Authentication to the Endpoint Without Using Mobile Device Management (MDM)
(Requires FIPS-CC mode on GlobalProtect for Governments app 6.0.8 iOS version.)
If you have set up the GlobalProtect portal or gateway to authenticate through certificate-based authentication, you can now directly download and deploy certificates to iOS endpoints using third-party applications. With this enhancement, you no longer need to configure certificates in the VPN profile and use Mobile Device Management (MDM) software to push the certificates to the devices.
You can enable this feature by adding the following Key-Value pair to the Custom Data within the MDM VPN Profile: mode-persistent-token set to Yes.
You can now deploy GlobalProtect for Governments app 6.0.8 iOS version using Microsoft Intune.
Enhanced GlobalProtect App Log Sharing Functionality
(Requires GlobalProtect for Governments app 6.0.9 version for iOS and Android.)
On iOS and Android devices, users can now choose their preferred method of sharing the GlobalProtect app log files for troubleshooting. Previously, users could share the app logs only using Apple Mail on the iOS device or the Gmail client on the Android device. Now, users can share GlobalProtect app log files quickly and easily using their favorite file-sharing apps.