GlobalProtect

Features Introduced
Learn about new features.
The following topics describe the new features in GlobalProtect 6.3 versions:

Features Introduced in GlobalProtect App 6.3.1

The following new features are introduced in GlobalProtect app 6.3.1.

Traffic Enforcement with Forwarding Profiles

Enable traffic enforcement to block outgoing connections.
You can block outbound UDP and IPv6 traffic from endpoints when the GlobalProtect agent is deployed in proxy mode, and you can customize the block actions. This option is available only if you have Prisma Access managed by Strata Cloud Manager and GlobalProtect agent 6.3.1. For more information, see Prisma Access Explicit Forwarding Profiles.

Intelligent Internal Host Detection

Information about the new parameter, Enable Intelligent Internal Host Detection.
GlobalProtect 6.3.1 and later releases include the Intelligent Internal Host Detection parameter. It applies when the GlobalProtect app is used in internal host detection mode for User-ID while a third-party VPN provides access to private applications. If internal host detection runs before the third-party VPN has established its tunnel, the detection fails and the User-ID mapping is not established. With Enable Intelligent Internal Host Detection, the app re-triggers network discovery until internal host detection succeeds, so User-ID works even when a third-party VPN agent is present.

Best Gateway Selection Criteria

GlobalProtect uses network discovery to select the best available gateway from the configured gateways. The app attempts to communicate with all of them and uses criteria such as gateway priority, load, and gateway response time to determine which gateway to connect to. Suboptimal endpoint conditions, such as heavy load or high CPU usage on the endpoint itself, can distort the measured response time and lead to an incorrect gateway selection.
The Best Gateway Selection Criteria feature prevents these endpoint conditions from skewing network discovery, so the app reliably selects the best available gateway even on a struggling endpoint.
You can now configure the best gateway selection criteria in the app settings of the GlobalProtect portal configuration, so that endpoints connecting from an external network select the best available gateway.
When the end user connects from an external network, the GlobalProtect app first attempts to connect to the external gateways listed in its client configuration, and then establishes a connection to the gateway with the highest priority and shortest response time.
Previously, the app measured the time to establish an external gateway connection as the time taken for a successful TLS handshake.
With this feature, you can configure the app to use the time taken for a successful TCP connection instead. When you set the Best Gateway Selection Criteria option to Response Time in the app settings of the portal configuration, the app uses the duration of the TCP handshake as the measured time to establish an external gateway connection.
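The following is an added illustration, not code from GlobalProtect or Palo Alto Networks, of why the two measurement criteria behave differently and how a priority-then-response-time ranking plays out. It assumes a hypothetical priority encoding (1 = highest) and a simple "lowest priority number, then lowest measured time" rule; the real app's weighting of priority, load and response time is not described on this page. The gateway names, hostnames and timing numbers are constructed, and the TLS timings are chosen to show the reordering a CPU-starved endpoint can cause, since the TLS handshake includes certificate validation and key exchange work on the endpoint while a bare TCP connect is dominated by network round-trip time. The two measurement functions use real sockets so you can point them at your own gateways; the demo injects the constructed numbers instead so it runs offline.

```python
import socket
import ssl
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Gateway:
    name: str
    host: str
    priority: int  # hypothetical encoding: 1 = highest priority, larger = lower
    port: int = 443


def tcp_connect_time(host: str, port: int, timeout: float = 5.0) -> float:
    """Seconds for the TCP three-way handshake alone (mostly network RTT).
    Returns inf when the gateway cannot be reached."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        return float("inf")
    return time.monotonic() - start


def tls_handshake_time(host: str, port: int, timeout: float = 5.0) -> float:
    """Seconds for TCP connect plus a full TLS handshake. The handshake adds
    certificate-chain validation and key exchange on the endpoint, so a busy
    CPU inflates this number even when the network path is fine."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                pass
    except OSError:  # ssl.SSLError is a subclass of OSError
        return float("inf")
    return time.monotonic() - start


MEASURERS: Dict[str, Callable[[str, int], float]] = {
    "tcp": tcp_connect_time,
    "tls": tls_handshake_time,
}


def select_best_gateway(
    gateways: List[Gateway],
    criteria: str = "tcp",
    measure: Optional[Callable[[str, int], float]] = None,
) -> Tuple[Optional[Gateway], Dict[str, float]]:
    """Measure every gateway, drop unreachable ones, then pick the lowest
    (priority, response time). `measure` can be injected for offline use."""
    measure = measure or MEASURERS[criteria]
    timings = {gw.name: measure(gw.host, gw.port) for gw in gateways}
    reachable = [gw for gw in gateways if timings[gw.name] != float("inf")]
    if not reachable:
        return None, timings
    best = min(reachable, key=lambda gw: (gw.priority, timings[gw.name]))
    return best, timings


# Constructed sample: two priority-1 gateways and one priority-2 backup.
SAMPLE_GATEWAYS = [
    Gateway("gw-east", "gw-east.example.invalid", priority=1),
    Gateway("gw-west", "gw-west.example.invalid", priority=1),
    Gateway("gw-backup", "gw-backup.example.invalid", priority=2),
]

# Constructed timings in seconds for one endpoint. TCP connect tracks the
# network; the TLS numbers model a CPU-starved laptop whose crypto work
# adds enough jitter to swap the order of gw-east and gw-west.
SAMPLE_TCP = {
    "gw-east.example.invalid": 0.120,
    "gw-west.example.invalid": 0.045,
    "gw-backup.example.invalid": 0.010,
}
SAMPLE_TLS_LOADED = {
    "gw-east.example.invalid": 0.380,
    "gw-west.example.invalid": 0.610,
    "gw-backup.example.invalid": 0.300,
}


def demo() -> Tuple[str, str]:
    """Return (winner by TCP connect time, winner by loaded TLS time)."""
    by_tcp, _ = select_best_gateway(SAMPLE_GATEWAYS, measure=lambda h, p: SAMPLE_TCP[h])
    by_tls, _ = select_best_gateway(SAMPLE_GATEWAYS, measure=lambda h, p: SAMPLE_TLS_LOADED[h])
    return by_tcp.name, by_tls.name


if __name__ == "__main__":
    print(demo())
```

Note that gw-backup has the shortest time under both criteria but is never chosen while a priority-1 gateway is reachable; only the tie-break between equal-priority gateways is affected by the measurement, which is exactly where a skewed TLS timing changes the outcome.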

Wildcard Support for Split Tunnel Settings Based on the Application

You can configure the path of an endpoint application using the wildcard character (*) when you set up application-based split tunneling, for both exclude and include traffic. You can add up to 200 entries to the list of applications whose traffic is excluded from or included in the VPN tunnel.
When you use the wildcard character in an application path and add that path to the split-tunnel exclude or include list, GlobalProtect bypasses the application check for that path even when the path changes after a software or patch update.
For example, when you apply the wildcard character to the path of a third-party application such as Symantec Web Security Service (WSS) or Microsoft Teams, you no longer need to update the exclude entry in the split-tunnel configuration manually each time a software update changes the application path.
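As an added example (not GlobalProtect's own matching code), here is how a wildcard application-path rule keeps matching across version-stamped install directories, together with the 200-entry limit the note mentions. It assumes glob-style semantics in which `*` matches any run of characters, directory separators included, and assumes exclude entries are evaluated before include entries; the real evaluation order and the exact wildcard grammar are not stated on this page. The Teams-style path is constructed for illustration and is not a documented install location.

```python
import fnmatch
import re
from typing import Iterable, List, Optional, Tuple

MAX_ENTRIES = 200  # per-list limit stated in the release note


def _normalize(path: str) -> str:
    """Windows application paths are case-insensitive; unify separators too."""
    return path.replace("/", "\\").lower()


def _compile(patterns: Iterable[str], label: str) -> List[Tuple[str, "re.Pattern"]]:
    entries = list(patterns)
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{label} list has {len(entries)} entries; limit is {MAX_ENTRIES}")
    # fnmatch.translate turns '*' into '.*' (separators included) and escapes
    # everything else, including the backslashes in Windows paths.
    return [(p, re.compile(fnmatch.translate(_normalize(p)))) for p in entries]


class SplitTunnelAppRules:
    """Assumed evaluation order: exclude list, then include list, then the
    tunnel's default handling for traffic that matches neither."""

    def __init__(self, exclude: Iterable[str] = (), include: Iterable[str] = ()):
        self.exclude = _compile(exclude, "exclude")
        self.include = _compile(include, "include")

    def decision(self, app_path: str) -> Tuple[str, Optional[str]]:
        """Return ("exclude" | "include" | "default", matching rule or None)."""
        path = _normalize(app_path)
        for raw, rx in self.exclude:
            if rx.match(path):
                return "exclude", raw
        for raw, rx in self.include:
            if rx.match(path):
                return "include", raw
        return "default", None


# Constructed rule: the version-stamped directory changes on every update,
# so the wildcard covers all of them with a single entry.
TEAMS_RULE = r"C:\Program Files\WindowsApps\MicrosoftTeams_*\msteams.exe"
RULES = SplitTunnelAppRules(exclude=[TEAMS_RULE])


def classify(paths: Iterable[str]) -> dict:
    """Map each candidate executable path to its split-tunnel decision."""
    return {p: RULES.decision(p)[0] for p in paths}


if __name__ == "__main__":
    for path, verdict in classify([
        r"C:\Program Files\WindowsApps\MicrosoftTeams_24.1.0\msteams.exe",
        r"C:\Program Files\WindowsApps\MicrosoftTeams_24.2.7\msteams.exe",
        r"C:\Program Files\WindowsApps\MicrosoftTeams_24.2.7\update.exe",
    ]).items():
        print(f"{verdict:8} {path}")
```

The trade-off to keep in mind when writing such rules: a `*` placed early in the path widens the match far beyond one application, so anchor the wildcard to the version segment and keep the executable name literal, as the constructed rule does.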

Enhancements for Authentication Using Smart Cards

Enhancements for Authentication Using Smart Cards on macOS Endpoints
The enhancements for authentication using smart cards are now extended to endpoints running macOS.
The smart card authentication method is enhanced to include an authentication fallback mechanism when the smart card is not available to authenticate users to the GlobalProtect app.
When you set smart card authentication for the end users to authenticate to the GlobalProtect app and when the configured smart card is not available, the user authentication will now fallback to any other username and password authentication methods that you have configured for the app.
The smart card authentication fallback will happen only if you have selected the Allow Authentication with User Credentials OR Client Certificate option while configuring the GlobalProtect gateway and portal. This option defines whether users can authenticate to the portal or gateway using credentials and/or client certificates.
Enhancements for Authentication Using Smart Cards on Windows Endpoints
You can predeploy the customized Windows Registry key values for the profile options <PIV> and <NO PIV>.

Improvements for Multi Authentication CIE Experience

When CIE (SAML) multi-authentication is configured for the GlobalProtect app as the authentication method, end users are no longer required to enter their single sign-on (SSO) credentials when they try to authenticate to the app.
You can now predeploy the registry key CASSKIPHUBPAGE (path: \HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings) on the Windows endpoints to enable this feature.
After you enable this feature, end users are not prompted to enter their SAML credentials while authenticating to the app using the embedded browser or the default browser. This feature is supported only on Windows platforms.

Features Introduced in GlobalProtect App 6.3.0

The following new features are introduced in GlobalProtect app 6.3.0.

Enhanced HIP Remediation Process Improvements

You can now configure the GlobalProtect app to rerun the HIP remediation script whenever the GlobalProtect endpoint fails the process check after running the configured HIP remediation process.
This feature enables the app to rerun the HIP remediation script when the process fails after the set HIP remediation timeout period to help the endpoint recover from a HIP check failure. The app reruns the remediation script after a process check failure based on the HIP Process Remediation Retry count you configure through the app settings of the GlobalProtect portal. When you enable this feature, the GlobalProtect app resubmits the HIP report only after the app reruns the HIP remediation script in case of HIP check failures.
For example, if you configure the retry count as 3 and the remediation timeout period as 5 mins in the portal configuration, then every time the endpoint fails the process check after performing the remediation process, the app runs the script three times and waits up to 5 mins before it submits the HIP report.
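To make the retry and timeout semantics of the paragraph above concrete, here is an added simulation of the loop (not GlobalProtect's own implementation): one initial remediation run, then up to the configured number of reruns, each followed by a wait of at most the remediation timeout for the process check to pass, with the HIP report produced only after the loop ends. It assumes the process check is polled at a fixed interval while waiting and that the timeout applies per run; both details are assumptions. The clock is injected so the 3-retry, 5-minute case from the text runs instantly.

```python
import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class HipResult:
    """What the app would put in the HIP report once the loop finishes."""
    remediation_runs: int
    process_running: bool
    elapsed_s: float


def remediate_with_retry(
    process_check: Callable[[], bool],
    run_script: Callable[[], None],
    retry_count: int,
    timeout_s: float,
    *,
    now: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
    poll_s: float = 5.0,
) -> HipResult:
    """Run the remediation script, wait up to timeout_s for the process check
    to pass, and rerun the script up to retry_count more times on failure.
    Whatever the outcome, the HIP report is only built after the loop."""
    started = now()
    runs = 0
    for _ in range(retry_count + 1):  # one initial run plus retry_count reruns
        run_script()
        runs += 1
        deadline = now() + timeout_s
        while now() < deadline:
            if process_check():
                return HipResult(runs, True, now() - started)
            sleep(poll_s)
        # timeout expired with the process still missing: loop to rerun
    return HipResult(runs, False, now() - started)


class FakeClock:
    """Constructed clock so the loop runs without real waiting."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def demo(succeeds_after_runs: int) -> HipResult:
    """Simulate an endpoint whose process only appears after the script has
    been run `succeeds_after_runs` times, using retry count 3 and a 5-minute
    timeout as in the text."""
    clock = FakeClock()
    state = {"runs": 0}

    def run_script() -> None:
        state["runs"] += 1

    def process_check() -> bool:
        return state["runs"] >= succeeds_after_runs

    return remediate_with_retry(
        process_check, run_script, retry_count=3, timeout_s=300,
        now=clock.now, sleep=clock.sleep, poll_s=30,
    )


if __name__ == "__main__":
    print(demo(3))   # recovers on the second rerun, ~10 minutes in
    print(demo(99))  # never recovers: 4 runs, report shows failure at 20 minutes
```

The worst case is worth noting operationally: with retry count 3 and a 5-minute timeout, a remediation that never succeeds delays the HIP report by about 20 minutes, so size the retry count against how long you are willing to leave an endpoint in an unknown compliance state.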

Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts

You can now use the GlobalProtect app with smart card and ActivClient software without entering the smart card PIN multiple times when the Connect Before Logon (CBL) connection method is configured for the GlobalProtect app.
Previously, when ActivClient software was installed on the devices and Connect Before Logon was configured for the GlobalProtect app, end users were prompted to enter the smart card PIN multiple times while trying to connect using the CBL method.
This enhancement removes the multiple smart card PIN prompts that end users received from the Windows identity provider and from ActivClient while connecting the GlobalProtect app with a smart card and ActivClient software. The app now prompts for the PIN only once, and that prompt comes from the ActivClient software.

Enhancements for Authentication Using Smart Cards-Authentication Fallback

The smart card authentication method is enhanced to include an authentication fallback mechanism when the smart card is not available to authenticate users to the GlobalProtect app.
When you set smart card authentication for the end users to authenticate to the GlobalProtect app and when the configured smart card is not available, the user authentication will now fallback to any other username and password authentication methods that you have configured for the app.
The smart card authentication fallback will happen only if you have selected the Allow Authentication with User Credentials OR Client Certificate option while configuring the GlobalProtect gateway and portal. This option defines whether users can authenticate to the portal or gateway using credentials and/or client certificates.

Intelligent Portal

Learn how to get routed to the appropriate Prisma Access portal based on your location.
Corporate users travel between multiple countries for their work. The intelligent portal selection feature enables automatic selection of the appropriate portal when a user travels across multiple countries for seamless and secure connectivity. After you configure intelligent portal in your environment, you're automatically routed to the appropriate Prisma Access portal based on your country location. For example, when you travel to China, you are directed to the China Prisma Access portal and to the North America portal when you're in the United States. This eliminates the need for manual selection of portals and improves the end user experience.
The intelligent portal feature is supported for the Always-On and Always-On (Pre-logon) modes. It is supported for Connect Before Logon if there are no portal addresses defined.
You can deploy GlobalProtect with this feature, or add entries to the Windows Registry or macOS plist file. For more information, see Configure Intelligent Portal.

Connect to GlobalProtect App with IPSec Only

Learn how to choose the connection option for the GlobalProtect app.
To meet Federal Government compliance regulations, you can prevent the GlobalProtect app from falling back to an SSL tunnel if the IPSec tunnel fails. If IPSec is not configured on the gateway, the GlobalProtect app stays disconnected.
The existing Connect with SSL Only feature and the new Connect with IPSec Only feature are combined under the single portal configuration setting Advanced Control for Tunnel Mode Behavior. For more information, see step 5 in Customize the GlobalProtect App.

Embedded Browser Framework Upgrade

Learn about WebView2.
Starting with GlobalProtect 6.3, the embedded browser framework for SAML authentication has been upgraded to Microsoft Edge WebView2 (Windows) and WebKit (macOS). This provides a consistent experience between the embedded browser and the GlobalProtect client. WebView2 and WebKit are also compatible with FIDO2-based authentication methods.
By default, tenants using SAML authentication are configured to utilize the embedded WebView2 (Windows) or WebKit (macOS) instead of relying on the system's default browser. With this enhancement, there's no need for end users to configure a SAML landing page, eliminating the necessity to manually close the browser. This streamlines the authentication process.
In a Microsoft Entra-joined environment with SSO enabled, users are not required to enter their credentials in order to authenticate to Prisma Access using GlobalProtect. This seamless experience holds whether the user is logging in to their environment for the first time or has logged in before. If an error occurs during authentication, it is displayed in the embedded browser. This authentication process works across all device states.
In a non-Entra-joined environment with SSO enabled, users must enter their credentials during the initial login. On subsequent logins, the credentials are auto-filled as long as the SAML identity provider (IdP) session is active and has not timed out. For more information, see CIE (SAML) Authentication using Embedded Web-view.

Support for End User Coaching

GlobalProtect 6.3.0 supports End User Coaching. End User Coaching allows you to display notifications to your users in the Access Experience User Interface when they generate an Enterprise Data Loss Prevention (E-DLP) incident. For more information, see the Enterprise DLP Administration.