GLOBALPROTECT
Prevent Breaches and Secure the Mobile Workforce

GlobalProtect extends the protection of Palo Alto Networks Next-Generation Security Platform to the members of your mobile workforce, no matter where they may go.

Key Usage Scenarios and Benefits

Remote Access VPN
• Provides secure access to internal and cloud-based business applications

Advanced Threat Prevention
• Secures internet traffic
• Stops threats from reaching the endpoint
• Protects against phishing and credential theft

URL Filtering
• Enforces acceptable use policies
• Filters access to malicious domains and adult content
• Prevents the use of avoidance and evasion tools

Secure Access to SaaS Applications
• Controls access and enforces policies for SaaS applications while blocking unsanctioned applications

BYOD
• Supports app-level VPN for user privacy
• Enables secure clientless access for partners, business associates and contractors

Strengthens Internal Network Segmentation
• Delivers reliable user identification
• Delivers immediate and accurate host information for visibility and policy enforcement
• Enforces step-up multi-factor authentication to access sensitive resources

The world you need to secure continues to expand as both users and applications shift to locations outside the traditional network perimeter. Security teams face challenges with maintaining visibility into network traffic and enforcing security policies to stop threats. Traditional technologies used to protect mobile endpoints, such as host endpoint antivirus software and remote access VPN, are not capable of stopping the advanced techniques employed by today's more sophisticated attackers.

Palo Alto Networks® GlobalProtect™ network security client for endpoints enables organizations to protect the mobile workforce by extending the Next-Generation Security Platform to all users, regardless of location. It secures traffic by applying the platform's capabilities to understand application use, associate the traffic with users and devices, and enforce security policies with next-generation technologies.

Extending the Platform Protection Externally

GlobalProtect safeguards the mobile workforce by inspecting all traffic using the organization's next-generation firewalls that are deployed as internet gateways, whether at the perimeter, in the DMZ or in the cloud. Laptops, smartphones and tablets with the GlobalProtect app automatically establish a secure SSL/IPsec VPN connection to the next-generation firewall with the best performance for a given location, thus providing the organization with full visibility of all network traffic, applications, ports and protocols. By eliminating the blind spots in mobile workforce traffic, the organization maintains a consistent view into applications.

Securing the Network Internally

Not all users need access to every corner of the corporate network. Security teams are adopting network segmentation to partition their network and enforce precise controls for access to internal resources. GlobalProtect provides the fastest, most authoritative user identification for the platform, enabling organizations to write precise policies that allow or restrict access based on business need. Furthermore, GlobalProtect provides host information that establishes device criteria associated with security policies. These measures allow organizations to take preventive steps to secure their internal networks, adopt Zero Trust network controls and reduce the attack surface area.
Palo Alto Networks | GlobalProtect | Datasheet 1
When GlobalProtect is deployed in this manner, the internal network gateways may be configured for use with or without a VPN tunnel.

Inspection of Traffic and Enforcement of Security Policies

GlobalProtect enables security teams to build policies that are consistently enforced whether the user is internal or remote. Security teams can apply all of the platform's capabilities for cyberattack prevention, including:
• App-ID™ technology – Identifies application traffic, regardless of port number, and enables organizations to establish policies to manage application usage based on users and devices.
• User-ID™ technology – Identifies users and group memberships for visibility as well as the enforcement of role-based network security policies.
• Decryption – Inspects and controls application traffic that is encrypted with SSL/TLS/SSH, and stops threats hidden within that encrypted traffic.
• WildFire™ cloud-based threat analysis service – Automates the analysis of content to identify new, previously unknown, and highly targeted malware by its behavior and generates the threat intelligence to stop it in near-real time.
• Threat Prevention for IPS and antivirus – Intrusion prevention blocks network-based exploits targeting vulnerable applications and operating systems, DoS attacks, and port scans. Antivirus profiles stop malware and spyware from reaching the endpoint using a stream-based engine.
• URL Filtering with PAN-DB – PAN-DB categorizes URLs based on their content at the domain, file and page level, and receives updates from WildFire so that when web content changes, so do categorizations.
• File Blocking – Stops the transfer of unwanted and dangerous files while further scrutinizing allowed files with WildFire.
• Data Filtering – Enables administrators to implement policies that can be used to stop the unauthorized movement of data, such as the transfer of customer information or other confidential content.

Identifying Users and Devices

User Authentication

GlobalProtect supports all of the existing PAN-OS® authentication methods, including Kerberos, RADIUS, LDAP, SAML 2.0, client certificates and a local user database. Once GlobalProtect authenticates the user, it immediately provides the next-generation firewall with a user-to-IP-address mapping for User-ID.

Strong Authentication Options

GlobalProtect supports a range of third-party, multi-factor authentication methods, including one-time password tokens, certificates and smart cards, through RADIUS integration. These options help organizations strengthen the proof of identity for access to internal data center or SaaS applications.

GlobalProtect has options to make strong authentication even easier to use and deploy:
• Cookie-based authentication: After authentication, an organization may choose to use an encrypted cookie for subsequent access to a portal or gateway for the lifetime of that cookie.
• Simplified certificate enrollment protocol support: GlobalProtect can automate the interaction with an enterprise PKI for managing, issuing and distributing certificates to GlobalProtect clients.

Host Information Profile

GlobalProtect checks the endpoint to get an inventory of how it's configured and builds a host information profile that's shared with the next-generation firewall. The next-generation firewall uses the host information profile to enforce application policies that only permit access when the endpoint is properly configured and secured. These principles help enforce compliance with policies that govern the amount of access a given user should have with a particular device.

Host information profile policies can be based on a number of attributes, including:
• Operating system and application patch level
• Host anti-malware version and state
• Host firewall version and state
• Disk encryption configuration
• Data backup product configuration
• Customized host conditions (e.g., registry entries, running software)

Control Access to Applications and Data

Security teams can establish policies based on application, user, content and host information to maintain granular control over access to a given application. These policies may be associated with specific users or groups defined in a directory to ensure that organizations provide the correct levels of access based on business need. The security team can further establish policies for step-up, multi-factor authentication in order to provide additional proof of identity before accessing particularly sensitive resources and applications.

Secure and Enabled BYOD

The effects of BYOD are changing the number of use case permutations that security teams need to support. It is necessary to provide access to applications to a broader spectrum of employees and contractors using a wide range of mobile devices.

Integration with mobile device management solutions, such as AirWatch® and MobileIron®, helps organizations deploy GlobalProtect as well as provide additional security measures through the exchange of intelligence and host configuration. When used in conjunction with GlobalProtect, the organization can maintain visibility and the enforcement of security policy on a per-app basis while maintaining data separation from personal activities to honor the user's expectations of privacy in BYOD scenarios.

GlobalProtect supports clientless SSL VPN for secure access to applications in the data center and the cloud from unmanaged devices. This approach offers convenience and security by providing access to specific applications through a web interface without requiring the user to install a client beforehand or set up a full tunnel.

Architecture Matters

The flexible architecture for GlobalProtect provides many capabilities that help organizations solve an array of security challenges. At the most basic level, organizations can use GlobalProtect as a replacement for the traditional VPN gateway, eliminating the complexity and headaches of administering a stand-alone, third-party VPN gateway.

Options for manual connections and gateway selection enable organizations to tailor the configuration to support business requirements as needed.

In a more comprehensive deployment for securing traffic, GlobalProtect can be deployed with an always-on VPN connection with a full tunnel, ensuring that protection is always present and transparent to the user experience.

Cloud-Based Gateways

Workforces shift from one location to another, creating changes in traffic load. This is especially true when considering how companies evolve, whether on a temporary basis (such as a natural disaster in a region) or a permanent one (such as entering new markets).

GlobalProtect cloud service provides a co-managed option for deploying coverage in the locations organizations need, using your security policies. It can be used in conjunction with existing firewalls, making your architecture adaptable to changing conditions.

GlobalProtect cloud service supports auto-scaling, which dynamically allocates new firewalls based on load and demand in a given region.

Conclusion

The protections provided by Palo Alto Networks Next-Generation Security Platform play a critical role in preventing breaches. Use GlobalProtect to extend the protection of the platform to users wherever they go. By using GlobalProtect, organizations can get consistent enforcement of security policy so that even when users leave the building, their protection from cyberattacks remains in place.
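The host information profile checks described in the Host Information Profile section (patch level, anti-malware, host firewall, disk encryption and customized conditions such as registry entries and running software), as an added example that is not Palo Alto Networks' code: a small posture-policy evaluator run over a constructed endpoint report. The report keys, the HipPolicy fields and the evaluate_hip function are assumptions for illustration; the real HIP objects and match conditions are configured on PAN-OS.

```python
# Added example, not Palo Alto Networks code: an illustrative host information
# profile (HIP) style check over the attribute categories the datasheet lists.
# Report keys, policy fields and the version format are assumptions.
from dataclasses import dataclass, field

def version_tuple(text):
    """'7.2.1' -> (7, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

@dataclass
class HipPolicy:
    """Minimum endpoint posture that must hold before access is permitted."""
    max_patch_age_days: int = 7                 # OS/application patch level
    min_anti_malware_version: str = "7.0.0"     # anti-malware version and state
    require_host_firewall: bool = True
    require_disk_encryption: bool = True
    required_processes: list = field(default_factory=list)  # custom condition
    required_registry: dict = field(default_factory=dict)   # custom condition

def evaluate_hip(report, policy):
    """Return (compliant, failed_checks); a missing attribute counts as a failure."""
    failed = []
    if report.get("patch_age_days", 10**9) > policy.max_patch_age_days:
        failed.append("patch-level")
    am = report.get("anti_malware", {})
    if am.get("state") != "running" or version_tuple(
            am.get("version", "0")) < version_tuple(policy.min_anti_malware_version):
        failed.append("anti-malware")
    if policy.require_host_firewall and report.get("host_firewall") != "running":
        failed.append("host-firewall")
    if policy.require_disk_encryption and report.get("disk_encryption") != "encrypted":
        failed.append("disk-encryption")
    if not set(policy.required_processes) <= set(report.get("running_processes", [])):
        failed.append("required-process")
    registry = report.get("registry", {})
    if any(registry.get(key) != value for key, value in policy.required_registry.items()):
        failed.append("registry-entry")
    return not failed, failed

# Constructed sample endpoint report (the inventory the app would collect).
SAMPLE_REPORT = {
    "patch_age_days": 3,
    "anti_malware": {"state": "running", "version": "7.2.1"},
    "host_firewall": "running",
    "disk_encryption": "encrypted",
    "running_processes": ["edr-agent.exe", "explorer.exe"],
    "registry": {r"HKLM\SOFTWARE\Example\Build": "2017.08"},
}
SAMPLE_POLICY = HipPolicy(required_processes=["edr-agent.exe"])
```

A firewall policy would then permit the application only when the first element is True, and the failed-check list gives the user-facing notification its reason.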
GlobalProtect Features

Category / Specification

VPN Connection
  IPsec
  SSL
  Clientless VPN
  Per-app VPN on Android™, iOS, Windows® 10
Gateway Selection
  Automatic selection
  Manual selection
  External gateway selection by source location
  Internal gateway selection by source IP
Connection Methods
  User login (always-on)
  On-demand
  Pre-login (always-on)
  Pre-login, then on-demand
Connection Mode
  Internal mode
  External mode
Layer 3 Protocols
  IPv4
  IPv6
Single Sign-On
  SSO (Windows credential provider)
  Kerberos SSO
Split-Tunneling
  Include routes
  Exclude routes
Authentication Methods
  SAML 2.0
  LDAP
  Client certificates
  Kerberos
  RADIUS
  Two-factor authentication
Host Information Profile Reporting, Policy Enforcement and Notifications
  Patch management
  Host anti-spyware
  Host antivirus
  Host firewall
  Disk encryption
  Disk backup
  Data loss prevention
  Customized host information profile conditions (e.g., registry entries, running software)
Multi-Factor Authentication
  Advanced authentication for sensitive resource access
Other Features
  User-ID
  IPsec to SSL VPN fallback
  Enforce GlobalProtect connection for network access
  SCEP-based automatic user certificate management
  Script actions that run before and after sessions
  Dynamic GlobalProtect app customization
  App configuration based on users, groups and/or operating systems
  Automatic internal/external detection
  Manual/automatic upgrade of GlobalProtect app
  Certificate selection by OID
  Block access from lost or stolen and unknown devices
  Smart card support for connection/disconnection
  Transparent distribution of trusted root CAs for SSL decryption
  Disable direct access to local networks
  Customizable welcome and help pages
  RDP connection to a remote client
MDM/EMM Integration
  AirWatch
  MobileIron
Management Tools and APIs
  Palo Alto Networks Next-Generation Security Platform, including physical (such as the PA-7000 Series, the PA-3000 Series and the PA-200) and virtual (VM-Series) form factors
  Microsoft InTune®
  GlobalProtect cloud service
GlobalProtect App Supported Platforms
  Microsoft® Windows and Windows UWP
  Apple® Mac® OS X®
  Apple iOS
  Google® Chrome® OS
  Android® OS
  Linux® supported using third-party VPNC and StrongSwan client
IPsec Xauth
  Apple iOS IPsec client
  Android OS IPsec client
GlobalProtect App Localization
  English
  Spanish
  German
  French
  Japanese
  Chinese
3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. globalprotect-ds-082817