Hi FabienJ, This is possible. You'd need an external web-server to host the GP software. Now, if you can configure some sort of authentication there, that's all well and good. If not, you can make use of PAN OS 8.0 for the 'Authentication policy' feature (this is what I'll demonstrate). For authentication policy approach, you should be hosting the file on a http server. Using this method, you can even do MFA for just the download, so I guess that's a plus. Well, here are the steps: Login to the command line and issue the following commands: set global-protect redirect location <path of the external server repository of the file> set global-protect redirect on In my case, since I didn't have a http server, I just chose something random like: http://www.ipvoid.com Run the command - set global-protect redirect show You should see the output similar to mine: cfg.global-protect.redirect.flag: True cfg.global-protect.redirect.location: http://www.ipvoid.com At this point, you are pretty much done if you are doing authentication on that external server. Proceed if you want to use the Authentication policy approach. 1. Create a captive portal Redirect host, in your case, will be the external facing address that can server the authentication page. Choose an appropriate SSL/TLS profile and authentication profile. 2. Create an authentication policy Please keep in mind that you'd have to choose the source zone as Outside. I am using Inside because of the way my lab setup is configured. Also, the destination zone would be something depending on where the file hosting server lies and if NAT is required or not. Destination adddress would be whatever address you have entered as the file server. You can choose Authentication Enforcement to use two-factor, if you want. I am just using a simple Web-form (captive portal). Here's the demo: Whether I go to the GP-portal, login and then click on the download GP client links or directly enter https://<my-portal-address>/global-protect/getmsi.esp?version=64&platform=windows , I will get an MFA portal page (customizable btw, under Device->Response pages), which will look like this: I would authenticate and then the firewall would redirect me to the file server (in this case it's just going to ipvoid.com). Hope that helps. Regards, Anurag
... View more