Fixed an issue where GlobalProtect clients (versions 6.3.3-h2-6.3.3-h4) intermittently failed to honor enforcer bypass rules for FQDNs and IP addresses after the client machine woke up from sleep. This resulted in connections to bypassed URLs being blocked, including GlobalProtect's own SAML authentication requests, and required a manual restart of the PanGPS service to restore connectivity.

Fixed an issue where, on macOS GlobalProtect clients, exclude routes were not properly removed from the system routing table after a PanGPS (GlobalProtect client) crash. This occurred because the routes remained in the macOS kernel, and upon reconnection, the client's `checkExistingExRts()` function only validated the destination and netmask, not the gateway. As a result, these stale routes, pointing to an old or unreachable gateway, were marked as existing and skipped during the reconnection process, leading to a corrupted routing state and preventing correct route injection, especially after a network change.

Fixed an issue where, in the GlobalProtect app on macOS, keyboard focus did not automatically move to the required "Enter portal Address" field when a user attempted to add a new portal without entering an address. This accessibility issue impacted keyboard-dependent users.

Fixed an issue where the firewall, when configured to obtain IP addresses from a DHCP server for GlobalProtect clients, sent a MAC address of '00' to the DHCP server specifically for MacOS 26 (Tahoe) clients running GlobalProtect App versions 6.2 or 6.3, which resulted in IP address collisions on the DHCP server.

Fixed an issue where the GlobalProtect Connect Before Logon tunnel disconnected for new users on their first logon. This issue affected GP client versions 6.2.8-hx and 6.3.3-hx.

Fixed an issue where the GlobalProtect Portal welcome page, when displayed in German, incorrectly presented a button labeled 'Genau' instead of 'Zustimmen' (Accept).

Fixed an issue where GlobalProtect clients, after upgrading to versions 6.2.8-263, 6.3.3-h2, or 6.3.3-h3, would get stuck in a connecting loop and fail to connect to the portal or gateways. This occurred because the GlobalProtect app crashed when attempting to delete previous SAML user data, specifically when the user data folder path contained non-ANSI characters that the app could not convert to a UTF-16 path.

Fixed an issue where split tunneling domain exclusions on GlobalProtect App version 6.3.3-C711 for Windows clients failed to function as expected after the application disconnected and reconnected. This resulted in traffic for domains configured for exclusion being incorrectly routed through the VPN tunnel instead of directly, because the TTLMap for split tunneling domain rules was not properly cleared when the GlobalProtect App re-established its connection.

Fixed an issue where GlobalProtect clients running version 6.3.3-711 would randomly get stuck in a 'connecting' status, preventing them from establishing a successful VPN connection.

Fixed an issue where GlobalProtect HIP reports on macOS devices intermittently failed with an "Invalid client IP" error. This occurred on GlobalProtect client version 6.2.8-h4 (c317) due to a race condition where the HIP report thread sent the report during the VPN disconnect transition, causing the client to use a stale tunnel IP address instead of the physical IP address.

Fixed an issue where the GlobalProtect client on Windows machines truncated the Proxy Auto-Configuration file URL (autoConfigURL) at 104 characters when configured through the GlobalProtect Portal, preventing the full URL (up to 256 characters) from being correctly set in the Windows registry due to an insufficient internal buffer size.

Fixed an issue where GlobalProtect clients on macOS devices, specifically version 6.3.3-h2, were unable to resolve internal IPv6 domains when split tunneling was enabled and the operating system lacked native IPv6 connectivity. This occurred because the client's logic, which was designed to apply IPv6 configuration only when the OS already had native IPv6 connectivity, prevented the GlobalProtect tunnel from properly handling IPv6 traffic, resulting in "Err name not resolved" errors for internal FQDNs.

Fixed an issue where GlobalProtect portal authentication failed for some macOS users when attempting to use saved credentials. This issue, observed on GlobalProtect client versions 6.2.8 and 6.3.3, resulted in an immediate authentication failure on the client and firewall logs indicating an invalid username or password, even though the credentials were valid for other macOS clients.

Fixed an issue where the Host Information Profile (HIP) banner was not displayed on Windows 11 client machines running GlobalProtect client versions 6.2.8-h7 and 6.3.3. This occurred due to a timing or race condition where the GlobalProtect client (PanGPA) received an outdated status, preventing the visual display of HIP match or not-match notifications, even though the messages were recorded in the client logs.

Fixed an issue where GlobalProtect Client version 6.2.8 running in Windows 365 environments, would experience PanGPA getting stuck during the tunnel rename process. This prevented successful gateway authentication and registration after users closed and re-opened their Windows 365 session, leading to a pop-up message prompting users to re-authenticate.

Fixed an issue where GlobalProtect clients on macOS devices, after upgrading to version 6.2.8-h2, were unable to connect to the authentication server. This occurred because incorrect logic in the GlobalProtect Agent code prevented the Webview Process ID from syncing with the Network Extension process, causing the Network Extension to block SAML authentication traffic, resulting in a "Could not connect to the authentication server" error and a blank embedded browser during SAML authentication.

Fixed an issue where GlobalProtect clients running version 6.2.8-h1 (6.2.8-c223) experienced intermittent connection failures and disconnections, with the client agent getting stuck in a 'connecting' state even when backend logs indicated a successful connection. This occurred because, when conditional connect mode was enabled, the client attempted to impersonate a user and write On-Demand settings to the user's registry hive (HKEY_CURRENT_USER) during pre-logon. As no user was logged in at that stage, user impersonation failed, leading to incorrect registry access or failed registry operations, which caused service instability or misconfiguration.

Fixed an issue where the GlobalProtect app experienced connectivity issues after the host computer resumed from sleep mode due to a missing self-pointed route. This issue resulted in a delay of 5 to 10 minutes for the GlobalProtect connection to get stabilized.

Fixed an issue where the GlobalProtect Agent incorrectly displayed "N/A" in the "Last Scan Time" field for the Trend Micro Deep Security Agent within the Host Information Profile (HIP) report.

Fixed an issue where users from overseas locations were disconnected from GlobalProtect due to the HIP report not being sent with manual gateway selection.

Fixed an issue where GlobalProtect client 6.1.1-5 would select the incorrect Windows tile by default after locking the screen when using Single Sign-On for Smart Card PIN (Windows) with the Yubikey Smart Card Minidriver. When multiple smart cards were present, GlobalProtect incorrectly selected the last enumerated card instead of the currently active one.