New GlobalProtect Features
IPv6 for GlobalProtect
GlobalProtect clients and satellites can now connect to portals and gateways using IPv6. This feature allows connections from clients that are in IPv6-only environments, IPv4-only environments, or dual-stack (IPv4 and IPv6) environments. You can tunnel IPv4 traffic over an IPv6 tunnel, and the IP address pool can assign both IPv4 and IPv6 addresses. To use this feature, you must install a GlobalProtect subscription on each gateway that supports GlobalProtect clients that use IPv6 addresses.
Define Split Tunnels by Excluding Access Routes
You can now exclude traffic destined for specific IP subnets from being sent over the VPN tunnel. With this feature, you can send latency-sensitive or high-bandwidth-consuming traffic outside of the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway.
External Gateway Priority by Source Region
GlobalProtect can now use the geographic region of the GlobalProtect client to determine the best external gateway. By including source region as part of the external gateway selection logic, you can ensure that users connect to gateways that are preferred for their current region. This can help avoid distant connections when there are momentary fluctuations of network latency. This can also be used to ensure all connections stay within a region if desired.
Internal Gateway Selection by Source IP Address
GlobalProtect can now restrict internal gateway connection choices based on the source IP address of the client. In a distributed enterprise, this feature allows users from a branch to authenticate and send HIP reports only to the firewall configured as the internal gateway for that branch, as opposed to authenticating and sending HIP reports to the internal gateways of all branches.
GlobalProtect Agent Login Enhancement
To simplify GlobalProtect agents and prevent unnecessary login prompts when a username and password are not required, the panel that showed portal, username, and password is now split into two screens (one screen for the portal address and another screen for username and password). The GlobalProtect agent now displays login prompts for username and password only if this information is required. GlobalProtect automatically hides the username and password screen for authentication types—such as cookie or client certificate authentication—that do not require a username and password.
Authentication Policy and Multi-Factor Authentication for GlobalProtect
You can leverage the new Authentication Policy and Multi-Factor Authentication enhancements within GlobalProtect to support access to non-HTTP applications that require multi-factor authentication. GlobalProtect can now notify and prompt the user to perform the timely, multi-factor authentication needed to access sensitive network resources.
SAML 2.0 Authentication for GlobalProtect
GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication. If you have chosen SAML as your authentication standard, GlobalProtect portals and gateways can act as Security Assertion Markup Language (SAML) 2.0 service providers and GlobalProtect clients can authenticate users directly to the SAML identity provider.
Restrict Transparent Agent Upgrades to Internal Network Connections
You can now control when transparent upgrades occur for a GlobalProtect client. With this configuration, if the user connects from outside the corporate network, the upgrade is postponed. Later, when the user connects from within the corporate network, the upgrade is activated. This feature allows you to hold the updates until users can take advantage of good network availability and high bandwidth from within the corporate network. The upgrades will not hinder users when they travel to environments with low bandwidth.
AirWatch MDM Integration
The PAN-OS Windows User-ID agent has been extended to support a new AirWatch MDM Integration service. This service acts as a replacement for the GlobalProtect Mobile Security Manager and enables GlobalProtect to use the host information collected by the service to enforce HIP-based policies on devices managed by VMware AirWatch. Running as part of the PAN-OS Windows User-ID agent, the AirWatch MDM integration service uses the AirWatch API to collect information from mobile devices (including Android and iOS) that are managed by AirWatch and translates this data into host information.
Increased Capacity for Split Tunnel Include Access Routes
(PAN-OS 8.0.2 and later releases)
The firewall now supports up to 800 access routes used to include traffic in a split tunnel gateway configuration on Chromebooks and up to 1000 access routes on all other endpoints. This enables you to include a greater number of routes in the traffic sent over the GlobalProtect VPN tunnel than was previously available. Note that the exclude tunnel capacity remains the same at 200 access routes. For upgrade and downgrade considerations for this feature, see the PAN-OS 8.0 New Features Guide.
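As an added illustration of the split-tunnel include/exclude behaviour and the route-count limits described in this section and in "Define Split Tunnels by Excluding Access Routes" (example code written here, not Palo Alto Networks' own implementation or CLI), the following checks a candidate access-route list against the 800/1000 include and 200 exclude limits and models which destinations enter the tunnel. It assumes that the most specific matching prefix wins and that an empty include list means all traffic is tunneled; neither rule is stated on the page.

```python
import ipaddress

# Limits stated in the PAN-OS 8.0.2 release notes above.
INCLUDE_LIMIT = {"chromebook": 800, "other": 1000}
EXCLUDE_LIMIT = 200


def validate_split_tunnel(include, exclude, endpoint="other"):
    """Return a list of problems; an empty list means the config fits the limits."""
    problems = []
    if len(include) > INCLUDE_LIMIT[endpoint]:
        problems.append(f"{len(include)} include routes exceed {INCLUDE_LIMIT[endpoint]} for {endpoint}")
    if len(exclude) > EXCLUDE_LIMIT:
        problems.append(f"{len(exclude)} exclude routes exceed {EXCLUDE_LIMIT}")
    for route in include + exclude:
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.0.1.0/8
            ipaddress.ip_network(route, strict=True)
        except ValueError as err:
            problems.append(f"bad route {route!r}: {err}")
    return problems


def is_tunneled(dst, include, exclude):
    """Decide whether traffic to dst enters the VPN tunnel.

    Assumption (not on the page): the most specific matching prefix wins, so an
    exclude route nested inside an include route carves that subnet out of the
    tunnel. With no include routes at all, everything not excluded is tunneled.
    """
    ip = ipaddress.ip_address(dst)
    candidates = [(r, True) for r in include] + [(r, False) for r in exclude]
    best = None  # (prefix length, tunneled?)
    for route, tunneled in candidates:
        net = ipaddress.ip_network(route, strict=False)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, tunneled)
    if best is not None:
        return best[1]
    return not include  # default: full tunnel only when no include routes exist


# Constructed sample config: tunnel the corporate ranges (IPv4 and IPv6),
# but send a latency-sensitive subnet and a SaaS range directly.
INCLUDE = ["10.0.0.0/8", "2001:db8::/32"]
EXCLUDE = ["10.10.0.0/16", "203.0.113.0/24"]

if __name__ == "__main__":
    print(validate_split_tunnel(INCLUDE, EXCLUDE))        # []
    print(is_tunneled("10.20.1.5", INCLUDE, EXCLUDE))     # True
    print(is_tunneled("10.10.4.9", INCLUDE, EXCLUDE))     # False
```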