Features Introduced in GlobalProtect Agent 4.0
Features Introduced in GlobalProtect Agent 4.0.5
The following table describes the new feature introduced in the GlobalProtect agent 4.0.5 release.
New GlobalProtect Feature: Description
IPsec Tunnel Mode for Windows UWP: Windows UWP endpoints now support IPsec tunnel mode.
Features Introduced in GlobalProtect Agent 4.0.3
The following table describes the new features introduced in the GlobalProtect agent 4.0.3 release.
New GlobalProtect Feature: Description
GlobalProtect Support for macOS 10.13: You can now install and use the GlobalProtect app on Mac endpoints running macOS 10.13. Support for macOS 10.13 is available with GlobalProtect app 4.0.3 or a later release. The GlobalProtect app for macOS requires you to specify an SSL/TLS Service Profile that uses TLS 1.2 in your portal and gateway configuration. For more information, see: https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/ConfigurationArticles/article-id/2223.
Enhanced Always-On VPN for Android: Always-On VPN has been enhanced to provide increased security for GlobalProtect on endpoints running Android 7.0 and later releases.
- Automatically connect at boot time: With Always-On VPN, GlobalProtect now connects at boot time instead of waiting for the user to unlock the endpoint. This takes less than 60 seconds and lets GlobalProtect apply security policies sooner, so protection is immediate and consistent.
- Lockdown mode: GlobalProtect Always-On VPN can now operate in either lockdown or non-lockdown mode (the default). In lockdown mode, network traffic is permitted only after GlobalProtect establishes a connection; this restriction persists even if GlobalProtect is disabled. In non-lockdown mode, users can access the network when GlobalProtect is disabled or disconnected. Lockdown mode is supported only for external gateway configurations; it is not supported with internal gateways or captive portals, because GlobalProtect does not permit the endpoint to connect to the network before the VPN connection is established. You configure lockdown mode from a third-party endpoint management system, such as AirWatch, that supports this option.
Resilient VPN Connection: The GlobalProtect VPN connection now provides more resiliency when network disconnects occur because of network instability or endpoint state changes, such as switching between wireless networks or switching from a wired network to a wireless network. When the connection drops, GlobalProtect can automatically retry the connection. This reduces the effort your users spend maintaining the connection and ensures immediate and consistent enforcement of security policies.
Gateway Selection Enhancement: To improve the logic the GlobalProtect agent uses to select the best gateway, the agent now places gateways assigned highest, high, or medium priority ahead of gateways assigned low or lowest priority, regardless of response time. Because lower-priority gateways are appended to the end of the candidate list, the agent first attempts to connect to the gateways you configure with a higher priority. This is useful in redundant data center deployments, where agents should prefer gateways in the primary data center (higher priority) over gateways in the backup data center (lower priority).
DNS Query Enhancement: The DNS resolution logic on Windows endpoints is now enhanced to provide better DNS performance. When the GlobalProtect VPN is connected, Windows endpoints send DNS queries to the DNS servers configured on the GlobalProtect gateway. Previously, when those servers could not resolve a query, Windows sent the query to the DNS servers configured on the physical adapter, which could result in long wait times. This feature prevents Windows from sending DNS queries to the physical adapter while the tunnel is connected. This yields better DNS performance and also means that lookups for internal names are no longer handed to the resolvers of the local network.
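The gateway ordering rule in the Gateway Selection Enhancement above can be checked against a handful of sample gateways. The following Python is an added example, not Palo Alto Networks code: gateway names, priority labels and probe times are constructed, and the ordering inside a tier (fastest probe first, priority label as tie-breaker) is an assumption the release note does not state.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Palo Alto Networks code): models the GlobalProtect 4.0.3
# gateway ordering rule. Gateway names, priorities and probe times are constructed.

# Priority labels as assigned in the portal's external gateway list.
PRIORITY_RANK = {"highest": 0, "high": 1, "medium": 2, "low": 3, "lowest": 4}
# 4.0.3 rule: these three labels form the preferred tier; low/lowest gateways
# are only tried after every preferred gateway, regardless of response time.
PREFERRED_TIER = {"highest", "high", "medium"}


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: str
    response_ms: Optional[float]  # None: the gateway did not answer the probe


def _tier(gw: Gateway) -> int:
    if gw.priority not in PRIORITY_RANK:
        raise ValueError(f"unknown priority label {gw.priority!r} on {gw.name}")
    return 0 if gw.priority in PREFERRED_TIER else 1


def rank_by_response_time(gateways: List[Gateway]) -> List[Gateway]:
    """Ordering by probe time alone, kept here for contrast with the 4.0.3 rule."""
    reachable = [g for g in gateways if g.response_ms is not None]
    return sorted(reachable, key=lambda g: (g.response_ms, PRIORITY_RANK[g.priority]))


def rank_gateways(gateways: List[Gateway]) -> List[Gateway]:
    """4.0.3 ordering: preferred tier first, low/lowest appended at the end.

    Assumption (not stated on the page): inside a tier the fastest gateway comes
    first, with the priority label breaking ties. Unreachable gateways are dropped.
    """
    reachable = [g for g in gateways if g.response_ms is not None]
    return sorted(
        reachable,
        key=lambda g: (_tier(g), g.response_ms, PRIORITY_RANK[g.priority]),
    )


def select_gateway(gateways: List[Gateway]) -> Optional[Gateway]:
    """First gateway the agent would attempt, or None if nothing answered."""
    ranked = rank_gateways(gateways)
    return ranked[0] if ranked else None


def sample_gateways() -> List[Gateway]:
    """Constructed data: a primary data center (higher priority, farther away)
    and a backup data center that happens to answer the probe faster."""
    return [
        Gateway("gw-primary-1", "high", 85.0),
        Gateway("gw-primary-2", "medium", 95.0),
        Gateway("gw-backup-1", "low", 12.0),
        Gateway("gw-backup-2", "lowest", None),  # down during the probe
    ]


if __name__ == "__main__":
    gws = sample_gateways()
    print("response time only:", [g.name for g in rank_by_response_time(gws)])
    print("4.0.3 ordering:    ", [g.name for g in rank_gateways(gws)])
    print("selected:", select_gateway(gws).name)
```

With the constructed data, ordering by response time alone would send the agent to the backup data center first; the 4.0.3 rule keeps both primary gateways ahead of it and only falls back to the low/lowest tier when no preferred gateway answers.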
Features Introduced in GlobalProtect Agent 4.0.2
The following table describes the new feature introduced in the GlobalProtect agent 4.0.2 release.
New GlobalProtect Feature: Description
Included Access Route Capacity Enhancement: In PAN-OS 8.0.2 with GlobalProtect agent 4.0.2, the firewall now supports up to 800 access routes for including traffic in a split tunnel gateway configuration on Chromebooks, and 1,000 access routes on all other endpoints. This lets you include a greater number of access routes to send over the GlobalProtect VPN tunnel than was previously available. The split tunnel exclude capacity is unchanged at 200 access routes. For upgrade and downgrade considerations for this feature, see the PAN-OS 8.0 New Features Guide.
Pre-Logon Tunnel Rename Timeout (Windows endpoints only): On a firewall running PAN-OS 8.0 with content release version 704-4052 or later, and with GlobalProtect agent 4.0.2 installed on Windows endpoints, you can now configure a Pre-Logon Tunnel Rename Timeout. This setting controls how GlobalProtect handles the pre-logon tunnel that connects an endpoint to the gateway (Network > GlobalProtect > Portals > <portal-configuration> > Agent > <agent-configuration> > App). The values you can enter are:
- -1: The pre-logon tunnel does not time out after a user logs on to the endpoint; GlobalProtect renames the tunnel to reassign it to the user. However, the tunnel persists even if the renaming fails or if the user does not log in to the GlobalProtect gateway.
- 0: When the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it, and initiates a new tunnel for the user rather than letting the user connect over the pre-logon tunnel. This setting is most useful when you set the Connect Method to Pre-logon then On-demand, which requires the user to manually initiate the connection after the initial logon.
- 1 to 600: The number of seconds the pre-logon tunnel remains active after a user logs on to the endpoint. During this time, GlobalProtect enforces policies on the pre-logon tunnel. If the user authenticates to the GlobalProtect gateway within the timeout period, GlobalProtect assigns the tunnel to the user; otherwise GlobalProtect terminates the pre-logon tunnel.
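The three Pre-Logon Tunnel Rename Timeout behaviours are easy to misread, so the following Python models them as a single decision function. It is an added example, not Palo Alto Networks code; the event timings passed in are constructed, and the `rename_fails` flag exists only to exercise the "renaming fails" clause of the -1 setting.

```python
from typing import Optional

# Added example (not Palo Alto Networks code): models the three behaviours of the
# Pre-Logon Tunnel Rename Timeout described above. Event timings are constructed.

NO_TIMEOUT = -1            # tunnel never times out; renamed to the user on gateway login
TERMINATE_AT_LOGON = 0     # tunnel torn down as soon as the user logs on to Windows
MAX_TIMEOUT_SECONDS = 600  # upper bound of the 1..600 second window


def is_valid_timeout(value: int) -> bool:
    """-1, 0 or 1..600 are the only values the setting accepts."""
    return value == NO_TIMEOUT or 0 <= value <= MAX_TIMEOUT_SECONDS


def pre_logon_tunnel_outcome(
    timeout: int,
    seconds_to_gateway_auth: Optional[int],
    rename_fails: bool = False,
) -> str:
    """What happens to the pre-logon tunnel once the user logs on to the endpoint.

    seconds_to_gateway_auth: seconds after the Windows logon at which the user
        authenticates to the GlobalProtect gateway; None if they never do.
    rename_fails: whether reassigning the tunnel to the user fails (only matters
        for the -1 setting, which keeps the tunnel up either way).

    Returns one of "renamed", "persists", "terminated_at_logon",
    "terminated_after_timeout".
    """
    if not is_valid_timeout(timeout):
        raise ValueError(f"timeout must be -1, 0 or 1..{MAX_TIMEOUT_SECONDS}, got {timeout}")

    if timeout == TERMINATE_AT_LOGON:
        # The user gets a fresh tunnel of their own; the pre-logon tunnel is gone.
        return "terminated_at_logon"

    if timeout == NO_TIMEOUT:
        if seconds_to_gateway_auth is None or rename_fails:
            # Nothing ever tears this tunnel down: it stays up under the machine identity.
            return "persists"
        return "renamed"

    # 1..600: the pre-logon tunnel stays up (with policy enforced on it) for the
    # window; the user must authenticate to the gateway inside that window.
    if seconds_to_gateway_auth is not None and seconds_to_gateway_auth <= timeout:
        return "renamed"
    return "terminated_after_timeout"


def exposure_window(timeout: int) -> Optional[int]:
    """Longest time in seconds a pre-logon tunnel can stay up after logon with no
    user authenticated to the gateway; None means unbounded (the -1 setting)."""
    if not is_valid_timeout(timeout):
        raise ValueError(f"invalid timeout {timeout}")
    return None if timeout == NO_TIMEOUT else timeout


if __name__ == "__main__":
    for setting in (-1, 0, 120):
        for auth_at in (30, 300, None):
            print(setting, auth_at, pre_logon_tunnel_outcome(setting, auth_at))
```

From a least-privilege standpoint, -1 is the widest setting: a tunnel established under the machine identity stays up indefinitely even when nobody authenticates to the gateway, whereas 0 and the 1..600 window bound that exposure.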
Features Introduced in GlobalProtect Agent 4.0.0
The following table describes the new features introduced in the GlobalProtect agent 4.0.0 release. Unless otherwise stated for a specific feature, these new features require content release version 657 or later.
New GlobalProtect Feature: Description
IPv6 for GlobalProtect: GlobalProtect endpoints and satellites can now connect to portals and gateways over IPv6. This allows connections from endpoints in IPv6-only, IPv4-only, or dual-stack (IPv4 and IPv6) environments. You can tunnel IPv4 traffic over an IPv6 tunnel, and the IP address pool can assign both IPv4 and IPv6 addresses. To use this feature, you must install a GlobalProtect subscription on each gateway that supports GlobalProtect endpoints that use IPv6 addresses.
Define Split Tunnels by Excluding Access Routes: You can now exclude traffic to specific destination IP subnets from the VPN tunnel. With this feature, you can send latency-sensitive or high-bandwidth traffic outside the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway. Excluded traffic is not inspected by the gateway, so limit exclusions to destinations you trust.
External Gateway Priority by Source Region: GlobalProtect can now use the geographic region of the endpoint to determine the best external gateway. By including the source region in the external gateway selection logic, you can ensure that users connect to the gateways preferred for their current region. This avoids distant connections caused by momentary fluctuations in network latency. You can also use this feature to keep all connections within a region when necessary.
Internal Gateway Selection by Source IP Address: GlobalProtect can now restrict the choice of internal gateway based on the source IP address of the endpoint. In a distributed enterprise, this feature lets users at a branch authenticate and send HIP reports to the firewall configured as the internal gateway for that branch, rather than authenticating and sending HIP reports to the internal gateways at all branches.
GlobalProtect Agent Login Enhancement: To simplify the GlobalProtect agent and prevent unnecessary login prompts when a username and password are not required, the panel that showed portal, username, and password is now split into two screens (one for the portal address and one for the username and password). The agent now prompts for a username and password only when they are required, and automatically hides that screen for authentication types, such as cookie or client certificate authentication, that do not need them.
Authentication Policy and Multi-Factor Authentication for GlobalProtect: You can use the new Authentication Policy and Multi-Factor Authentication enhancements with GlobalProtect to support access to non-HTTP applications that require multi-factor authentication. GlobalProtect can now notify and prompt the user to complete the multi-factor authentication needed to access sensitive network resources.
SAML 2.0 Authentication for GlobalProtect: GlobalProtect portals, gateways, and agents now support Security Assertion Markup Language (SAML) 2.0 authentication. If you configure SAML as your authentication method, GlobalProtect portals and gateways act as SAML service providers and GlobalProtect agents authenticate users directly to the SAML identity provider.
Restrict Transparent Agent Upgrades to Internal Network Connections: You can now control when transparent upgrades of the GlobalProtect agent occur. With this configuration, if the user connects from outside the corporate network, the upgrade is postponed; when the user later connects from within the corporate network, the upgrade proceeds. This lets you hold updates until users have a reliable, high-bandwidth connection from within the corporate network, so upgrades do not hinder users who travel to low-bandwidth environments.
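The split-tunnel include routes (Define Split Tunnels by Excluding Access Routes, 4.0.0) and the include/exclude capacity figures (Included Access Route Capacity Enhancement, 4.0.2) together decide which destinations an endpoint sends through the tunnel. The following Python is an added example, not Palo Alto Networks code: it models that per-destination decision and checks a route list against the 1,000/800/200 limits. Route lists and destinations are constructed; two details the release notes do not state are marked as assumptions in the code (an empty include list means full tunnel, and the more specific prefix wins when an include and an exclude route both match).

```python
import ipaddress
from typing import Iterable, List, Union

# Added example (not Palo Alto Networks code): models how an endpoint applies the
# include (4.0.0) and exclude access routes described above, and checks route counts
# against the 4.0.2 capacity limits. Route lists and destinations are constructed.

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

INCLUDE_ROUTE_LIMIT = 1000            # PAN-OS 8.0.2 / agent 4.0.2, all other endpoints
INCLUDE_ROUTE_LIMIT_CHROMEBOOK = 800  # PAN-OS 8.0.2 / agent 4.0.2, Chromebooks
EXCLUDE_ROUTE_LIMIT = 200


def check_route_capacity(include: Iterable[str], exclude: Iterable[str],
                         chromebook: bool = False) -> List[str]:
    """Returns a list of capacity violations; empty means the configuration fits."""
    include_limit = INCLUDE_ROUTE_LIMIT_CHROMEBOOK if chromebook else INCLUDE_ROUTE_LIMIT
    n_inc, n_exc = len(list(include)), len(list(exclude))
    problems = []
    if n_inc > include_limit:
        problems.append(f"{n_inc} include routes exceeds limit of {include_limit}")
    if n_exc > EXCLUDE_ROUTE_LIMIT:
        problems.append(f"{n_exc} exclude routes exceeds limit of {EXCLUDE_ROUTE_LIMIT}")
    return problems


class SplitTunnel:
    """Decides, per destination address, whether traffic enters the tunnel.

    Assumptions not stated on the page: with no include routes the tunnel takes
    all traffic (full tunnel), and when an include and an exclude route both
    match, the more specific prefix wins, as it would in a host routing table.
    """

    def __init__(self, include: Iterable[str], exclude: Iterable[str]):
        self.include: List[Network] = [ipaddress.ip_network(r, strict=False) for r in include]
        self.exclude: List[Network] = [ipaddress.ip_network(r, strict=False) for r in exclude]

    def goes_through_tunnel(self, destination: str) -> bool:
        addr = ipaddress.ip_address(destination)
        # Default when nothing matches: tunnelled only if no include routes exist.
        best_len, via_tunnel = -1, not self.include
        for routes, tunnelled in ((self.include, True), (self.exclude, False)):
            for net in routes:
                # 'in' is False across address families, so v4/v6 never cross-match.
                if addr in net and net.prefixlen > best_len:
                    best_len, via_tunnel = net.prefixlen, tunnelled
        return via_tunnel

    def bypassing(self, destinations: Iterable[str]) -> List[str]:
        """Destinations that skip the gateway's inspection and policy enforcement."""
        return [d for d in destinations if not self.goes_through_tunnel(d)]


if __name__ == "__main__":
    # Constructed config: two internal ranges included, a video subnet inside
    # one of them and a public SaaS range excluded.
    st = SplitTunnel(["10.0.0.0/8", "192.168.0.0/16"], ["10.10.50.0/24", "203.0.113.0/24"])
    for dst in ("10.1.2.3", "10.10.50.7", "203.0.113.9", "8.8.8.8"):
        print(dst, "tunnel" if st.goes_through_tunnel(dst) else "direct")
    print(check_route_capacity(["10.0.0.0/8"] * 801, [], chromebook=True))
```

Anything `bypassing` returns is traffic the gateway never sees, which is the trade-off the exclude feature makes explicit; a review of the exclude list against that output is a reasonable pre-deployment check, and the capacity check catches configurations that fit a desktop fleet but not Chromebooks.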