GlobalProtect Agent

Overview

The GlobalProtect Agent is a key component in Palo Alto Networks’ GlobalProtect infrastructure. It is the client-side software that runs on endpoints (desktops, laptops, and mobile devices), allowing them to connect securely to internal network resources through GlobalProtect portals and gateways.

The agent manages the connection to the GlobalProtect portal for configuration and to the GlobalProtect gateway for enforcement of security policies and secure tunnel establishment.

Supported Platforms

• Windows 11/10 (x64)
• macOS
• Linux (Ubuntu, Red Hat Enterprise Linux)
• iOS (via App Store)
• Android & ChromeOS (via Google Play)
• Windows UWP

For the full list of supported OS and minimum required versions, consult the Compatibility Matrix .

Deployment Methods

• Via the GlobalProtect Portal (for Windows and macOS)
• Mobile device management systems (MDM): Workspace ONE, Microsoft Intune, Jamf, MobileIron, Google Admin Console
• Manual installation via MSI or PKG packages

Configuration

The agent behavior is centrally managed by the GlobalProtect Portal. Key configuration options include:

• Portal and Gateway selection
• Authentication methods (SAML, LDAP, RADIUS, etc.)
• Client certificates and SSL/TLS service profiles
• Split tunneling policies (based on routes, domain, applications, etc.)
• HIP reporting settings
• UI customization and restrictions (tabs, notifications, logout behavior)

Authentication Behavior

• Uses same credentials for both portal and gateway by default
• Supports cookie-based SSO to reduce repeated logins
• Credential forwarding can be customized per gateway type (internal, external)
• Supports machine and user certificates
• Supports multifactor authentication including OTP, Smart Cards, and SCEP enrollment

App Logging and Troubleshooting

• Diagnostic logs collected locally from app
• Integration with Strata Logging Service
• Logs include connection state, auth failures, HIP evaluation, tunnel errors
• Useful for troubleshooting user access and policy mismatch issues

GlobalProtect Agent Connection Flow

sequenceDiagram
    participant User as Endpoint
    participant Portal as GP Portal
    participant Gateway as GP Gateway

    User->>Portal: Connect and authenticate
    Portal-->>User: Return configuration and certificate
    User->>Gateway: Establish tunnel and authenticate
    Gateway-->>User: Enforce security policies and allow traffic
  

Best Practices

• Use trusted public CA-signed certificates for portals to avoid certificate errors
• Configure pre-logon when machine authentication is required before user logon
• Use split tunneling only when necessary and properly scoped to minimize risk
• Regularly update GlobalProtect agent versions
• Enable HIP checks for enhanced endpoint posture validation

References

• GlobalProtect Administrator’s Guide
• Where Can I Install the GlobalProtect App?
• Deploy Server Certificates
• GlobalProtect User Authentication