Hardware reference guide

GlobalProtect Administrator’s Guide
Set Up the GlobalProtect Infrastructure: Configure the GlobalProtect Portal
Step 2: Define what the end users with this configuration can do from the agent.

The settings on the Agent tab can also be configured in the end client via group policy by adding settings to the Windows Registry/Mac plist. On Windows systems, you can also set them using the msiexec utility from the command line during the agent installation. However, settings defined in the web interface or the CLI take precedence over Registry/plist settings. See Deploy Agent Settings Transparently for details.

Another option for specifying whether the agent should prompt the end user for credentials if Windows SSO fails is available through the Windows command line (MSIEXEC) or Windows Registry only. By default this Registry setting—can-prompt-user-credential—is set to yes. To modify this behavior, you must change the value in the Registry or during the agent installation via MSIEXEC:

    msiexec.exe /i GlobalProtect.msi CANPROMPTUSERCREDENTIAL="no"

For more information, see Deploy Agent Settings Transparently.

By default, the agent functionality is fully enabled (meaning all check boxes are selected). To remove functionality, clear the corresponding check box for any or all of the following options:

• If you want users to only be able to see basic status information from within the application, clear the Enable advanced view check box. By default, the advanced view is enabled, which allows end users to see detailed statistical, host, and troubleshooting information and perform tasks such as changing their passwords.

• If you want to hide the GlobalProtect agent on the end user systems, clear the Show GlobalProtect icon check box. When the icon is hidden, users cannot perform other tasks such as changing passwords, rediscovering the network, resubmitting host information, viewing troubleshooting information, or performing an on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs will still display as necessary for interacting with the end user.

• Clear the Allow user to change portal address check box to disable the Portal field on the Settings tab in the GlobalProtect agent. Because the user will then be unable to specify a portal to which to connect, you must supply the default portal address in the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal) or the Mac plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist with key Portal under dictionary PanSetup). For more information, see Deploy Agent Settings Transparently.

• If you do not want users to be able to save their passwords on the agent (that is, you want to force them to provide the password—either transparently via the user agent or by manually entering one—each time they connect), clear the Allow user to save password check box.

• To prevent users from performing a network rediscovery, clear the Enable Rediscover Network option check box.

• To prevent users from manually resubmitting HIP data to the gateway, clear the Enable Resubmit Host Profile option check box. This option is enabled by default, and is useful in cases where HIP-based security policy prevents users from accessing resources because it allows the user to fix the compliance issue on the computer and then resubmit the HIP.

• If you do not want the agent to establish a connection with the portal if the portal certificate is not valid, clear the Allow user to continue if portal certificate is invalid check box. Keep in mind that the portal provides the agent configuration only; it does not provide network access, and therefore security to the portal is less critical than security to the gateway. However, if you have deployed a trusted server certificate for the portal, deselecting this option can help prevent man-in-the-middle (MITM) attacks.

Customize the Agent (Continued)
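
Added example (not from the guide or from Palo Alto Networks): a pre-flight check to run on a Windows endpoint before clearing Allow user to change portal address and Allow user to continue if portal certificate is invalid. It reads the Portal value from the registry key named above and confirms that the portal's certificate validates against the machine trust store. The function names, and the assumption that Portal holds a bare host name reachable on TCP 443, belong to this example only.

```powershell
$ErrorActionPreference = 'Stop'

# Registry key and value name as given in this guide.
$PanSetupKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

# Hypothetical helper: returns the pre-deployed portal address, or $null if it is missing or empty.
function Get-ConfiguredPortal {
    $item = Get-ItemProperty -Path $PanSetupKey -Name 'Portal' -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrWhiteSpace($item.Portal)) { return $null }
    return $item.Portal.Trim()
}

# Hypothetical helper: TLS handshake with default validation (chain, dates, host name).
function Test-PortalCertificate {
    param(
        [Parameter(Mandatory)][string]$Portal,
        [int]$Port = 443   # assumption: portal listens on the default HTTPS port
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Portal, $Port)
    try {
        # No validation callback is supplied, so any certificate error fails the handshake.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($Portal)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            [pscustomobject]@{ Portal = $Portal; Valid = $true; Subject = $cert.Subject
                               NotAfter = $cert.NotAfter; Error = $null }
        } catch {
            [pscustomobject]@{ Portal = $Portal; Valid = $false; Subject = $null
                               NotAfter = $null; Error = $_.Exception.GetBaseException().Message }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

$portal = Get-ConfiguredPortal
if (-not $portal) {
    # With the Portal field disabled, the agent has no other source for the address.
    Write-Warning "No Portal value under $PanSetupKey; set it before disabling the Portal field."
    exit 1
}

$result = Test-PortalCertificate -Portal $portal
$result | Format-List
if (-not $result.Valid) {
    Write-Warning 'Portal certificate does not validate; agents would refuse to connect once invalid certificates are disallowed.'
    exit 2
}
```

A non-zero exit code makes the script usable as a gate in a software-deployment task that pushes the locked-down agent configuration.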