In addition to route-based split tunnel policy, GlobalProtect™ now supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application. This feature works on Windows and macOS endpoints and enables you to:

GlobalProtect endpoints running macOS 10.10 and later releases now support Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. Kerberos SSO, which is primarily intended for internal gateway deployments, provides accurate User-ID™ information without user interaction and helps enforce user and HIP policies.

GlobalProtect now supports SAML single sign-on (SSO) for Chrome OS. If you configure SAML as the authentication standard for Chromebooks, users can authenticate to GlobalProtect by leveraging the same login they use to access the Chromebook applications. This allows users to connect to GlobalProtect without having to re-enter their credentials in the GlobalProtect app. With SSO enabled (default), Google acts as the SAML service provider while the GlobalProtect app authenticates users directly to your organization’s SAML identity provider.

The GlobalProtect credential provider logon screen on Windows 7 and Windows 10 endpoints now displays the pre-logon connection status when you configure pre-logon for remote users. The pre-logon connection status indicates the state of the pre-logon VPN connection prior to user logon. By providing more visibility on the pre-logon connection status, this feature allows end-users to determine whether they will be able to access network resources upon logon, which prevents them from logging in prematurely before the connection establishes and network resource become available.

If the GlobalProtect app determines that an endpoint is internal (connected to the corporate network), the logon screen displays the GlobalProtect connection status as Internal. If the GlobalProtect app determines that an endpoint is external (connected to a remote network), the logon screen displays the GlobalProtect connection status as Connected or Not Connected.

End users can now change their Active Directory (AD) password using the GlobalProtect credential provider on Windows 10 endpoints. This enhancement improves the single sign-on (SSO) experience by allowing users to update their AD password and access resources that are secured by GlobalProtect using the GlobalProtect credential provider. Users can change their AD password using the GlobalProtect credential provider only when their AD password expires or an administrator requires a password change at the next login.

Remote users can now change their RADIUS or Active Directory (AD) password through the GlobalProtect app when their password expires or a RADIUS/AD administrator requires a password change at the next login. With this feature, users can change their RADIUS or AD password when they are unable to access the corporate network locally and their only option is to connect remotely using RADIUS authentication. This feature is enabled only when the user authenticates with a RADIUS server using the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).

GlobalProtect is now integrated with OPSWAT SDK V4 to detect and assess the endpoint state and the third-party security applications running on the endpoint. OPSWAT is a security tool leveraged by the Host Information Profile (HIP) to collect information about the security status of your endpoints. GlobalProtect uses this information for policy enforcement on the GlobalProtect gateway.

This integration follows the end-of-life (EoL) announcement for OPSWAT SDK V3, which is the OPSWAT SDK version supported by GlobalProtect in PAN-OS 8.0 and earlier releases.

The new GlobalProtect app for Linux now extends User-ID and security policy enforcement to users on Linux endpoints. The GlobalProtect app provides a command-line interface and functions as an SSL or IPSec VPN client. The GlobalProtect app supports common GlobalProtect features and authentication methods, including certificate and two-factor authentication and both user-logon and on-demand connect methods. The app can also perform internal host detection to determine whether the Linux endpoint is on the internal network and collects host information (such as operating system and operating system version, domain, hostname, host ID, and network interface). Using this information, you can allow or deny access to a specific Linux endpoint based on the adherence of that endpoint to the host policies you define.

The GlobalProtect app for Linux is available for the Linux distribution of Ubuntu 14.04, RHEL 7.0, and CentOS 7.0 (and later releases of each) and requires a GlobalProtect subscription.

You can now configure GlobalProtect to preserve the existing VPN tunnel when users log out of their endpoint. With this enhancement, you can specify the amount of time for which the GlobalProtect session remains active during user logout.