The following new features are introduced in GlobalProtect app 6.3.1.
Traffic Enforcement with Forwarding Profiles
Enable traffic enforcement to block outgoing connections.
When the GlobalProtect app is deployed in proxy mode, you can block outbound UDP and
IPv6 traffic from endpoints and customize the block actions. Traffic that does not pass
through the explicit proxy, such as UDP-based protocols, is not inspected by it, so
blocking UDP and IPv6 on the endpoint closes those bypass paths. This option is
available only if you have Prisma Access managed by Strata Cloud Manager and
GlobalProtect app 6.3.1. For more information, see Prisma Access Explicit Forwarding
Profiles.
Intelligent Internal Host Detection
Information about the new parameter, Enable Intelligent Internal Host Detection.
GlobalProtect 6.3.1 and later releases include the Enable Intelligent Internal Host
Detection parameter. This feature applies when the GlobalProtect app is used in internal
host detection mode for User-ID while a third-party VPN client provides access to
private applications. If internal host detection runs before the third-party VPN
establishes its tunnel, the app cannot reach the internal host and the User-ID mapping
fails. With Enable Intelligent Internal Host Detection, the GlobalProtect app
re-triggers network discovery until internal host detection succeeds, so detection
works even when a third-party VPN agent is present.
Best Gateway Selection Criteria
GlobalProtect uses network discovery to select the best available gateway when several
gateways are configured. The app attempts to communicate with every gateway and uses
criteria such as gateway priority, load, and response time to decide which gateway to
connect to. Suboptimal endpoint conditions, such as a heavily loaded or high-CPU
endpoint, can inflate the measured response time and lead to an incorrect gateway
selection.
The Best Gateway Selection Criteria feature makes network discovery resilient to those
endpoint conditions, so the app reliably selects the best available gateway even on a
struggling endpoint.
You can now configure the best gateway selection criteria in the app settings of the
GlobalProtect portal configuration; the setting applies when end users connect from an
external network.
When the end user connects from an external network, the GlobalProtect app first
attempts to reach the external gateways listed in its client configuration, then
connects to the gateway with the highest priority and shortest response time.
Previously, the app measured the time taken to establish an external gateway connection
as the time taken to complete a TLS handshake. That measurement includes client-side
cryptographic work, so it is sensitive to endpoint CPU load.
With this feature, you can instead have the app use the time taken to complete a TCP
connection as the external gateway measurement. When you set the Best Gateway Selection
Criteria option to Response Time in the app settings of the portal configuration, the
app uses the duration of the TCP handshake to measure the time taken to establish an
external gateway connection.
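The following Python is an added example, not GlobalProtect code. It models the selection rule described above: rank reachable gateways by priority first and by measured response time second, and measure response time as the TCP three-way handshake only, so no TLS work (and no client-side crypto) enters the measurement. The priority labels, the simple priority-then-latency tie-break, and the example.net hostnames are assumptions; the real app's tie-breaking may differ.

```python
import socket
import time
from typing import Callable, Optional

# Assumed ordering of priority labels (lower rank is preferred).
PRIORITY_RANK = {"highest": 0, "high": 1, "medium": 2, "low": 3, "lowest": 4}

Probe = Callable[[str, int], Optional[float]]


def tcp_connect_time(host: str, port: int, timeout: float = 3.0) -> Optional[float]:
    """Time the TCP handshake to host:port in seconds; None if the connect fails.

    The socket is closed as soon as it connects, so no TLS exchange is included
    in the measurement. That is what makes it insensitive to endpoint CPU load.
    """
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.perf_counter() - start
    except OSError:
        return None


def rank_gateways(gateways, probe: Probe = tcp_connect_time):
    """Rank (name, host, port, priority) entries; unreachable gateways are dropped.

    Sort key is (priority rank, response time): a reachable higher-priority
    gateway always beats a faster lower-priority one.
    """
    measured = []
    for name, host, port, priority in gateways:
        rtt = probe(host, port)
        if rtt is None:  # connect failed: not a candidate
            continue
        measured.append((PRIORITY_RANK[priority], rtt, name))
    measured.sort()
    return [(name, rtt) for _, rtt, name in measured]


def best_gateway(gateways, probe: Probe = tcp_connect_time) -> Optional[str]:
    ranked = rank_gateways(gateways, probe)
    return ranked[0][0] if ranked else None


def probe_local_listener():
    """Offline self-check: time a connect to a loopback listener, then to the
    same port after the listener is closed. Expect (float, None)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_rtt = tcp_connect_time("127.0.0.1", port)
    srv.close()
    closed_rtt = tcp_connect_time("127.0.0.1", port)
    return open_rtt, closed_rtt


# Constructed gateway list; the hosts are placeholders, not real gateways.
GATEWAYS = [
    ("gw-east", "gw-east.example.net", 443, "high"),
    ("gw-west", "gw-west.example.net", 443, "high"),
    ("gw-backup", "gw-backup.example.net", 443, "medium"),
    ("gw-down", "gw-down.example.net", 443, "highest"),
]

# Constructed measurements standing in for live probes (seconds; None = unreachable).
FAKE_RTT = {
    "gw-east.example.net": 0.050,
    "gw-west.example.net": 0.020,
    "gw-backup.example.net": 0.010,
    "gw-down.example.net": None,
}

if __name__ == "__main__":
    print(rank_gateways(GATEWAYS, probe=lambda h, p: FAKE_RTT[h]))
    print(best_gateway(GATEWAYS, probe=lambda h, p: FAKE_RTT[h]))  # gw-west
    print(probe_local_listener())
```

With the constructed measurements, gw-west wins: the unreachable highest-priority gateway is skipped, and gw-backup is faster but lower priority, so it is ranked last.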
Wildcard Support for Split Tunnel Settings Based on the Application
You can use the wildcard character (*) in the endpoint application path when you
configure application-based split tunneling, for both the exclude and the include list.
Each list accepts up to 200 entries for traffic to exclude from or include in the VPN
tunnel.
When an application path in the exclude or include list contains a wildcard, the entry
keeps matching that application even when its installation path changes (for example,
into a new version-numbered directory) after a software or patch update, so the
split-tunnel decision for that application does not silently break.
For example, when you apply a wildcard to the path of a third-party application such as
Symantec Web Security Service (WSS) or Microsoft Teams, you don't need to manually
update the exclude list in the split-tunnel configuration each time the application's
path changes after a software update.
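The following Python is an added example, not GlobalProtect code. It shows how a wildcard entry such as C:\Users\*\AppData\Local\Microsoft\Teams\*\Teams.exe continues to match after an update moves the executable into a new version directory, and enforces the 200-entry limit per list. The matching rules (case-insensitive, * spans path separators, exclude checked before include) and the sample paths are assumptions, not the app's documented semantics.

```python
import re
from typing import Iterable, Pattern

MAX_ENTRIES = 200  # per-list limit stated in the release note


def wildcard_to_regex(pattern: str) -> Pattern:
    """Compile a path pattern in which '*' matches any run of characters."""
    normalized = pattern.replace("\\", "/")  # accept either separator style
    pieces = [re.escape(piece) for piece in normalized.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


class SplitTunnelAppList:
    """Exclude/include lists for application-based split tunneling."""

    def __init__(self, exclude: Iterable[str] = (), include: Iterable[str] = ()):
        exclude, include = list(exclude), list(include)
        for name, entries in (("exclude", exclude), ("include", include)):
            if len(entries) > MAX_ENTRIES:
                raise ValueError(f"{name} list has {len(entries)} entries; "
                                 f"limit is {MAX_ENTRIES}")
        self._exclude = [wildcard_to_regex(p) for p in exclude]
        self._include = [wildcard_to_regex(p) for p in include]

    def decision(self, exe_path: str) -> str:
        """'bypass' (outside the tunnel), 'tunnel', or 'default' (no app rule).

        Assumption: an exclude match wins over an include match.
        """
        path = exe_path.replace("\\", "/")
        if any(r.match(path) for r in self._exclude):
            return "bypass"
        if any(r.match(path) for r in self._include):
            return "tunnel"
        return "default"


# Constructed sample lists (hypothetical paths, for illustration only).
EXCLUDE = [
    r"C:\Users\*\AppData\Local\Microsoft\Teams\*\Teams.exe",
    r"C:\Program Files\Example Vendor\Agent\*\agent.exe",
]
INCLUDE = [r"C:\Program Files\Internal Tools\*.exe"]
APP_LIST = SplitTunnelAppList(exclude=EXCLUDE, include=INCLUDE)

if __name__ == "__main__":
    for exe in (
        r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        r"C:\Users\alice\AppData\Local\Microsoft\Teams\1.6.00.22378\Teams.exe",
        r"C:\Program Files\Internal Tools\ticket-client.exe",
        r"C:\Program Files\Git\bin\git.exe",
    ):
        print(f"{APP_LIST.decision(exe):8} {exe}")
```

Both Teams paths (the pre-update "current" directory and a post-update version directory) resolve to bypass from the same entry; the Git binary matches nothing and falls through to the default route handling.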
Enhancements for Authentication Using Smart Cards
Enhancements for Authentication Using Smart Cards on macOS Endpoints
The smart card authentication enhancements are now extended to endpoints running
macOS.
When you configure smart card authentication for end users of the GlobalProtect app and
the configured smart card is not available, user authentication now falls back to any
other username and password authentication method that you have configured for the
app.
The smart card authentication fallback happens only if you selected the Allow
Authentication with User Credentials OR Client Certificate option when configuring the
GlobalProtect gateway and portal. This option defines whether users can authenticate
to the portal or gateway using credentials and/or client certificates.
Enhancements for Authentication Using Smart Cards on Windows
Endpoints
You can predeploy the customized Windows Registry key values for the profile options
<PIV> and <NO PIV>.
Improvements for Multi Authentication CIE Experience
When CIE (SAML) multi-authentication is configured as the authentication method for the
GlobalProtect app, end users no longer need to enter their single sign-on (SSO)
credentials when they authenticate to the app.
You can now predeploy the registry key CASSKIPHUBPAGE (path:
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings) on Windows
endpoints to enable this feature.
After you enable this feature, end users are not prompted to enter their SAML
credentials while authenticating to the app through either the embedded browser or the
default browser. This feature is supported only on Windows platforms.
Features Introduced in GlobalProtect App 6.3.0
The following new features are introduced in GlobalProtect app 6.3.0.
Enhanced HIP Remediation Process Improvements
You can now configure the GlobalProtect app to rerun the HIP remediation script whenever
the endpoint fails the process check after the configured HIP remediation process has
run.
When the process check still fails once the HIP remediation timeout period has elapsed,
the app reruns the remediation script to help the endpoint recover from the HIP check
failure. The number of reruns is governed by the HIP Process Remediation Retry count
you configure in the app settings of the GlobalProtect portal. When this feature is
enabled, the app resubmits the HIP report only after it has rerun the HIP remediation
script in response to the HIP check failure.
For example, if you configure a retry count of 3 and a remediation timeout of 5 minutes
in the portal configuration, then each time the endpoint fails the process check after
remediation, the app reruns the script up to three times, waiting up to 5 minutes for
the process check after each run, before it submits the HIP report.
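The following Python is an added example, not GlobalProtect code. It models the retry behaviour described above so the timing is explicit: after each remediation run the process check is polled until it passes or the remediation timeout expires, a failed check triggers a rerun up to the retry count, and the HIP report is submitted only when the check passes or the reruns are exhausted. Two assumptions are made: the retry count is the number of reruns after the first run (so retry count 3 means at most four runs), and the timeout applies to each run. The simulated clock, poll interval and process names are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class HipRemediationOutcome:
    compliant: bool        # did the process check eventually pass
    script_runs: int       # total remediation script executions
    elapsed_s: float       # time spent before the HIP report is submitted
    report_submitted: bool


def remediate_and_report(run_script: Callable[[], None],
                         process_running: Callable[[], bool],
                         retry_count: int = 3,
                         timeout_s: float = 300.0,
                         poll_s: float = 5.0,
                         clock: Callable[[], float] = time.monotonic,
                         sleep: Callable[[float], None] = time.sleep) -> HipRemediationOutcome:
    """Run remediation, poll the process check, rerun on failure, then report."""
    start = clock()
    runs = 0
    while runs < 1 + retry_count:        # assumption: retry_count = reruns after the first run
        run_script()
        runs += 1
        deadline = clock() + timeout_s   # assumption: timeout applies per run
        while clock() < deadline:
            if process_running():
                # Check passed: submit the HIP report immediately.
                return HipRemediationOutcome(True, runs, clock() - start, True)
            sleep(poll_s)
    # Reruns exhausted: the report is submitted now and shows the endpoint non-compliant.
    return HipRemediationOutcome(False, runs, clock() - start, True)


def simulate(ready_after_runs: int, retry_count: int = 3,
             timeout_s: float = 300.0, poll_s: float = 5.0) -> HipRemediationOutcome:
    """Drive remediate_and_report with a simulated clock so it completes instantly.

    The constructed process is considered running only once the script has run
    ready_after_runs times (use a large number for 'never recovers').
    """
    state = {"now": 0.0, "runs": 0}

    def clock() -> float:
        return state["now"]

    def sleep(seconds: float) -> None:
        state["now"] += seconds

    def run_script() -> None:
        state["runs"] += 1

    def process_running() -> bool:
        return state["runs"] >= ready_after_runs

    return remediate_and_report(run_script, process_running, retry_count,
                                timeout_s, poll_s, clock, sleep)


if __name__ == "__main__":
    print(simulate(ready_after_runs=2))   # recovers on the first rerun after 300 s
    print(simulate(ready_after_runs=99))  # never recovers: 4 runs, report after 1200 s
```

The second simulation shows the cost of the setting: with a retry count of 3 and a 5-minute timeout, an endpoint that never recovers submits its failing HIP report only after about 20 minutes, which is the window during which it is neither reported compliant nor reported non-compliant.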
Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts
Previously, when ActivClient software was installed on the endpoint and Connect Before
Logon (CBL) was configured for the GlobalProtect app, end users were prompted to enter
the smart card PIN multiple times while connecting using CBL.
This enhancement removes the repeated smart card PIN prompts from the Windows identity
provider and ActivClient when the GlobalProtect app connects with a smart card on an
endpoint that has ActivClient installed. The app now prompts the user for the PIN only
once, and that prompt comes from the ActivClient software.
Enhancements for Authentication Using Smart Cards-Authentication Fallback
When you configure smart card authentication for end users of the GlobalProtect app and
the configured smart card is not available, user authentication now falls back to any
other username and password authentication method that you have configured for the
app.
The smart card authentication fallback happens only if you selected the Allow
Authentication with User Credentials OR Client Certificate option when configuring the
GlobalProtect gateway and portal. This option defines whether users can authenticate
to the portal or gateway using credentials and/or client certificates. Because the
fallback lets a user authenticate with credentials alone whenever no smart card is
present, select the OR option only where password-based authentication to the portal
and gateway is acceptable; with it selected, the smart card requirement is not enforced
when the card is absent.
Intelligent Portal
Learn how to get routed to the appropriate Prisma Access portal based on your
location.
Corporate users travel between countries for work. The intelligent portal selection
feature automatically selects the appropriate portal as a user moves between countries,
for seamless and secure connectivity. After you configure intelligent portal in your
environment, users are routed to the appropriate Prisma Access portal based on their
country. For example, a user who travels to China is directed to the China Prisma
Access portal, and to the North America portal when in the United States. This removes
the need to select portals manually and improves the end user experience.
The intelligent portal feature is supported for the Always-On and Always-On (Pre-logon)
connect methods. It is supported for Connect Before Logon only if no portal addresses
are defined.
You can enable this feature when you deploy GlobalProtect, or afterwards by adding
entries to the Windows Registry or the macOS plist file. For more information, see
Configure Intelligent Portal.
Connect to GlobalProtect App with IPSec Only
Learn how to choose the connection option for the GlobalProtect app.
To meet Federal Government compliance requirements, you can prevent the GlobalProtect
app from falling back to an SSL tunnel when the IPSec tunnel fails. If IPSec is not
configured on the gateway, the app stays disconnected rather than connecting over SSL,
so a tunnel-type downgrade cannot happen silently.
The existing Connect with SSL Only option and the new Connect with IPSec Only option are
combined under a single portal configuration setting, Advanced Control for Tunnel Mode
Behavior. For more information, see step 5 in Customize the GlobalProtect App.
Embedded Browser Framework Upgrade
Learn about WebView2.
Starting with GlobalProtect 6.3, the embedded browser framework for SAML authentication
has been upgraded to Microsoft Edge WebView2 (Windows) and WebKit (macOS). This provides
a consistent experience between the embedded browser and the GlobalProtect client.
WebView2 and WebKit are also compatible with FIDO2-based authentication methods.
By default, tenants using SAML authentication are configured to use the embedded
WebView2 (Windows) or WebKit (macOS) browser instead of the system's default browser.
With this enhancement, end users no longer need to configure a SAML landing page or
manually close the browser, which streamlines the authentication process.
In a Microsoft Entra joined environment with SSO enabled, users are not required to
enter their credentials to authenticate to Prisma Access using GlobalProtect, whether
they are logging in to their environment for the first time or have logged in before.
If an error occurs during authentication, it is displayed in the embedded browser. This
authentication process works across all device states.
In an environment that is not Entra joined but has SSO enabled, users must enter their
credentials during the initial login. On subsequent logins, the credentials are
auto-filled as long as the SAML identity provider (IdP) session is active and has not
timed out. For more information, see CIE (SAML) Authentication using Embedded
Web-view.
Support for End User Coaching
GlobalProtect 6.3.0 supports End User Coaching. End User Coaching allows you to display
notifications to your users in the Access Experience User Interface when they generate
an Enterprise Data Loss Prevention (E-DLP) incident. For more information, see the Enterprise DLP Administration.