New GlobalProtect 5.2 Is Here


Community Team Member

GlobalProtect 5.2 New Features Inside


Palo Alto Networks is excited to announce the release of GlobalProtect 5.2. Protecting your network is our top priority, and the new features in GlobalProtect 5.2 will help you improve your security posture.


The newest version of GlobalProtect has been released with several new features, including Windows 10 features such as Split DNS and Connect Before Logon. Split DNS gives you much finer control over which DNS queries travel through the tunnel, and there are new options for the Enforce GlobalProtect for Network Access feature as well.


New GlobalProtect 5.2 Features*

Enforce GlobalProtect Connections with FQDN Exclusions (Windows 10 and macOS Catalina 10.15.4 or later)

To improve the user experience when the Enforce GlobalProtect for Network Access feature is enabled, you can now specify the fully qualified domain names that an endpoint is allowed to reach while the GlobalProtect connection is enforced. For example, the endpoint can still communicate with a cloud-hosted identity provider (IdP) for authentication, or with a remote device management server, even while enforcement is on. Every FQDN you exclude is reachable without the VPN, so keep the list to the hosts that actually need it.


Available with Content Release Version 8284-6139 or later.

Split DNS (Windows 10 and macOS Catalina 10.15.4 or later)

To let users reach both corporate applications and local resources, you can now specify domain exclusions or inclusions, and queries for excluded domains are sent to the local DNS server over the endpoint's physical adapter. With split DNS, you configure which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.

Available with Content Release Version 8284-6139 or later.
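The two features above are easiest to validate from the endpoint itself. The following PowerShell script is an added example (not from the Palo Alto Networks release notes or documentation) that checks, while the tunnel is disconnected, that an excluded FQDN is reachable on TCP 443 while a non-excluded host is not, and then, once the tunnel is up, compares how the tunnel DNS servers and the physical adapter's DNS servers answer for an internal name. The hostnames are placeholders, the tunnel adapter pattern `PANGP*` and the use of NRPT rules to steer domains are assumptions about the endpoint, so confirm them against your own machine.

```powershell
# Added example: verify Enforce GlobalProtect FQDN exclusions and Split DNS
# from a Windows 10 endpoint. Hostnames are placeholders (assumptions).
param(
    [string]$AllowedFqdn   = 'login.example-idp.com',      # FQDN excluded on the portal
    [string]$BlockedFqdn   = 'www.example.org',            # not excluded; should fail while enforced
    [string]$InternalName  = 'intranet.corp.example.com',  # should resolve only via VPN DNS
    [string]$TunnelAdapter = 'PANGP*'                      # assumed tunnel adapter description
)

function Test-Tcp443 {
    param([string]$Name)
    # Only the TCP handshake matters; an enforced block shows up as a failed connect.
    $r = Test-NetConnection -ComputerName $Name -Port 443 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

Write-Host '== FQDN exclusions (run while the tunnel is disconnected) =='
'{0,-35} reachable: {1}' -f $AllowedFqdn, (Test-Tcp443 $AllowedFqdn)
'{0,-35} reachable: {1}' -f $BlockedFqdn, (Test-Tcp443 $BlockedFqdn)
# Expected with enforcement on and the exclusion configured: True then False.

Write-Host "`n== Split DNS (run while the tunnel is connected) =="
$tunnel = Get-NetAdapter | Where-Object {
    $_.InterfaceDescription -like $TunnelAdapter -and $_.Status -eq 'Up'
}
if (-not $tunnel) {
    Write-Warning 'GlobalProtect tunnel adapter is not up; skipping split DNS checks'
    return
}

$tunnelDns   = (Get-DnsClientServerAddress -InterfaceIndex $tunnel.ifIndex -AddressFamily IPv4).ServerAddresses
$physical    = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
$physicalDns = (Get-DnsClientServerAddress -InterfaceIndex $physical.ifIndex -AddressFamily IPv4).ServerAddresses
"Tunnel DNS servers:   $($tunnelDns -join ', ')"
"Physical DNS servers: $($physicalDns -join ', ')"

# Windows steers a domain suffix to specific servers through the Name Resolution
# Policy Table; with split DNS in effect the included domain is expected to appear
# here (assumption about the mechanism, confirm on your endpoint).
Get-DnsClientNrptPolicy | Select-Object Namespace, NameServers | Format-Table -AutoSize

# Ask each resolver directly for the internal name: the tunnel servers should answer,
# the physical adapter's servers should not.
foreach ($srv in (@($tunnelDns) + @($physicalDns) | Select-Object -Unique)) {
    try {
        $a = Resolve-DnsName -Name $InternalName -Server $srv -DnsOnly -ErrorAction Stop |
             Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
        '{0,-16} {1} -> {2}' -f $srv, $InternalName, ($a -join ', ')
    } catch {
        '{0,-16} {1} -> no answer ({2})' -f $srv, $InternalName, $_.Exception.Message
    }
}
```

Run the first half with GlobalProtect disconnected and the second half after connecting; if the internal name resolves through the physical adapter's servers as well, the split DNS inclusion list is not doing what you intended.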

Default System Browser for SAML Authentication (Windows 10, macOS, Linux, iOS, and Android)

If you have set up the GlobalProtect portal to authenticate users through Security Assertion Markup Language (SAML), end users can now connect without re-entering their credentials in the GlobalProtect app, for a seamless single sign-on (SSO) experience. Authentication is handed to the default system browser (Chrome, Firefox, or Safari), so the same login serves both GlobalProtect and the user's SAML-enabled applications, and the user is prompted on first use only. After a successful authentication, the default system browser remembers the user's saved credentials for subsequent connections.


Additionally, on any browser that supports the Web Authentication (WebAuthn) API, you can use Universal 2nd Factor (U2F) security tokens such as YubiKeys for multi-factor authentication (MFA) when authenticating to identity providers (IdPs) such as OneLogin or Okta.


Available with Content Release Version 8284-6139 or later.

Connect Before Logon (Windows 10)

To simplify the login process and improve the user experience, end users can now establish the VPN connection to the corporate network before logging in to the Windows endpoint, using a smart card, an authentication service such as LDAP, RADIUS, or Security Assertion Markup Language (SAML), username/password authentication, or one-time password (OTP) authentication. Connect Before Logon is particularly useful for onboarding new users on an endpoint that has no local profile or account for them: users can log in to the Windows endpoint for the first time without a local administrator profile. And because Connect Before Logon lets the user reach the VPN before logging in to Windows, it reduces the frustration of users who get locked out of their account, for example when they fail to reset their password in time.

* - Features have been reprinted from the GlobalProtect 5.2 Release Notes in Palo Alto Networks TechDocs.


For even more information about these features, please see the GlobalProtect App New Features Guide:


Additional Information on LIVEcommunity

 

GlobalProtect Resource Page

Prisma Access Resource Page

Endpoint Protection Resource Page


Thanks for taking the time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

Comments
L0 Member

Hi, how true is it that "Connect Before Logon" works only on PAN-OS 10.0?

5,735 Views
Community Team Member

@kehernandez, thanks for the question.

According to all of the information that I have, PAN-OS 10.0 does not appear to be a requirement for "Connect Before Logon"

 

I used this for a basis:

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-rele...

 

5,713 Views

I was able to use it on PAN-OS 9.0.9. However, their instructions are not very good. I am still having issues getting the Show Portal option to appear.

5,314 Views
L0 Member

The documentation for Connect Before Logon is infuriatingly lacking. I've tried everything I can think of using the documentation here: https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-apps/deploy-a...

 

  • Manually creating the keys and values in CLSID doesn't work. I have to run 'PanGps.exe -registerplap'.
  • Step 2 expects me to modify values in a key that doesn't exist. I've attempted to create this key and what I interpreted these instructions to mean but I can't figure out how to get the portal address to display before GlobalProtect attempts to connect.
  • Step 3, again, instructs modification of a key and values that don't exist.

This step in particular is confusing: "Change the Portal <portal_value> value to portal_address_<number>. For example, portal_address_1. Repeat this step for each portal that you want to add."

 

I have no idea what this is referring to. I attempted to create strings in the CBL key named "portal_address_1" and "portal_address_2" with values equal to the FQDN of two portals... and nothing. How are we supposed to work with half-written directions?

4,876 Views
Community Team Member

I am sorry that the instructions are lacking.  I can try to reach out to the group responsible and let them know. 

 

In the meantime, I would recommend that you get on the GlobalProtect discussion area and post this question there to see if anyone else has been able to get this working, and if so how. 

That area is here:

https://live.paloaltonetworks.com/t5/globalprotect-discussions/bd-p/GlobalProtect_Discussions

 

Otherwise I will see what the documentation group says and what they can provide.

 

Thanks,

Joe Delio

4,779 Views

We created those entries manually with no issues. As for the portal, here is what you have to do:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL

- Create an entry for Portal1 (no spaces), type REG_SZ, Data: portal-address. DO NOT ADD THE NUMBER as the documentation suggests. (Repeat if you have more, specifying Portal2, ...)

- Create an entry AlwaysShowPortal, REG_SZ, yes.

That made the portals show up.

4,749 Views
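The registry steps in the last comment, together with the `PanGps.exe -registerplap` step from the earlier comment, can be scripted so the same setup is applied the same way on every endpoint. The script below is an added example written for this page, not code from Palo Alto Networks or from either commenter; it follows the commenter's naming (`Portal1`, `Portal2`, ... with the bare portal address as data, plus `AlwaysShowPortal`) rather than the `portal_address_<number>` wording in the documentation. The portal FQDNs are placeholders and the `PanGPS.exe` install path is assumed to be the default, so adjust both for your environment and confirm the key layout against the documentation for your app version.

```powershell
# Added example: apply the Connect Before Logon registry setup described in the
# comments above. Portal names below are placeholders (assumptions).
#Requires -RunAsAdministrator
param(
    [string[]]$Portals = @('vpn1.example.com', 'vpn2.example.com'),
    # Assumed default install location of the GlobalProtect service binary.
    [string]$PanGps    = 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe'
)

$cbl = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL'

# 1. Register the Pre-Logon Access Provider. One commenter found that creating the
#    CLSID entries by hand did not work and that this switch was required.
if (-not (Test-Path $PanGps)) { throw "PanGPS.exe not found at $PanGps" }
& $PanGps -registerplap
if ($LASTEXITCODE -ne 0) { throw "PanGPS.exe -registerplap exited with $LASTEXITCODE" }

# 2. Create the CBL key and one PortalN value per portal. Type REG_SZ; the data is
#    the bare portal address, without a number appended.
New-Item -Path $cbl -Force | Out-Null
$n = 1
foreach ($portal in $Portals) {
    New-ItemProperty -Path $cbl -Name "Portal$n" -PropertyType String -Value $portal -Force | Out-Null
    $n++
}

# 3. Make the portal list visible on the Windows logon screen.
New-ItemProperty -Path $cbl -Name 'AlwaysShowPortal' -PropertyType String -Value 'yes' -Force | Out-Null

# Show what was written so it can be compared with the commenter's description.
Get-ItemProperty -Path $cbl | Select-Object Portal*, AlwaysShowPortal | Format-List
```

Run it from an elevated PowerShell prompt on a test endpoint first; a registry export of the `CBL` key after a successful run is a handy reference when the documentation and the app's behaviour disagree.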