PAN-OS: Configuring Multiple GlobalProtect Gateway Agent Configurations

Introduction: Tailoring the Client Experience

While a single GlobalProtect Gateway can serve many users, you might encounter scenarios where different groups of users connecting to that same Gateway require distinct settings pushed down to their GlobalProtect agents. For example, you might need different split-tunneling rules, DNS servers, or IP pools based on user group, operating system, or device compliance (via HIP profiles).

PAN-OS addresses this need by allowing you to configure multiple Agent Configurations within a single GlobalProtect Gateway definition. The firewall then uses matching criteria (like user group, OS, or HIP profile) to determine which specific configuration to apply to a connecting client.

This powerful feature allows one logical Gateway infrastructure object on the firewall to provide customized experiences and network access parameters for diverse user populations, enhancing flexibility and granular control over your GlobalProtect deployment.

     This article focuses on multiple
     
      Agent Configurations on a single Gateway
     
     . This is distinct from deploying multiple separate GlobalProtect Gateway instances (which might have different IP addresses or serve entirely different geographical regions).

Why Use Multiple Gateway Agent Configurations?

Common scenarios where multiple configurations on a single Gateway are beneficial:

Different Access Levels (Split Tunneling):
Providing full-tunnel access (all traffic via VPN) for some user groups (e.g., IT Admins, Developers needing to test external access through corporate IPs) while enabling split-tunneling (only specific corporate traffic via VPN) for others (e.g., Sales team accessing only CRM and internal file shares).
Operating System Specific Settings:
Pushing different DNS servers, specific Access Routes, or even different connect methods based on whether the user is connecting from Windows, macOS, Linux, iOS, or Android. For example, mobile devices might get a more restrictive set of routes.
Device Compliance (HIP-Based Settings):
Assigning different IP pools, access routes, or DNS servers based on the device's security posture. For instance, fully compliant devices get a standard IP with broad access, partially compliant devices get an IP with limited access, and non-compliant devices might be shunted to an IP pool on a restricted remediation network with access only to update servers and helpdesk.
BYOD vs. Corporate Devices:
Providing more restricted access (e.g., limited split-tunnel routes, no "save password" option) for personally owned devices (BYOD) compared to corporate-managed devices. This differentiation is often achieved using HIP profiles or user group membership.
Regional Differences (Limited Gateway Scope):
If users from different internal departments or roles connect to the same centralized Gateway, you might assign them different DNS servers or slightly varied access routes pertinent to their primary work resources, based on their user group.

Note: For true geographical diversity (e.g., users in AMER vs. EMEA vs. APAC), deploying multiple distinct Gateways selected via Portal configuration based on Source Region is generally the preferred approach. However, for role-based differences within a single Gateway's user base, multiple agent configs are ideal.
Testing and Phased Rollouts:
Introduce new settings (like a new DNS server or split-tunnel rule) to a specific pilot user group or OS type before rolling it out to everyone, all while using the same production Gateway.
Varying Client Software Settings:
Pushing different client settings like "Enable Inactivity Logout," "Disable User Credential Saving," or "Collect HIP data" based on user role or device posture.

     Understanding these use cases is key for the exam, as questions often present a scenario and ask how to achieve it using Gateway Agent Configurations.
    

Configuration Location and Key Concepts

Location within the Gateway

You configure multiple agent configurations within the settings of a specific GlobalProtect Gateway.

GUI Path: Network > GlobalProtect > Gateways > [Select/Edit Your Gateway Name] > Agent tab

Within the Agent tab, the primary area for these multiple configurations is the Client Settings sub-tab. Here, you will add and order multiple "Client Settings Configuration" blocks.

Illustrative: GlobalProtect Gateway > Agent > Client Settings tab is where you add multiple configurations.

Core Concept: Matching Criteria & Order

When a GlobalProtect client connects to the Gateway, the firewall evaluates the list of configured Client Settings configurations sequentially from top to bottom .

Flowchart of Gateway Agent Configuration Matching Logic.

Matching Criteria & Order of Evaluation

The effectiveness of multiple agent configurations hinges on correctly defining the matching criteria and the order of these configurations.

Matching Criteria

Each Client Settings configuration block allows you to specify criteria that the connecting client's attributes (OS, user identity, device posture) must meet to receive that specific set of configurations. The key matching criteria tabs within a Client Settings configuration are:

Operating System Tab: Select specific OS versions (e.g., Windows 10, macOS Ventura, specific Android versions, iOS). You can select 'any' or be very granular.
User and Group Tab: Select specific Usernames or User Groups. This requires User-ID to be configured and functioning correctly on the firewall so it can identify the user and their group memberships. You can select 'any', specific users, or specific groups.
HIP Profile Tab: Select one or more pre-configured Host Information Profiles (HIP). This requires HIP Objects and Profiles to be configured and HIP data collection enabled. You can match if the client matches *any* of the selected HIP profiles (OR logic among selected HIP profiles) or if it matches *all* (if that option becomes available in future PAN-OS, currently it's typically 'any of').

     
      AND Logic within a Configuration Block:
     
     If you configure criteria across multiple tabs (e.g., OS is Windows, User Group is 'Engineers', AND HIP Profile is 'Compliant-Corporate') within a
     
      single
     
     Client Settings configuration block, the client must match
     
      ALL
     
     of these specified criteria to receive that configuration.

Order and "First Match Wins"

The order in which you list your Client Settings configurations is CRITICAL .

The firewall evaluates these configurations from the top of the list downwards .
The first configuration block whose criteria are fully met by the connecting client is applied.
No further configuration blocks in the list are evaluated for that client session once a match is found. This is known as the "first match wins" principle.

     The "top-down, first match wins" rule is a fundamental concept for PCNSE. Incorrect ordering is a common source of misconfiguration.
    

The Indispensable Default/Fallback Configuration

It is crucial to have a "catch-all" or default Client Settings configuration block at the very bottom of the list .

This block should typically have no specific OS, User/Group, or HIP criteria selected (i.e., all set to 'any' or left blank).
Its purpose is to apply a standard set of baseline settings to any client who doesn't match any of the more specific configurations defined above it.
Without a default/catch-all, clients not matching any specific rule might not receive any agent configuration, potentially leading to connection failures or unexpected behavior.

     
      Always configure a default/catch-all Client Settings configuration at the bottom of the list.
     
     This ensures all connecting clients receive some form of agent configuration.

Settings Defined Per Agent Configuration

Within each Client Settings configuration block (which is matched by OS, User/Group, and/or HIP criteria), you define the specific parameters that will be pushed down to the GlobalProtect agent on the client's endpoint. Key configurable settings include:

Key Tabs within a Client Settings Configuration Block:

When you "Add" or "Edit" a Client Settings configuration, you'll see several tabs. The most commonly used for defining agent behavior are:

General: Basic naming and description.
OS, User and Group, HIP Profile: These are for the matching criteria as discussed previously.
Network Settings (or similar naming based on PAN-OS version):
- IP Pools: Assign client IP addresses from specific IP address pools configured on the firewall. This allows for network segmentation based on client profile.
- Primary DNS Server, Secondary DNS Server: Specify DNS servers for clients.
- DNS Suffixes: Define DNS search suffixes.
Split Tunnel:
- Access Routes (Include/Exclude): Define IP-based routes.
  - Include Routes: Traffic destined for these networks will be sent through the GlobalProtect tunnel.
  - Exclude Routes: Traffic destined for these networks will bypass the tunnel and go via the client's local network interface.
  - Leaving "Include Access Routes" empty generally signifies a full-tunnel configuration (all traffic goes through the tunnel, except for what might be explicitly excluded).
- Domain and Application Split Tunnel (Include/Exclude): Define split tunneling based on FQDNs (domains) or specific applications (App-ID based, requires App-ID to be up-to-date). This offers more granular control than IP-based routes.
Client Settings (or similar, may be called "App" in older versions):
- Connect Method: (e.g., User-logon, Pre-logon, On-demand) - Can sometimes be varied.
- Enable Inactivity Logout / Logout Hold Time.
- Allow user to disable GlobalProtect app.
- Save User Credentials.
- Report HIP Data. (Though HIP collection is also enabled more globally).
- And other agent behavior settings.
Network Services:
- Settings like DNS Proxy, HTTP/HTTPS Proxy configuration for the client.

By customizing these settings within different agent configuration blocks, you can deliver precisely tailored network access and agent behavior to different sets of users connecting to the same Gateway.

     Familiarize yourself with the types of settings available under each tab (especially IP Pools, DNS, and Split Tunneling options) as you may be asked to identify where a particular setting is configured.
    

Configuration Workflow Example

Let's illustrate with a common scenario:

Scenario: You have one GlobalProtect Gateway. You need to:

Provide full-tunnel access for the 'IT-Admins' user group.
Provide split-tunnel access (only to internal network 10.0.0.0/8 ) for the 'Sales-Users' user group.
Provide highly restricted access (perhaps only to a remediation portal, e.g., 192.168.100.10/32 ) for any device that matches a 'Non-Compliant-Device' HIP profile, regardless of user group.
Provide a default full-tunnel with basic internet access for all other users who don't meet the above criteria.

Steps:

Navigate to Gateway Config:
Go to Network > GlobalProtect > Gateways > [Your Gateway Name] > Agent tab > Client Settings sub-tab.
Configure Non-Compliant Device Settings (Top Rule - Strictest Security Posture First):
- Click Add .
- Name: NonCompliant-RestrictedAccess
- HIP Profile Tab: Select the 'Non-Compliant-Device' HIP profile.
- Network Settings Tab: Assign a specific IP Pool (e.g., GP-Quarantine-Pool ), and DNS servers that might only resolve remediation sites.
- Split Tunnel Tab: Under 'Access Route' (Include), click Add and enter 192.168.100.10/32 (the remediation portal). Ensure no other include routes are present for maximum restriction.
- Click OK .
Configure IT Admins Settings (Second Rule - Specific User Group):
- Click Add .
- Name: IT-Admins-FullTunnel
- User and Group Tab: Select the 'IT-Admins' user group.
- Network Settings Tab: Assign an IP Pool (e.g., GP-IT-Pool ), assign appropriate corporate DNS Servers.
- Split Tunnel Tab: Leave 'Access Route' (Include) empty . This, combined with not having "Exclude local subnet access" (or similar options if present), typically signifies full tunnel. You might explicitly exclude video streaming sites if desired.
- Click OK .
Configure Sales Users Settings (Third Rule - Another Specific User Group):
- Click Add .
- Name: Sales-SplitTunnel
- User and Group Tab: Select the 'Sales-Users' user group.
- Network Settings Tab: Assign an IP Pool (e.g., GP-Sales-Pool ), assign appropriate corporate DNS Servers.
- Split Tunnel Tab: Under 'Access Route' (Include), click Add and enter 10.0.0.0/8 .
- Click OK .
Configure Default Settings (Bottom Rule - Catch-All):
- Click Add .
- Name: Default-FullTunnel-Basic
- OS Tab: Leave as 'any'.
- User and Group Tab: Leave this empty or set to 'any'.
- HIP Profile Tab: Leave as 'any'.
- Network Settings Tab: Assign a default IP Pool (e.g., GP-Default-Pool ) and general DNS servers (e.g., corporate or public).
- Split Tunnel Tab: Leave 'Access Route' (Include) empty for full tunnel.
- Click OK .
Order the Rules Correctly:
Use the up/down arrows in the Client Settings list to ensure the rules are in the correct order of precedence (most specific or most restrictive first, down to the general default):
1. NonCompliant-RestrictedAccess (HIP based, most restrictive access)
2. IT-Admins-FullTunnel (Specific User Group)
3. Sales-SplitTunnel (Another Specific User Group)
4. Default-FullTunnel-Basic (Catch-all)
If 'IT-Admins-FullTunnel' was above 'NonCompliant-RestrictedAccess', an IT Admin with a non-compliant device would get full tunnel access, bypassing the intended quarantine. Order is paramount!
Commit Changes:
Commit the configuration to the firewall.

Now, when users connect, the firewall will evaluate them against this ordered list and apply the first matching configuration.

Illustrative Diagrams

1. Agent Configuration Matching Logic Flowchart

Flowchart illustrating the top-down, first-match evaluation process for multiple agent configurations.

2. User Group to Configuration Mapping (Conceptual Graph)

Conceptual graph showing different user profiles/states mapping to distinct agent configurations on the same gateway.

3. Sequence Diagram: Client Connection and Configuration Assignment

Sequence diagram showing the interaction for assigning an agent configuration.

4. State Diagram: Possible Effective Configurations for a Client

State diagram illustrating how a client transitions to an effective configuration state based on matching criteria. (Simplified for clarity)

Use Cases & Scenarios

Common Use Cases (Recap)

As previously mentioned, the primary drivers for using multiple agent configurations on a single Gateway include:

Differentiated Split Tunneling: Full tunnel for some, specific routes for others.
OS-Specific Network Settings: Tailoring DNS, routes, or client behavior based on the endpoint's operating system.
HIP-Based Segmentation: Assigning different IP pools, DNS, or access levels (e.g., quarantine, limited, full) based on device compliance.
BYOD vs. Corporate Device Policies: More restrictive settings for personal devices.

Advanced & Granular Scenarios

Beyond the common cases, multiple agent configurations enable more nuanced control:

Granular IP Pool Assignment:
Assign very specific IP pools not just by broad group, but by a combination of user group AND operating system, or user group AND HIP profile. For example, 'Engineers' on 'Linux' get one pool, while 'Engineers' on 'Windows' get another, even if both are compliant.
Conditional Client Behavior Settings:
- Disable "Save User Credentials": For users in a 'Contractors' group or for any device matching a 'BYOD' HIP profile.
- Enforce "Inactivity Logout": With a shorter timeout for devices connecting from less trusted OS versions or with a 'Partially-Compliant' HIP status.
- Control "Allow User to Disable GlobalProtect": Disallow for standard employees but perhaps allow for IT support staff who might need to troubleshoot.
Targeted Network Service Configuration:
Push specific HTTP/HTTPS proxy settings only to users in a 'Guest-Access' group or to devices that are not domain-joined (identified via HIP). Other users might get direct internet access or different proxy settings.
Phased Deployment of New Features/Settings:
When introducing a new internal application that requires a specific access route, initially create an agent configuration targeting only the 'Pilot-Users' group with that new route. Once testing is successful, broaden the criteria or merge it into a standard configuration.
Location-Aware Customization (Indirectly via User Group/HIP):
If User-ID can populate groups based on a user's office location (e.g., 'NewYork-Users', 'London-Users'), you can assign location-specific DNS servers or access routes via agent configurations matched to these groups, even if they connect to a central Gateway.
Forcing Specific Connect Methods:
While often set globally in the Portal agent config, you could theoretically (though less common) attempt to influence connect methods if different OS versions or user types require variations, though this is more nuanced and typically handled at the Portal level or via client deployment methods.
Different Settings for Pre-Logon vs. User-Logon:
If using pre-logon, the "machine" context might match a generic agent configuration. Once the user logs in, User-ID and HIP data become available, potentially matching a more specific, user-centric agent configuration. This requires careful planning of the "pre-logon" agent config versus subsequent "user-logon" configs.

Scenario: Differentiated DNS for Developers

Goal: Developers need access to internal staging DNS servers, while all other users use standard corporate DNS. All users connect to the same Gateway.

Configuration:

Agent Config 1 (Top):
- Name: Developers-StagingDNS
- User and Group: Select 'Developer-Group'.
- Network Settings: Primary/Secondary DNS set to staging DNS servers.
- Split Tunnel: Appropriate access routes for developers.
Agent Config 2 (Bottom - Default):
- Name: Default-CorpDNS
- User and Group: 'any' (or leave blank).
- Network Settings: Primary/Secondary DNS set to standard corporate DNS servers.
- Split Tunnel: Standard access routes.

This ensures only developers get the staging DNS, while everyone else gets the standard. The order is vital.

Caveats & Gotchas

While powerful, using multiple Gateway Agent Configurations comes with points to watch out for:

Order, Order, Order!: This cannot be stressed enough. The top-down, first-match rule means incorrect ordering will lead to unintended configurations being applied. Always place more specific rules above more general ones.
Missing Default/Catch-All: Failure to include a comprehensive default configuration at the bottom of the list can result in some clients not receiving any agent settings, leading to connection issues or unexpected behavior.
Complexity Creep:
Having a very large number of granular agent configurations can become complex to manage, troubleshoot, and document. Strive for a balance between granularity and manageability. Consolidate where possible.
Dependency on Matching Criteria Data:
- User-ID Accuracy: If matching by User or Group, User-ID must be functioning correctly and providing timely user-to-IP mapping and group information. Delays or errors in User-ID can lead to incorrect config assignment.
- HIP Data Accuracy & Timeliness: If matching by HIP Profile, the GlobalProtect agent must successfully collect and submit HIP data, and the firewall must process it correctly. Issues with HIP (e.g., outdated content versions, agent problems) will affect matching.
Troubleshooting Specificity:
When a user reports an issue (e.g., wrong IP, cannot access X), you need to determine which agent configuration block they actually matched. Checking system logs for GlobalProtect connections often reveals the applied agent config name.

Monitor > Logs > System (filter for subtype globalprotect and search for username or IP). The log entry for a successful connection often indicates the name of the agent configuration that was applied.
"AND" Logic within a Block: Remember that if you specify OS, User/Group, AND HIP Profile within a single configuration block, all conditions must be met for that block to match. This is powerful but can be tricky if one criterion is unintentionally too restrictive.
Changes Require Commit: Like any firewall configuration change, modifications to Gateway Agent Configurations require a commit to take effect.
Client Reconnection for Changes: If an active user's attributes change in a way that would make them match a different agent configuration (e.g., they are added to a new group, their HIP status changes), they typically need to disconnect and reconnect to the Gateway for the new configuration to be evaluated and applied. The Gateway doesn't dynamically push a new full agent config mid-session without a reconnect. (Though HIP-based *policy* changes can take effect more dynamically based on periodic HIP updates).
Clarity of Naming: Use very clear and descriptive names for your agent configuration blocks (e.g., Win10-Sales-Compliant-SplitDNS ). This significantly aids in understanding and troubleshooting.
Testing Each Path: Thoroughly test client connections for each distinct set of matching criteria to ensure the correct agent configuration is applied and functions as expected.

     The order of rules, the need for a default, and troubleshooting which configuration was applied are frequent areas of focus.
    

Agent Configs on One Gateway vs. Multiple Actual Gateways

It's important to distinguish between using multiple Agent Configurations on a single Gateway versus deploying multiple distinct GlobalProtect Gateway instances (which could be on the same firewall or different firewalls).

Multiple Agent Configurations on a SINGLE Gateway:

Purpose: Provide different client-side settings (IP pool, DNS, split tunnel, client behavior) to diverse user groups/OS/HIP profiles connecting to the same Gateway IP address/FQDN .
Firewall Object: One GlobalProtect Gateway object in PAN-OS.
Authentication: Typically uses the same authentication profile defined for that single Gateway.
Ideal for: Role-based, OS-based, or posture-based customization for users who would otherwise connect to the same logical access point.

Multiple Distinct GlobalProtect Gateways:

Purpose:
- Geographical Distribution: Gateways in different regions (e.g., US-East, EMEA, APAC) to provide lower latency for users in those regions.
- High Availability/Redundancy: Multiple gateways for failover.
- Different Authentication Requirements: One gateway for SAML MFA, another for RADIUS, another for Kerberos (though often a single gateway can support multiple auth methods sequentially via Authentication Policy).
- Completely Separate Network Access/Security Scopes: A gateway for internal users (Internal Gateway) and another for external remote access (External Gateway). Or a gateway for standard corporate access and another highly restricted gateway for contractors.
- Capacity Scaling: Distributing load across multiple physical or virtual firewall instances each running a gateway.
- Different IP Addressing/Interfaces: Each gateway can listen on a different interface and IP address.
Firewall Object(s): Multiple GlobalProtect Gateway objects in PAN-OS.
Authentication: Each gateway can have its own distinct authentication profile.
Gateway Selection: The GlobalProtect Portal plays a key role in directing clients to the appropriate distinct gateway, often based on:
- Source Region: Portal assigns gateways based on the client's geographical source IP.
- Priority: Manually configured priority list of gateways.
- OS: Portal can direct different OS types to different gateways (less common for this specific purpose than agent configs).
Ideal for: True geographical diversity, scaling, distinct authentication realms, or fundamentally different access purposes.

     
      Key Takeaway:
     
     If you need to vary
     
      client-side settings
     
     for users hitting the
     
      same access point (Gateway)
     
     , use multiple Agent Configurations. If you need different access points due to geography, authentication, or major network segmentation, deploy multiple distinct Gateways and manage selection via the Portal.

You can, of course, use both: have multiple distinct Gateways, and each of those Gateways can itself have multiple Agent Configurations to further tailor the experience for users connecting to that specific Gateway instance.

PCNSE Exam Focus for Multiple Gateway Agent Configurations

For the PCNSE exam, understanding how to tailor the GlobalProtect client experience using multiple agent configurations on a single gateway is crucial. Key areas of focus include:

Core Mechanism:
- Knowing that multiple agent configurations are set within the Client Settings tab of a single GlobalProtect Gateway's agent configuration.
- Understanding the top-down, first-match wins evaluation logic.
Matching Criteria:
- Identifying the available matching criteria: Operating System, User and Group, HIP Profile .
- Understanding the AND logic applied when multiple criteria (OS, User/Group, HIP) are specified within a single agent configuration block.
Order of Precedence:
- The critical importance of ordering the agent configuration blocks correctly (most specific to least specific).
- The necessity and placement of a default/catch-all configuration at the bottom of the list.
Configurable Settings:
- Being familiar with the common settings that can be customized per agent configuration block:
  - IP Pools
  - DNS Servers & Suffixes
  - Split Tunneling: Access Routes (Include/Exclude IP-based), Domain/Application-based (Include/Exclude FQDN/App-ID). Understanding that empty include routes often mean full tunnel.
  - Basic client behavior settings (e.g., save credentials, inactivity logout).
Use Cases/Scenarios:
- Ability to determine how to configure agent settings to meet requirements like:
  - Full tunnel for Group A, split tunnel for Group B.
  - Different DNS for Windows vs. macOS.
  - Quarantine IP/DNS for non-compliant HIP devices.
Troubleshooting:
- Knowing where to look to verify which agent configuration was applied to a client (e.g., System Logs for GlobalProtect).
- Common reasons for misconfiguration (e.g., incorrect order, missing default, User-ID/HIP issues affecting matching).
Distinction:
- Briefly understanding how this differs from deploying multiple *actual* GlobalProtect Gateways (which are selected via the Portal).

     
      Study Tip:
     
     Practice scenarios. Given a set of requirements for different user types, mentally (or in a lab) walk through creating and ordering the necessary agent configuration blocks. Pay close attention to the "first match wins" logic.

GlobalProtect Gateway Agent Configurations - Interactive Quiz

Test your knowledge on configuring multiple agent settings for a GlobalProtect Gateway.

1. Where in the PAN-OS GUI do you configure multiple agent configurations for a single GlobalProtect Gateway?

Network > GlobalProtect > Portals > [Portal Name] > Agent Tab Objects > GlobalProtect > Clientless VPN Network > GlobalProtect > Gateways > [Gateway Name] > Agent Tab > Client Settings Device > User Identification > Group Mapping Settings

Correct Answer: C
Multiple agent configurations (Client Settings) are defined under the Agent tab of a specific GlobalProtect Gateway.

2. What is the evaluation logic used by the firewall when a client connects to a Gateway with multiple agent configurations defined?

Top-down, first match wins. Bottom-up, first match wins. Most specific criteria match, regardless of order. All matching configurations are merged.

Correct Answer: A
The firewall evaluates the ordered list of Client Settings configurations from the top. The first one that matches the client's attributes is applied, and no further configurations are checked.

3. Which of the following are valid matching criteria for a Gateway Agent Configuration (Client Settings)?

Source IP Address and Destination Zone Application and Service Time of Day and URL Category Operating System, User/Group, and HIP Profile

Correct Answer: D
The primary matching criteria tabs within a Client Settings configuration are Operating System, User and Group, and HIP Profile.

4. If an agent configuration block specifies criteria for OS (Windows), User Group (Engineers), and HIP Profile (Compliant), what logic is applied?

OR logic: The client must match any one of the criteria. AND logic: The client must match all three criteria. The HIP Profile takes precedence over OS and User Group. Only the User Group criterion is considered if specified.

Correct Answer: B
When multiple types of criteria (OS, User/Group, HIP) are set within a single agent configuration block, the client must satisfy all of them (AND logic) for that block to be a match.

5. Why is it critical to have a default/catch-all agent configuration at the bottom of the list?

To apply the most secure settings to all users. To log all connection attempts that don't match specific rules. To ensure clients not matching any specific criteria still receive a valid agent configuration. To override any settings from the GlobalProtect Portal.

Correct Answer: C
A default configuration (typically matching 'any' OS, 'any' user, 'any' HIP) ensures that if a client doesn't meet any of the more specific criteria, they still get a baseline set of agent settings, preventing connection failures or undefined behavior.

6. Which setting within an agent configuration block is typically left empty to signify a full-tunnel configuration for GlobalProtect?

Include Access Routes (under Split Tunnel) IP Pools (under Network Settings) Primary DNS Server (under Network Settings) Exclude Video Streaming Applications (under Split Tunnel)

Correct Answer: A
When "Include Access Routes" is left empty (and no overriding exclusions are present), it generally means all traffic from the client will be tunneled through the Gateway.

7. A company wants to provide different DNS servers to Windows users versus macOS users connecting to the same Gateway. This can be achieved by:

Configuring two separate GlobalProtect Gateway instances. Using HIP profiles to check the OS and then applying different Security Policies. Modifying the GlobalProtect Portal settings to assign DNS based on OS. Creating two Agent Configurations on the Gateway: one matching Windows (with DNS_A) and another matching macOS (with DNS_B), ordered appropriately.

Correct Answer: D
This is a prime use case for multiple agent configurations on a single Gateway. One configuration block would match Windows OS and assign its specific DNS, and another would match macOS and assign its DNS.

8. What is a potential issue if a more general agent configuration (e.g., matching 'any' user) is placed above a more specific one (e.g., matching 'IT-Admins' group)?

The firewall will generate a commit error. Users in the 'IT-Admins' group might receive the general configuration instead of their intended specific one. The specific configuration will always override the general one, regardless of order. Both configurations will be merged and applied to 'IT-Admins'.

Correct Answer: B
Due to the "top-down, first match wins" logic, if the general rule is matched first by an IT Admin, they will get that configuration, and their more specific rule lower in the list will never be evaluated.

9. To assign clients to a restricted "quarantine" IP pool if their device fails a HIP check for 'Antivirus-Disabled', you would typically:

Configure this directly in the HIP Object itself. Use a Security Policy to NAT non-compliant users to the quarantine pool. Create an Agent Configuration matching the 'Antivirus-Disabled' HIP Profile and assign the quarantine IP pool within that configuration's Network Settings. Set the quarantine IP pool as the default in the GlobalProtect Portal.

Correct Answer: C
The Agent Configuration is where you link a matching criterion (like a HIP Profile) to specific client settings (like an IP Pool). This configuration should be placed high in the order.

10. If User-ID is not functioning correctly and failing to identify a user's group membership, how might this impact Gateway Agent Configurations that rely on 'User and Group' matching?

The user might not match their intended specific agent configuration and could fall through to a default or less specific configuration. The GlobalProtect Gateway will automatically use OS-based matching instead. The user's connection to the Gateway will be denied outright. It will have no impact, as agent configurations primarily use HIP profiles.

Correct Answer: A
If the firewall cannot determine the user's group due to User-ID issues, any agent configuration that specifically matches on that group will not be hit. The user will likely match a more general rule or the default rule.

11. Which log on the Palo Alto Networks firewall is most helpful for determining which specific Gateway Agent Configuration was applied to a connecting GlobalProtect client?

Traffic Log System Log (filtered for subtype globalprotect) HIP Match Log User-ID Log

Correct Answer: B
The System Log, when filtered for GlobalProtect events (e.g., subtype


        globalprotect

and eventid


        globalprotectgateway-agent-config-match

or similar), often shows the name of the agent configuration profile that was matched and applied to the client during connection.

12. When is deploying multiple *distinct* GlobalProtect Gateways more appropriate than using multiple agent configurations on a single gateway?

When you want to assign different IP pools to different user groups. When you need to provide split-tunnel access for some users and full-tunnel for others. When you want to push different DNS servers based on the client OS. When you need gateways in different geographical regions for latency reduction or require completely separate authentication profiles per access point.

Correct Answer: D
Multiple distinct gateways are used for geographical distribution, high availability, differing authentication realms, or fundamentally separate network access points. Options A, B, and C can all be handled by multiple agent configurations on a single gateway.

13. A client connects and matches an agent configuration that assigns IP Pool 'Pool-A' and DNS 'DNS-1'. Later, an administrator changes that specific agent configuration to use 'Pool-B' and 'DNS-2' and commits. What happens to the already connected client?

The client's IP and DNS will dynamically update to Pool-B and DNS-2 immediately. The client will be disconnected and forced to re-authenticate. The client will continue to use Pool-A and DNS-1 until they disconnect and reconnect to the Gateway. The Gateway will send a client configuration update message prompting the user to accept changes.

Correct Answer: C
Gateway agent configurations are typically applied at the time of connection. Changes to the agent configuration settings usually require the client to disconnect and reconnect to receive the updated settings.

14. To provide split-tunnel access that only includes routes to 10.10.0.0/16 and 172.16.0.0/12 , how would you configure the "Access Routes" in the Split Tunnel tab of an agent configuration?

Add


         0.0.0.0/0

to Include, and add


         10.10.0.0/16

and


         172.16.0.0/12

to Exclude. Add


         10.10.0.0/16

and


         172.16.0.0/12

to Include, and leave Exclude empty. Leave Include empty, and add


         10.10.0.0/16

and


         172.16.0.0/12

to Exclude. Add


         0.0.0.0/0

to Exclude, and add


         10.10.0.0/16

and


         172.16.0.0/12

to Include.

Correct Answer: B
For split tunneling where only specific routes go through the tunnel, you add those specific routes to the "Include Access Routes" list. Traffic to other destinations will then go via the client's local network.

15. If no agent configuration block explicitly matches a connecting client, and there is no default/catch-all configuration defined at the bottom of the list, what is the likely outcome?

The client may fail to connect or receive no specific agent settings, potentially falling back to very basic global settings or failing. The client will automatically receive the settings from the first configuration block in the list. The client will receive the settings configured directly on the GlobalProtect Portal. The Gateway will prompt the administrator to create a new matching configuration.

Correct Answer: A
Without a matching agent configuration, including a default, the client might not receive necessary settings like an IP address or DNS, leading to connection issues or undefined behavior.

16. An administrator wants to disable the "Save User Credentials" option for GlobalProtect agents connecting from devices that match a 'Public-Kiosk' HIP Profile. This should be done in:

The HIP Profile configuration itself. The GlobalProtect Portal's main agent configuration. A Security Policy rule matching the 'Public-Kiosk' HIP Profile. A Gateway Agent Configuration (Client Settings) that matches the 'Public-Kiosk' HIP Profile, under its Client Settings/App tab.

Correct Answer: D
Client behavior settings like "Save User Credentials" are configured within a specific Gateway Agent Configuration block, which can be matched based on criteria like a HIP Profile.

17. To ensure that an agent configuration for "Contractor Users" (who are also part of the "All_Staff" group) takes precedence over a more general configuration for "All_Staff", how should they be ordered?

Order does not matter; the most specific group match is always chosen. Place the "All_Staff" configuration above the "Contractor Users" configuration. Place the "Contractor Users" configuration above the "All_Staff" configuration. Create a combined group "Contractor_And_All_Staff" for a single rule.

Correct Answer: C
The more specific rule ("Contractor Users") must be placed higher in the list than the more general rule ("All_Staff") to ensure contractors get their intended settings due to the top-down, first-match logic.

18. The "Domain and Application Split Tunnel" feature within a Gateway Agent Configuration allows you to:

Only exclude specific IP subnets from the tunnel. Include or exclude traffic based on FQDNs or App-ID signatures, offering more granularity than IP-based routes. Force all DNS requests through the tunnel regardless of other split tunnel settings. Define which domains can be resolved by the client's local DNS servers.

Correct Answer: B
This feature provides finer control over what traffic is tunneled by specifying domains (FQDNs) or applications (using App-ID), rather than just relying on IP addresses/subnets.

19. If you have two agent configurations, ConfigA (matches UserGroupX) and ConfigB (matches OS_Windows), and a Windows user from UserGroupX connects, which config applies if ConfigA is listed above ConfigB?

ConfigA, because it's the first match in the list. ConfigB, because OS match is more specific. Both ConfigA and ConfigB settings will be merged. Neither, the default config will apply.

Correct Answer: A
The evaluation is strictly top-down. If ConfigA matches UserGroupX, and that user is in UserGroupX, ConfigA is applied regardless of whether ConfigB (lower in the list) would also have matched based on OS.

20. Which of these is NOT typically configured within a Gateway Agent Configuration's "Client Settings" block?

IP Pool assignment DNS Server addresses Split Tunnel Access Routes The Gateway's external listening IP address

Correct Answer: D
The Gateway's external listening IP address is part of the main Gateway configuration (Network tab), not a setting that varies per agent configuration block for clients connecting to it. Agent configurations define what settings are *pushed to the client*.