Client Settings Tab
Table of Contents
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > GTP Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Device Block List
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Client Settings Tab
- NetworkGlobalProtectGateways<gateway-config>Agent<agent-config>Client Settings
Select the Client Settings tab to configure
settings for the virtual network adapter on the endpoint when the
GlobalProtect app establishes a tunnel with the gateway.
Some Client Settings options are available only after you
enable tunnel mode and define a tunnel interface on the Tunnel
Settings Tab.
GlobalProtect Gateway Client
Settings and Network Configuration | Description |
---|---|
Config Selection Criteria tab | |
Name | Enter a name to identify the client settings configuration
(up to 31 characters). The name is case-sensitive and must be unique.
Use only letters, numbers, spaces, hyphens, and underscores. |
Source User | Add the specific
users or user groups to which this configuration applies. You
must configure group mapping (DeviceUser IdentificationGroup Mapping Settings)
before you can select users and groups. To deploy this
configuration to all users, select any from
the Source User drop-down. To deploy this
configuration only to users with GlobalProtect apps in pre-logon
mode, select pre-logon from the Source
User drop-down. The client settings configuration
is deployed to users only if the user matches the criteria for Source
User, OS, AND Source Address. |
OS | To deploy this configuration based on the
operating system of the endpoint, Add an OS
(Android, Chrome, iOS, IoT, Linux, Mac, Windows, WindowsUWP).
Alternatively, you can set this value to Any so that
configuration deployment is based only on the user or user group
and not on the operating system of the endpoint. The
client settings configuration is deployed to users only if the user
matches the criteria for Source User, OS,
AND Source Address. |
Source Address | To deploy this configuration based on user
location, Add a source Region or
local IP Address (IPv4 and IPv6). To deploy
this configuration to all user locations, do not specify a Region or IP Address.
You must also leave these fields empty if your users are running
GlobalProtect app 4.0 and earlier releases, as this feature is not
supported on older GlobalProtect app releases. The Source Address match
is successful if the location of a connecting user matches either
the Region or the IP Address that
you configure. The client settings configuration
is deployed to users only if the user matches the criteria for Source
User, OS, AND Source Address. |
Authentication Override tab | |
Authentication Override | Enable the gateway to use secure, device-specific, encrypted
cookies to authenticate the user after the user first authenticates
using the authentication scheme specified by the authentication
or certificate profile.
Ensure that the gateway and portal both
use the same certificate to encrypt and decrypt cookies. |
IP Pools tab | |
Retrieve Framed-IP-Address attribute from
authentication server | Select this option to enable the GlobalProtect gateway
to assign fixed IP addresses by use of an external authentication
server. When this option is enabled, the GlobalProtect gateway allocates
the IP address for connecting to devices by using the Framed-IP-Address attribute
from the authentication server. |
Authentication Server IP Pool | Add a subnet or range
of IP addresses to assign to remote users. When the tunnel is established,
the GlobalProtect gateway allocates the IP address in this range
to connecting devices using the Framed-IP-Address attribute from
the authentication server. You can add IPv4 addresses (such as 192.168.74.0/24
and 192.168.75.1-192.168.75.100) or IPv6 addresses (such as 2001:aa::1-2001:aa::10). You
can enable and configure Authentication Server IP Pool only
if you enable Retrieve Framed-IP-Address attribute from
authentication server. The authentication
server IP pool must be large enough to support all concurrent connections.
IP address assignment is fixed and is retained after the
user disconnects. Configure multiple ranges from different subnets
to allow the system to offer clients an IP address that does not
conflict with other interfaces on the client. The servers
and routers in the networks must route the traffic for this IP pool
to the firewall. For example, for the 192.168.0.0/16 network, a
remote user can receive the address 192.168.0.10. |
IP Pool | Add a range of IP addresses
to assign to remote users. When the tunnel is established, an interface
is created on the remote user’s endpoint with an address in this
range. You can add IPv4 addresses (such as 192.168.74.0/24 and 192.168.75.1-192.168.75.100)
or IPv6 addresses (such as 2001:aa::1-2001:aa::10). To
avoid conflicts, the IP pool must be large enough to support all
concurrent connections. The gateway maintains an index of clients
and IP addresses so that the client automatically receives the same
IP address the next time it connects. Configuring multiple ranges
from different subnets allows the system to offer clients an IP address
that does not conflict with other interfaces on the client. The
servers and routers in the networks must route the traffic for this
IP pool to the firewall. For example, for the 192.168.0.0/16 network,
a remote user may be assigned the address 192.168.0.10. |
Split Tunnel tab | |
Access Route tab | |
No direct access to local network |
Use this option to enable or disable local network access on Windows,
macOS and Linux endpoints (Linux endpoints must be running
GlobalProtect app version 6.0.0 or later) when users are connected
to GlobalProtect. When this option is enabled users cannot send
traffic directly to proxies or local resources such as printers
while connected to GlobalProtect. Split tunnel traffic based on
access route, destination domain, and application still works as
expected.
This options is supported on Windows, macOS, and Linux endpoints
(Linux endpoints must be running GlobalProtect app version 6.0.0 or
later).
Enable the No
direct access to local network setting to reduce
risks in untrusted networks such as rogue Wi-Fi access
points. |
Include |
Add routes to include in the VPN tunnel. These
are the routes the gateway pushes to the remote users’ endpoint to
specify what user endpoints can send through the VPN connection.
You can include IPv6 or IPv4 subnets. On PAN-OS 8.0.2 and later
releases, up to 100 access routes can be used to include traffic in
a split tunnel gateway configuration. Unless combined with
GlobalProtect app 4.1.x or a later release, up to 1,000 access
routes can be used.
To include all destination subnets or address objects,
Include 0.0.0.0/0 and ::/0 as access
routes.
|
Exclude |
Add routes to exclude from the VPN tunnel.
These routes are sent through the physical adapter on endpoints
rather than through the virtual adapter (the tunnel).
You can define the routes you send through the VPN tunnel as routes
you include in the tunnel, routes you exclude from the tunnel, or a
combination of both. For example, you can set up split tunneling to
allow remote users to access the internet without going through the
VPN tunnel. Excluded routes should be more specific than the
included routes to avoid excluding more traffic than you intend to
exclude.
You can exclude IPv6 or IPv4 subnets. The firewall supports up to 100
exclude access routes in a split tunnel gateway configuration.
Unless combined with GlobalProtect app 4.1 and later releases, up to
200 exclude access routes can be used. You cannot exclude access
routes for endpoints running Android on Chromebooks. Only IPv4
routes are supported on Chromebooks.
If you do not enable split tunneling, every request is routed through
the tunnel (no split tunneling). In this case, each internet request
passes through the firewall and then out to the network. This method
can prevent the possibility of an external party accessing user
endpoints and gaining access to the internal network (with a user
endpoint acting as a bridge).
|
Domain and Application
tab | |
Include Domain |
Add the software as a service (SaaS) or public
cloud applications that you want to include in the VPN tunnel based
on the destination domain and port (optional). These are the
applications the gateway pushes to the remote users’ endpoint to
specify what user endpoints can send through the VPN connection.
ICMP is not included. You can add up to 200 entries to the list.
For example, add the *.office365.com domain to
allow all Office 365 traffic to go through the VPN tunnel.
You can configure a list of ports for each domain. If no ports
are configured, all ports for the specified domain are subject
to this policy.
|
Exclude Domain |
Add the software as a service (SaaS) or public
cloud applications that you want to exclude from the VPN tunnel
based on the destination domain and port (optional). These
applications are sent through the physical adapter on endpoints
rather than the virtual adapter (the tunnel). You can add up to 200
entries to the list.
For example, add the *.ringcentral.com domain
to exclude all RingCentral traffic from the VPN tunnel.
You can configure a list of ports for each domain. If no ports
are configured, all ports for the specified domain are subject
to this policy.
If you do not enable split tunneling, every request is routed through
the tunnel (no split tunneling). In this case, each Internet request
passes through the firewall and out to the network. This method can
prevent external parties from accessing user endpoints to gain
access to the internal network.
|
Include Client Application Process
Name |
Add the complete path of each application
process for which you want to include the traffic in your VPN
tunnel. These are the applications the gateway pushes to the
endpoints of remote users to specify what those user endpoints can
send through the VPN connection. You can add up to 200 entries to
the list.
For example, add
/Application/Safari.app/Contents/MacOS/Safari
to allow all Safari-based traffic to go through the VPN tunnel on
macOS endpoints.
|
Exclude Client Application Process
Name |
Add the complete path of each application
process for which you want to exclude the traffic from your VPN
tunnel. These applications are sent through the physical adapter on
endpoints rather than the virtual adapter (the tunnel). You can add
up to 200 entries to the list.
For example, to exclude traffic from the RingCentral application:
If you do not enable split tunneling, every request is routed through
the tunnel (no split tunneling). In this case, each Internet request
passes through the firewall and out to the network. This method can
prevent external parties from accessing user endpoints to gain
access to the internal network.
|
Network Services tab | |
DNS Server | Specify the IP address of the
DNS server to which the GlobalProtect app with this client setting
configuration sends DNS queries. You can add multiple DNS servers
by separating each IP address with a comma. |
DNS Suffix | Specify the DNS suffix that the endpoint
should use locally when an unqualified hostname is entered that
the endpoint cannot resolve. You can enter multiple DNS suffixes
(up to 100) by separating each suffix with a comma. |