New Features in GlobalProtect App 5.1

Community Team Member

GlobalProtect  5.1 Product Enhancements.pngGlobalProtect 5.1 Product Enhancements

Palo Alto Networks releases new features in GlobalProtect app 5.1 that include several content release versions. See what's new and how it can help to keep your network secure. Got questions? Get answers on LIVEcommunity!

 

GlobalProtect app 5.1 introduces new features

 

Software Support: Starting with GlobalProtect™ app 5.1 with PAN-OS 9.1

OS Support: Fingerprint support on Windows, macOS, iOS, and Android; Face ID support on iOS X and later releases only.

For enhanced usability, GlobalProtect now supports biometric sign-in. When biometric sign-on is enabled on an endpoint, end users must supply a fingerprint that matches a trusted fingerprint template on the endpoint to use a saved password for authentication to GlobalProtect portal and gateways. On iOS X, GlobalProtect also supports facial recognition with Face ID. GlobalProtect does not store the fingerprint or facial template used for authentication, but relies on the operating system scanning capabilities to determine the validity of a scan match.

 

Software Support: Starting with GlobalProtect™ app 5.1 with Content Release version 8196-5685

OS Support: Windows and macOS

You can now configure exclusions for specific local IP addresses or network segments when you enforce GlobalProtect for network access. By configuring exclusions, you can improve the user experience by allowing users to access local resources when GlobalProtect is disconnected. For example when GlobalProtect is not connected, GlobalProtect can allow access to link-local addresses. This allows a user to access to a local network segment or broadcast domain.

 

Software Support: Starting with GlobalProtect™ app 5.1 and PAN-OS 9.1. To support host information for IoT, you must also use Content Release version 8196-5685 or later

OS Support: IoT operating systems—Android, Raspbian, Ubuntu, or Windows IoT Enterprise

With GlobalProtect for IoT, you can secure traffic from and extend security policy enforcement to your IoT devices. After you set up GlobalProtect for IoT, the GlobalProtect app authenticates with the GlobalProtect portal or gateways using client certificates and optionally a username and password and establishes an IPSec tunnel. In the event that a connection using IPSec is unsuccessful, you can configure the GlobalProtect app to fall back to an SSL tunnel.

To help you troubleshoot connection and performance issues for a specific user, GlobalProtect now collects and reports telemetry information for latency between the GlobalProtect gateway and the endpoint. With this information, you can easily identify the gateway to which the user is connected, the current stage of the connection, and statistics about the pre-tunnel and post-tunnel network latency. To view latency information, filter for it in the GlobalProtect Logs (Monitor > Logs > GlobalProtect) on PAN-OS 9.1 and later releases.

 

Software Support: Starting with GlobalProtect™ app 5.1

OS Support: Linux operating systems with graphic interface support (but supported on Ubuntu 18.04 only). Linux with KDE is not supported.

 

Software Support: Starting with GlobalProtect™ app 5.1

OS Support: macOS

The GlobalProtect app can now automatically detect and inherit proxy settings on macOS endpoints. This enables you to deploy GlobalProtect on macOS endpoints that do not have a direct internet connection and that route traffic through a proxy server. GlobalProtect for macOS supports both the use of PAC files and manual proxy configuration.

 

Software Support: Starting with GlobalProtect™ app 5.1 and PAN-OS 9.1

OS Support: The GlobalProtect app for Android now supports SAML single sign-on (SSO) for Chromebooks. End users can authenticate to GlobalProtect by leveraging the same login they use to access their Chromebook device or account. This enables users to connect to GlobalProtect without having to re-enter their credentials in the GlobalProtect app.

 

Software Support: Starting with GlobalProtect™ app 5.1

OS support: Windows operating systems (requires registry key changes)

To simplify the login process and improve the users’ experience, GlobalProtect offers seamless soft-token authentication with a two-factor authentication vendor such as RSA SecurID. The user enters the RSA PIN in the GlobalProtect Password field, and GlobalProtect retrieves the passcode from RSA and proceeds with the connection without the user taking the extra step of opening the RSA application.

With this change, users no longer need a two-step process where they are required to first open their software token app and enter their PIN to obtain a passcode, then enter the passcode in their GlobalProtect app in the Password field.

 

Seamless soft-token authentication is supported for all three RSA modes: PinPad Style (PIN integrated with token code), Fob Style (PIN followed by token code) and Pinless mode. For PinPad and Fob Style, the user enters the PIN in the Password field and GlobalProtect retrieves the passcode. In Pinless mode, the Password field is grayed out and users enter their username.

 

Software Support: Starting with GlobalProtect™ app 5.1 with Content Release version 8196-5685

OS Support: macOS

The GlobalProtect app now supports single sign-on for macOS endpoints. Single sign-on improves the user experience by reducing the number of times users must enter credentials when they log in. When a user logs in to macOS, the GlobalProtect app acquires and uses the credentials to authenticate with the GlobalProtect portal and gateways. To enable single-sign on, set Use Single Sign-on (macOS) to Yes in the App configuration of your GlobalProtect portal.

 

Software Support: Starting with PAN-OS 9.1 and GlobalProtect™ app 5.1 with Content Version 8207-5750

OS Support: Windows only

To prevent users from uninstalling the GlobalProtect app and getting around the security and compliance requirements you want to enforce, you can now configure a password that users must enter in order to uninstall GlobalProtect. After you set a password on the GlobalProtect portal and configure the dynamic app configuration to require the password for uninstallation, when the GlobalProtect app connects to the portal and fetches the configuration, it saves the uninstall with password settings to the registry.

 

Software Support: Starting with GlobalProtect™ app 5.1 with Content Release version 8196-5685

OS Support: Windows, macOS, iOS, Android, and Chrome OS

You can now prohibit or allow users to log out of GlobalProtect by configuring a new option in the app configuration of your GlobalProtect portal.

 

Thanks for taking time to read my blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Kiwi out!

490 Views
Ask Questions Get Answers Join the Live Community
Labels