GlobalProtect Clientless VPN: Now With Expanded Access to Applications

GlobalProtect Clientless VPN is now GA in PAN-OS 8.0.4

One of the core preventive measures of our Next-Generation Security Platform comes from the role that the network plays in delivering protection. By placing security controls in the network, your organization can stop threats from reaching the user and control who has access to applications.

GlobalProtect Clientless VPN, initially realeased in beta in PAN-OS 8.0, is now GA with the release of PAN-OS 8.0.4, allows organizations to deploy GlobalProtect to a broader set of user communities, providing access to applications in situations where the GlobalProtect app isn’t installed. Now users can access applications in the cloud or data center with virtually any current browser. This makes it possible to support application access on endpoints that may have locked down configurations (such as machines where users do not have admin rights) or hardened configurations like a kiosk.

The traffic for accessing the application passes through the next-generation firewall, allowing organizations to set up User-ID policies to control who can access the application, along with the content inspection capabilities for stopping threats in traffic. You can use file blocking policies to control file blocking functionality when accessing internal applications on non-trusted endpoints.


Clientless VPN allows users to access applications in the data center or the cloud. Traditionally, organizations tried to address various use cases with a mix of remote access VPN, cloud access products and network security appliances in a non-integrated manner. GlobalProtect takes the approach of delivering Clientless VPN through the Palo Alto Networks Next-Generation Security Platform, providing better security with a streamlined user experience.

Organizations have a variety of user populations, and many of them are not using corporate assets. The BYOD trend, for example, leads to use cases where employees own the device but use it with business applications. Contractors have similar needs; some may be using laptops managed by another organization, and some may not be managed at all. You can use Clientless VPN as a complement to your BYOD strategy to increase your options for supporting access on personally owned devices. For example, your organization may choose to support BYOD in two ways: for managed personally owned devices, use integration with MobileIron, AirWatch and Microsoft InTune to deploy the GlobalProtect app in Per-App VPN configurations. In scenarios where the GlobalProtect app cannot be used, provide access to applications using Clientless VPN.

If you want to learn more about these capabilities: