GlobalProtect 6.1: New Features and Behavior

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member



Traditional technologies used to protect mobile endpoints but have long outlived their usefulness and are no longer capable of stopping advanced techniques used by modern attackers. Both users and applications have shifted to locations outside the traditional network perimeter. GlobalProtect enables organizations to protect the mobile workforce by extending the Next-Generation Security Platform to all users, regardless of location.


Read on to learn about all the new features and behavior introduced with the release of GlobalProtect 6.1.


Proxy Auto Configuration (PAC) Deployment from GlobalProtect


The GlobalProtect portal can now push the URL for your proxy auto-configuration (PAC) files to your endpoints. Upon connection, the portal returns the PAC URL to the endpoint. After establishing a tunnel with the gateway, the endpoint connects to the PAC URL and fetches the PAC file, which will update the proxy settings on the endpoint. Different PAC URLs can be deployed to different endpoints based on username or group membership. Once the endpoint has the proxy settings, it uses the proxy server to access the internet.

After you enable the feature, the new proxy configurations pushed through the app replaces the proxy settings already available on the endpoint. When the user disconnects the GlobalProtect app, the endpoint proxy configurations get automatically disabled, reverting to the initial settings on the endpoint.


This feature is available for all GlobalProtect users.


globalprotect portal, globalprotectglobalprotect portal, globalprotect


Note: Both Proxy Auto-Config (PAC) and Web Proxy Auto-Discovery Protocol (WPAD) standards are supported.


Advanced Internal Host Detection


You can now configure advanced internal host detection through the portal if you want to add an extra security layer during internal host detection by the GlobalProtect app. The app validates the server certificate of the internal gateways in addition to performing a reverse DNS lookup of the internal host to determine whether the app is inside the enterprise network.

Enabling the advanced internal host detection stops malicious actors from spoofing the reverse DNS server response during the internal host detection and prevents unauthorized access to the endpoints in the enterprise network. 


globalprotect portal, globalprotect, advanced internal host detectionglobalprotect portal, globalprotect, advanced internal host detection


Simplified macOS GlobalProtect App Deployment Using Jamf MDM Integration


Jamf Pro can now be used to deploy the GlobalProtect app to macOS endpoints to support large-scale GlobalProtect app deployments in on-premises and Prisma Access environments. Administrators can also provide a seamless user experience for macOS end users by deploying Jamf configuration profiles that can automatically load system and network extensions.



Additional information



We encourage you to check out the GlobalProtect resources on LIVEcommunity. Ideally, LIVEcommunity's product pages (find 'em in our nav bar) will be your first and last stop on your journey to learn more about the Palo Alto Networks products you're using. From discussions and blogs to videos and additional resources, LIVEcommunity can help you get the most from your cybersecurity toolbox.


Feel free to share your questions, comments and ideas in the section below.


Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.


Kiwi out!

L6 Presenter

Nice! Maybe with the "Proxy Auto-Config (PAC) and Web Proxy Auto-Discovery Protocol (WPAD)" in the future globalprotect could be able to be used as a proxy application agent for the Palo Alto Prisma Access Explicit Proxy to enforce the PAC file on the endpoint without any VPN establishment.

L2 Linker

Looks like 6.1 on Mac removes the ability to set a preferred gatewaymacos-gp61.png

L0 Member

Hi Jason,


You need to connect the GP Portal first before you can select a specific gateway

L2 Linker

Correct.  I was referring to the new ability in GP 5.x client to manually set your preferred gateway.  That option is no longer available in 6.1.0

L1 Bithead

+1 to add preferred gateway option back to 6.1 client.  Our large engineering base uses this feature a lot.

**Also, long ipv6 address are cut off on the Connection Statistics Assigned IP Address(es) section with no way to expand the window to see the full address and the Gateway IP address displayed cuts off half the actual IP address. There's room for improvement with this layout. It's unfortunate IPv6 did not receive much attention in this design. 



L0 Member

Once connected, the Star button to the left of the gateway sets this gateway as preferred for the next login.




Register or Sign-in
Top Liked Authors