1. No category

GlobalProtect Agent 3.1 Release Notes

GlobalProtect™ Agent 3.1.6 Release Notes
Revision Date: February 23, 2017
Review important information about Palo Alto Networks GlobalProtect agent 3.1 software, including new features introduced, workarounds for open issues, and issues that are addressed in GlobalProtect agent 3.1 releases. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal.
GlobalProtect Agent 3.1 Release Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Features Introduced in GlobalProtect Agent 3.1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Features Introduced in GlobalProtect Agent 3.1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Features Introduced in GlobalProtect Agent 3.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Features Introduced in GlobalProtect Agent 3.1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Changes to Default Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Changes to Default Behavior in 3.1.6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Changes to Default Behavior in 3.1.3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Changes to Default Behavior in 3.1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Changes to Default Behavior in 3.1.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Upgrade/Downgrade Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Associated Software Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
GlobalProtect Agent 3.1.6 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
GlobalProtect Agent 3.1.5 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
GlobalProtect Agent 3.1.4 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
GlobalProtect Agent 3.1.3 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
GlobalProtect Agent 3.1.2 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
GlobalProtect Agent 3.1.1 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
GlobalProtect Agent 3.1.0 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 1
Table of Contents
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Related Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Requesting Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Information

Features Introduced in GlobalProtect Agent 3.1.5

Features Introduced in GlobalProtect Agent 3.1.3

Features Introduced in GlobalProtect Agent 3.1.1

Features Introduced in GlobalProtect Agent 3.1.0

Changes to Default Behavior

Upgrade/Downgrade Considerations

Associated Software Versions

Known Issues

GlobalProtect Agent 3.1.6 Addressed Issues

GlobalProtect Agent 3.1.5 Addressed Issues

GlobalProtect Agent 3.1.4 Addressed Issues

GlobalProtect Agent 3.1.3 Addressed Issues

GlobalProtect Agent 3.1.2 Addressed Issues

GlobalProtect Agent 3.1.1 Addressed Issues

GlobalProtect Agent 3.1.0 Addressed Issues

Getting Help
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 3
Features Introduced in GlobalProtect Agent 3.1.5
GlobalProtect Agent 3.1 Release Information
Features Introduced in GlobalProtect Agent 3.1.5
The following table describes the new features introduced in the GlobalProtect agent 3.1.5 release. Feature
Description
Proxy Connection
Timeout
To improve connection time between GlobalProtect clients and portals and gateways when proxy servers are used, GlobalProtect now enforces a proxy connection timeout. This timeout value is based on TCP Connection Timeout which you can configure from a GlobalProtect portal agent configuration (default is 60 seconds; range is 1‐600 seconds). You can also configure this setting in the Windows registry or Mac plist (ConnectTimeout <seconds>). When the proxy server is unreachable and this timeout expires, GlobalProtect stops trying to reach the proxy server and proceeds with the portal or gateway connection. This is useful in situations where proxy servers are used internally but are not required for users that are roaming or are outside of the internal network because GlobalProtect can proceed with the connection when the (internal) proxy server is unreachable. 4 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Information
Features Introduced in GlobalProtect Agent 3.1.3 Features Introduced in GlobalProtect Agent 3.1.3
The following table describes the new features introduced in the GlobalProtect agent 3.1.3 release. Feature
Description
GlobalProtect App for
Windows 10 Phone
GlobalProtect now extends its coverage to Windows 10 Phone leveraging Windows 10 Universal Windows Platform (UWP) technology. Since the app supports UWP, the same app will run on Windows 10 devices including desktops, laptops, tablets and phones. Support requires PAN‐OS 6.1 with content release version 612 or later releases and a gateway subscription for each gateway that supports Windows 10 UWP devices.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 5
Features Introduced in GlobalProtect Agent 3.1.1
GlobalProtect Agent 3.1 Release Information
Features Introduced in GlobalProtect Agent 3.1.1
The following table describes the new features introduced in the GlobalProtect agent 3.1.1 release. Feature
Description
Enforce GlobalProtect
Connection for Network
Access
New app configuration options for the GlobalProtect app are available with PAN‐OS content release version 607 and later releases.
• You can now enable or disable the message users see when GlobalProtect detects a captive portal. By default Display Captive Portal Detection Message is set to No. Select Yes to enable the message. If you have a Captive Portal Detection Message enabled, the message appears 90 seconds before the Captive Portal Exception
Timeout occurs. If the Capture Portal Exception Timeout is 90 seconds or less, the message appears after a captive portal is detected.
• You can now enable or disable the message users see when traffic blocking occurs. By default Display Traffic Blocking Notification Message is set to Yes. Select No to disable the message. Support for iOS 10
GlobalProtect now supports iOS 10 in the following releases:
• GlobalProtect agent 3.0.2 and later 3.0 releases
• GlobalProtect agent 3.1.1 and later 3.1 releases
These agents require PAN‐OS 6.1 or a later release. Support for Mac OS
10.12
GlobalProtect now supports Mac OS 10.12 in GlobalProtect agent 3.1.1 and later 3.1 releases.
This agent requires PAN‐OS 6.1 or a later release. 6 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Information
Features Introduced in GlobalProtect Agent 3.1.0 Features Introduced in GlobalProtect Agent 3.1.0
The following table describes the new features introduced in the GlobalProtect agent 3.1.0 release. This release requires content release version 590 or later.
New Feature
Description
Pre-logon then
On-Demand Connect
Method
The new Pre‐logon then On‐demand connect method leverages existing pre‐logon functionality, which enables connectivity to the corporate network before the user logs in to the endpoint, and provides on‐demand functionality after the user logs in. With the on‐demand connect method, the user must launch the GlobalProtect agent to initiate a connection. The new connect method provides an alternative to the legacy pre‐logon connect method which provides always‐on functionality after the user logs in. This feature is supported on endpoints running Windows 7 or Mac OS 10.9 and later releases.
Enforce GlobalProtect
for Network Access
To better protect endpoints (running Windows 7 or Mac OS 10.9 and later releases) and reduce their risk of infection, you can now force users to connect to GlobalProtect before they can access the network. When this feature is enabled, GlobalProtect permits only the traffic required to establish the connection and blocks all other network traffic from the endpoint. After establishing a connection, GlobalProtect permits internal and external network traffic according to your security policy regardless of whether users are on or off the enterprise network. For access through captive portals (such as in hotels and airports), configure a delay to allow users enough time to connect to the captive portal before GlobalProtect begins blocking traffic. If you do not configure a delay, access to captive portals is blocked by default when the enforce GlobalProtect feature is enabled. Connection Behavior on On Windows endpoints, you can now customize the connection behavior when a user Smart Card Removal
disconnects a smart card containing a client certificate. By default, GlobalProtect retains the GlobalProtect tunnel when the user removes the smart card. For stricter smart card security requirements, you can change this behavior so that GlobalProtect disconnects the tunnel when the user removes the smart card.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 7
Changes to Default Behavior
GlobalProtect Agent 3.1 Release Information
Changes to Default Behavior

Changes to Default Behavior in 3.1.6

Changes to Default Behavior in 3.1.3

Changes to Default Behavior in 3.1.1

Changes to Default Behavior in 3.1.0
Changes to Default Behavior in 3.1.6
Traffic on a loopback interface is no longer blocked when you Enforce GlobalProtect for Network Access (Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App > App
Configurations) and GlobalProtect is not connected. This change allows local applications that use ports for internal communication to run without a GlobalProtect connection. Previously, applications using the loopback interface failed.
Changes to Default Behavior in 3.1.3
The default behavior of the GlobalProtect agent has changed so that the agent automatically clears the DNS cache on the endpoint after it establishes a tunnel. Previously, to flush the DNS cache, you needed to require endpoints to Update DNS Settings at Connect (Network > GlobalProtect > Portals > <GlobalProtect-portal-config> >
Agent > <agent-config> > App > App Configurations). This change compensates for a DNS query result that persisted in the DNS cache within Microsoft Windows, which caused some applications, such as Microsoft Outlook, to fail after GlobalProtect established a new VPN tunnel.
In GlobalProtect agent 3.1.3 and later releases, when you require endpoints to Update DNS Settings at Connect, GlobalProtect resets the DNS entry on the physical adapter to match the DNS server configuration of the GlobalProtect tunnel adapter so that both the tunnel adapter and the physical adapter use the same DNS entry. You should require endpoints to Update DNS Settings at Connect only when a DNS name fails to resolve or resolves incorrectly due to Microsoft Windows sending a DNS query to the DNS server configured on the physical adapter instead of on the GlobalProtect tunnel adapter.
The following example issues can be resolved by requiring endpoints to Update DNS Settings at Connect:


A tunnel is established but an internal DNS name fails to resolve.
A tunnel is established but some applications, such as Microsoft Outlook, are resolved to an internet DNS name instead of an internal DNS name because the internal DNS name and the internet DNS name are the same.
8 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Information
Changes to Default Behavior Changes to Default Behavior in 3.1.1
New app configuration defaults for the GlobalProtect app are available: 


The default message that users see when GlobalProtect detects a captive portal has changed. The new default is: GlobalProtect has temporarily permitted network access for you to
connect to the internet. Follow instructions from your internet provider. If
you let the connection time out, open GlobalProtect and click Connect to try
again. Also, the maximum allowable message size has increased from 256 characters to 512 characters. This change is available with PAN‐OS content release version 607 and later releases.
The default message users see when traffic blocking occurs (GlobalProtect is disconnected but detects that the network is reachable) has changed. The new default is: To access the network, you must
first connect to GlobalProtect. Also, the maximum allowable message size has increased from 256 characters to 512 characters. This change is available with PAN‐OS content release version 607 and later releases.
The default timeout value for connecting to GlobalProtect portals and gateways has changed. Previously, the default value for TCP Connection Timeout was 5 seconds. The new default is 60 seconds. This gives users with two‐factor authentication more time to log in. This change is available with PAN‐OS content release version 609 and later releases.
Changes to Default Behavior in 3.1.0




When you configure the connect method as on‐demand, the options that are available from the GlobalProtect home panel on Windows and Mac endpoints are now consistent with the options in the notification area (system tray). GlobalProtect now displays the Connect option until the tunnel is fully established and, after successfully connecting, displays the option to Disconnect the tunnel. Previously, you could not toggle between the two options regardless of the connection state. This change does not apply if the connect method is user‐logon or pre‐logon.
To prevent Windows and Mac users from inadvertently locking their accounts by repeatedly clicking Connect from the agent home screen (such as when not seeing an immediate response to their request), after a user initiates a connection request, GlobalProtect now deactivates the button. The button remains grayed‐out until GlobalProtect establishes the connection or identifies a disconnection or connection failure (such as a failure to authenticate). If the connection request is unsuccessful or GlobalProtect does not receive a valid status, the button returns to an active state after 30 seconds. The Rediscover Network option, which is available from the agent menu in the notification area (system tray), also exhibits the same behavior.
On Windows and Mac endpoints, the configuration of the Enable Advanced View option now determines whether the Status and Show Panel options are enabled or disabled (grayed out) in the notification‐area menu for the agent. When Enable Advanced View is set to Yes, GlobalProtect disables the Status option and enables the Show Panel option. When Enable Advanced View is set to No, GlobalProtect enables the Status option and disables the Show Panel option.
The internal host detection behavior of GlobalProtect when internal gateways are configured has changed. Now, when GlobalProtect performs a reverse DNS lookup and detects an internal endpoint, GlobalProtect immediately sets the status as internal. When this occurs, GlobalProtect changes the icon in the notification area (system tray) to a globe with a house and proceeds to authenticate to internal gateways in the background. Previously, GlobalProtect spun the icon while trying to authenticate to internal gateways and required a successful connection to at least one gateway before it would update the status to internal.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 9
Changes to Default Behavior


GlobalProtect Agent 3.1 Release Information
The logic for the Maximum Internal Gateway Connection Attempts feature has been enhanced. With this enhancement, GlobalProtect sends host information to any internal gateways to which it can authenticate during the retry attempt. GlobalProtect continues to authenticate to any internal gateways that were previously unreachable until the number of retry attempts is exhausted or GlobalProtect successfully connects to all the internal gateways. Previously, GlobalProtect would wait to send host information to reachable internal gateways until the retry attempts were exhausted. This change enables GlobalProtect to send the most up‐to‐date host information to available gateways without delays caused by unreachable gateways.
When the Show Advanced View option is enabled for Windows and Mac endpoints and a user launches GlobalProtect from either the Start menu (Windows only) or notification area (system tray), the agent now always opens to the Home tab. Previously, the agent could open up to a different tab. This change ensures users always have the same experience every time they launch the app.
10 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Information
Upgrade/Downgrade Considerations Upgrade/Downgrade Considerations
This section lists the features that have upgrade or downgrade impacts. Make sure you understand all potential issues before you upgrade to or downgrade from GlobalProtect Agent 3.1.5.
On Windows endpoints, if you Enforce GlobalProtect for Network Access in a GlobalProtect portal agent configuration and then you upgrade from an earlier 3.x release of GlobalProtect Agent to GlobalProtect Agent 3.1.5, the installation can fail and the enforcement configuration continues to block all traffic. This issue is caused by an OS limitation that occurs when multiple Microsoft installer (msiexec.exe)instances are running at the same time on the Windows endpoint. Use the following procedure to correct the installer conflict.
Fix an Installer Conflict on Windows Endpoints
Step 1
Restart the endpoint.
Use the Programs > Restart command to reboot your Windows endpoint.
Step 2
Stop all third party installers that are running in the background.
1.
Press Ctrl+Alt+Delete and Start the Task Manager.
2.
In the Task Manager, find any third‐party msiexec programs that are currently running (for example, msiexec command
line - Google Search).
3.
Select the third party installer and click End Task to stop it.
1.
If necessary, install the older, existing version of GlobalProtect to repair it. This step is necessary if the upgrade continues to fail.
2.
Allow the upgrade to proceed as expected.
Step 3
Restore the existing version of GlobalProtect, then upgrade.
Associated Software Versions
For additional information about supported operating systems and to see where you can install the GlobalProtect app, see GlobalProtect compatibility information in the Palo Alto Networks® Compatibility Matrix.
Software
Minimum Supported Version
PAN-OS
PAN‐OS 6.1 and later releases for GlobalProtect gateways
PAN‐OS 7.1 and later releases for GlobalProtect portals
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 11
Known Issues
GlobalProtect Agent 3.1 Release Information
Known Issues
The following list describes known issues in the GlobalProtect Agent 3.1 release:
Starting with GlobalProtect agent 3.1.3, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product‐specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID
GPC-3904
Description
Due to an issue with the packaging of the GlobalProtect agent software, GlobalProtect agent 3.1.4 is not recommended for Windows or Mac endpoints.
GlobalProtect agent 3.1.5 on Windows endpoints does not reconnect to the GlobalProtect This issue is now resolved. gateway after a Windows update if you enable Update DNS Settings at Connect (Network
See GlobalProtect Agent > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> >
App > App Configurations). This issue occurs because the agent does not restore the 3.1.6 Addressed Issues.
automatic DNS configuration.
If you do not require your Windows endpoints to Update DNS Settings at Connect, we recommend you disable this setting in your GlobalProtect configuration. If this update is required, then we recommend you do not use GlobalProtect agent 3.1.4 or 3.1.5.
GPC-3903
GPC-3860
A corrupt tray‐icon cache In Microsoft Windows sometimes causes Windows Explorer to crash when the GlobalProtect icon changes, such as from connected to disconnected. This is a known issue for the Windows operating system.
Workaround: To clean up the tray icon cache, create a batch file with the following commands and then run the batch file on your Windows endpoint:
taskkill /im explorer.exe /f
reg delete "HKCU\Software\Classes\Local
Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" /v IconStreams /f
reg delete "HKCU\Software\Classes\Local
Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" /v PastIconsStream /f
start "Shell Restarter" /d "%systemroot%" /i /normal explorer.exe
GPC-3827
When authenticating to GlobalProtect on a Mac endpoint, the Authentication dialog does not respond to keyboard inputs if you open the GlobalProtect tab while the Authentication dialog is displayed on the screen. Workaround: Move the Authentication dialog or double‐click GlobalProtect Login at the top of the authentication prompt. Alternatively, select Cancel and relaunch the authentication attempt.
GPC-3605
On Windows 10 UWP endpoints, the wrong button name appears when a VPN tunnel is established between the endpoint and a firewall gateway: NETWORK & INTERNET > VPNs shows Remove instead of Disconnect.
Workaround: Select Remove to disconnect the tunnel. GPC-3604
Windows 10 UWP endpoints do not support UDP connections. You cannot use IPSec to secure VPN tunnels between UWP endpoints and firewall gateways.
Workaround: Use SSL to secure the VPN tunnels.
12 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Information
Issue ID
Known Issues Description
The GlobalProtect agent on Windows endpoints does not reconnect to the GlobalProtect This issue is now resolved. gateway after the endpoint experiences a crash or hard reboot if you enable the Update
See GlobalProtect Agent DNS Settings at Connect option (Network > GlobalProtect > Portals >
<GlobalProtect-portal-config> > Agent > <agent-config> > App > App Configurations). 3.1.5 Addressed Issues.
This issue occurs because the agent does not restore the automatic DNS configuration. If your GlobalProtect deployment uses the Update DNS Settings on Connect option for Windows endpoints, disable this setting. GPC-3431
GPC-3369
On Windows 10 UWP endpoints, after a user successfully connects to the GlobalProtect portal for the first time, subsequent attempts to connect fail with error code 602. This issue occurs when you configure the GlobalProtect app to Save Username Only as the Save User Credentials option in a GlobalProtect portal agent configuration (Network >
GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> >
Authentication).
GPC-3321
On Windows 10 UWP endpoints, when you configure the gateway with WINS server addresses, the GlobalProtect app connects to the gateway but fails to install the server address on the endpoint. This issue occurs because the Windows UWP framework does not support WINS servers.
Workaround: Configure the gateway to use only DNS servers.
GPC-3317
On Windows 10 UWP endpoints, app sharing can stop working when a VPN tunnel connection is active. This disables the GlobalProtect Email Logs feature and prevents users from automatically collecting log flies to send in email.
Workaround: Disconnect the VPN tunnel (NETWORK & INTERNET > VPNs) and restart the GlobalProtect application.
GPC-3303
The GlobalProtect app for Windows 10 UWP fails to establish a connection to gateways that use RSA server certificates with 512 bits. This occurs because Microsoft no longer supports MD5 for server authentication and blocks RSA keys smaller than 1,024 bits.
Workaround: Use RSA server certificates with 1,024, 2,048, or 3,074 bits and SHA256.
GPC-2874
When you Disconnect from GlobalProtect on a Windows 10 UWP endpoint, the Connect button becomes active immediately; however, GlobalProtect fails to establish a new connection if you attempt to connect within 10 seconds of the previous disconnection.
Workaround: To prevent connection issues, wait at least 10 seconds after you disconnect from GlobalProtect before you attempt to reconnect.
(92586)
If you Enforce GlobalProtect for Network Access and specify the Pre-logon (Always On) This issue is now resolved. connect method in a GlobalProtect portal agent configuration, the agent correctly starts See GlobalProtect Agent up in pre‐logon mode after a reboot and attempts to establish a VPN tunnel. However, if the agent fails to create a pre‐logon tunnel and a user who disabled the agent before the 3.1.1 Addressed Issues.
reboot logs back in to the endpoint, traffic is blocked even though the agent correctly displays disabled status for that user.
Workaround: Enable and disable the GlobalProtect agent.
98552
97299
© Palo Alto Networks, Inc.
If you Enforce GlobalProtect for Network Access and you specify the On-demand connect method in a GlobalProtect portal agent configuration, the agent will not display the traffic blocking notification message until after users connect to the portal. To ensure that the GlobalProtect agent displays the traffic blocking notification as soon as a user logs in to the endpoint, use the User-logon or a Pre-logon connect method instead of the On-demand method.
GlobalProtect Agent 3.1 Release Notes • 13
Known Issues
Issue ID
GlobalProtect Agent 3.1 Release Information
Description
After an upgrade to GlobalProtect 3.1 and content release version 590‐3397, the OPSWAT OESIS Framework SDK will correctly recognize the Code42 CrashPlan disk This issue is now resolved.
See GlobalProtect Agent backup software. However, when you specify this in a HIP object on the firewall (Objects
> GlobalProtect > HIP Objects > <object> > Disk Backup), the vendor name for Code42 in 3.1.1 Addressed Issues.
the drop‐down is CodeFortyTwo Software, which is recognized only by GlobalProtect agents running on Windows endpoints; Mac endpoints report a different vendor name for Code42 (Code42 Software), which will fail to match the HIP object configured on the firewall.
96170
95722
If you Enforce GlobalProtect for Network Access in a GlobalProtect portal agent configuration and then you downgrade from a GlobalProtect agent 3.1 release to GlobalProtect agent 3.0 or an earlier release on Mac endpoints, the enforcement configuration is not removed and continues to block all traffic. To avoid this issue, Palo Alto Networks recommends that you uninstall the GlobalProtect agent completely and then install the appropriate older GlobalProtect agent release.
82686
Modified app data restriction configuration values are not pushed to GlobalProtect agents when running in the Android for Work environment if modifying and pushing the configuration from an AirWatch MDM server.
Workaround: On the MDM server, delete the app data restriction you need to modify and then add it back in with the new value.
80783
When you configure GlobalProtect to run a custom script before or after establishing the connection or before disconnecting the connection, environment variables for command and file registry keys used in those scripts are resolved to incorrect paths. This occurs after you upgrade from one GlobalProtect agent 2.3 release to another or to a GlobalProtect agent 3.0 release.
80782
When you configure GlobalProtect to run a custom script after establishing a connection and display a notification message when an error occurs, the notification errors do not clear as expected when GlobalProtect switches from an external gateway to an internal gateway. As a result, users must manually dismiss the notification each time they switch between gateways.
71662
On Android 5.0, when you uninstall and reinstall the GlobalProtect app on a device, the app fails to establish a VPN tunnel during the initial attempt to connect to the external gateway. This issue occurs even after the user gives consent to trust the app to create VPN connections.
Workaround: Reboot the device, launch the GlobalProtect app, and accept the request for user’s consent when prompted to trust the app and allow it to establish a VPN tunnel to the gateway.
61720
By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP‐100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic—including traffic to the GP‐100 GlobalProtect Mobile Security Manager—to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (In PAN‐OS 7.0: Network > GlobalProtect > Gateways > Client
Configuration > Network Settings > Access Route; or, in PAN‐OS 7.1: Network >
GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings >
<client-settings-config> > Network Settings > Access Route):
• Add 0.0.0.0/0 as an access route.
• Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.
14 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1.6 Addressed Issues
The following table lists the issues that are fixed in the GlobalProtect™ agent 3.1.6 release. For new features introduced in GlobalProtect agent 3.1, known issues, and changes in default behavior, see the GlobalProtect Agent 3.1 Release Information.
Issue Identifier
Description
GPC-3976
Fixed an issue with two‐factor authentication using one‐time passwords (OTPs) where users were unable to log in to GlobalProtect due to a portal refresh during gateway authentication.
GPC-3959
Fixed an issue with GlobalProtect gateway hostname resolution for proxied clients that prevented successful connections to gateways. With this fix, the GlobalProtect client resolves gateway hostnames as expected and successfully connects proxied clients to the gateway.
GPC-3909
Fixed an issue where the GlobalProtect agent was unable to use a client‐side certificate stored on the Gemalto SafeNet eToken for client certificate authentication.
GPC-3903
Fixed an issue where the GlobalProtect agent on Windows endpoints did not reconnect to the GlobalProtect gateway after a Windows update if you configured endpoints to Update DNS Settings at Connect (Network > GlobalProtect > Portals >
<GlobalProtect-portal-config> > Agent > <agent-config> > App > App
Configurations).
GPC-3889
Fixed an issue where Internal Host Detection did not work if you configured Pre-logon then On-demand as the connect method (Network > GlobalProtect >
Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App > App
Configurations). With this fix, when using the Pre-logon then On-demand connect method, the GlobalProtect app correctly detects when a host is internal and, as a result, does not attempt to set up a pre‐logon tunnel when the endpoint is connected to the corporate network.
GPC-3884
Fixed an issue with Single Sign‐On (SSO) on Windows 8.1 where endpoint users were required to click multiple times on the GlobalProtect agent sign‐in icon before they could select it.
GPC-3857
Fixed an issue where, if you Enforce GlobalProtect for Network Access in the GlobalProtect portal configuration (Network > GlobalProtect > Portals >
<GlobalProtect-portal-config> > Agent > <agent-config> > App > App
Configurations), the GlobalProtect agent blocked re‐transmission of client DHCP requests with the same Transaction ID as the initial request (such as when re‐transmitting the request after failing to receive a response from the server to the initial request). This issue was encountered only in unstable or other environments that require more than one DHCP request before receiving a response from the server.
GPC-3545
Fixed an issue where the GlobalProtect host information profile (HIP) did not correctly evaluate Last Full Scan Time for Norton Security antivirus software.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 15
GlobalProtect Agent 3.1.6 Addressed Issues
Issue Identifier
Description
GPC-3431
Fixed an issue where the GlobalProtect agent on a Windows endpoint could not reconnect to GlobalProtect after the endpoint experienced a crash or hard reboot if you required endpoints to Update DNS Settings at Connect (Network >
GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config>
> App > App Configurations). This issue occurred because the agent could not restore the automatic DNS configuration.
16 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1.5 Addressed Issues
The following table lists the issues that are fixed in the GlobalProtect™ agent 3.1.5 release. For new features introduced in GlobalProtect agent 3.1, known issues, and changes in default behavior, see the GlobalProtect Agent 3.1 Release Information.
Issue Identifier
Description
GPC-3812
Fixed an issue where the GlobalProtect agent on a Windows endpoint stopped responding during a flush DNS at the same time machine was shutting down.
GPC-3781
Fixed an issue where the GlobalProtect agent on a Windows endpoint stopped responding if you enabled the Update DNS Settings at Connect GlobalProtect portal agent configuration (Network > GlobalProtect > Portals > <GlobalProtect-portal-config> >
Agent > <agent-config> > App > App Configurations) and the endpoint shut down or went into standby mode.
GPC-3765
Fixed an issue with a memory leak on a GlobalProtect agent on a Windows endpoint.
GPC-3762
Fixed an issue where the GlobalProtect agent on a Windows endpoint stopped responding when the user attempted to authenticate using a client certificate stored on a Gemalto smart card.
GPC-3590
Fixed an issue where the GlobalProtect agent on a Mac endpoint stopped responding during tunnel disconnect and then restarted.
GPC-3577
Fixed an issue where connection time was delayed for a GlobalProtect agent on Windows endpoints when the proxy auto‐configuration (PAC) file—referenced by Internet Explorer—was unavailable.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 17
GlobalProtect Agent 3.1.5 Addressed Issues
18 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1.4 Addressed Issues
The following table lists the issues that are fixed in the GlobalProtect™ agent 3.1.4 release. For new features introduced in GlobalProtect agent 3.1, known issues, and changes in default behavior, see the GlobalProtect Agent 3.1 Release Information.
Issue Identifier
GPC-3904
© Palo Alto Networks, Inc.
Description
Due to an issue with the packaging of the GlobalProtect agent software, GlobalProtect agent 3.1.4 is not recommended for Windows and Mac endpoints.
GlobalProtect Agent 3.1 Release Notes • 19
GlobalProtect Agent 3.1.4 Addressed Issues
20 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1.3 Addressed Issues
The following table lists the issues that are fixed in the GlobalProtect™ agent 3.1.3 release. For new features introduced in GlobalProtect agent 3.1, known issues, and changes in default behavior, see the GlobalProtect Agent 3.1 Release Information.
Do not upgrade to GlobalProtect agent 3.1.3 if your GlobalProtect deployment uses the Update DNS Settings on
Connect configuration for Windows endpoints. Refer to Known Issue GPC‐3431. Customers who do not enable Update DNS Settings on Connect may upgrade to GlobalProtect agent 3.1.3 as necessary.
Starting with GlobalProtect agent 3.1.3, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product‐specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue Identifier
Description
GPC-3601
Fixed an issue with the GlobalProtect agent on Mac OS X Sierra endpoints where the agent failed to connect to the gateway if the Root CA of the GlobalProtect gateway certificate was not installed and trusted in the OS X Keychain.
GPC-3472
Fixed an issue where the GlobalProtect agent could not connect to a gateway when the gateway and the portal use certificate profiles that require different client certificates.
GPC-3469
Fixed an issue where the GlobalProtect agent on a Mac OS X endpoint failed to reauthenticate to GlobalProtect after the endpoint briefly lost WiFi connectivity.
GPC-3402
Fixed an issue where the GlobalProtect agent did not pre‐populate the username field with domain and username for gateway authentication when the gateway was manually selected
GPC-3379
Fixed an issue where upgrading the GlobalProtect agent on a Windows 10 endpoint failed, and the GlobalProtect driver did not install and uninstall correctly.
GPC-3377
Fixed an issue where GlobalProtect single‐sign on (SSO) failed when the user logged on to an endpoint using Windows Remote Desktop (RDP).
GPC-3372
Fixed an issue on Windows endpoints where, after upgrading the GlobalProtect agent from 2.3.3, 2.3.4 or 2.3.5 to a GlobalProtect agent 3.1 release, portal information disappeared when the portal IP was deployed using the MSI installer (msiexec).
GPC-3363
Fixed an issue where, if you enabled the Update DNS settings on connect GlobalProtect feature (Network > GlobalProtect > Portals > <GlobalProtect‐portal‐config> > Agent >
<agent‐config> > App), and then physically disabled and then enabled the WiFi adapter on the endpoint, the DNS configuration on the endpoint was lost and the user could not access websites.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 21
GlobalProtect Agent 3.1.3 Addressed Issues
Issue Identifier
Description
GPC-3344
Fixed an issue where the GlobalProtect agent launched software on the endpoint even though an administrator had configured GlobalProtect to exclude the product or the software vendor in the antivirus and antispyware categories. With this fix, software will not launch on the endpoint if the product or vendor are excluded in the GlobalProtect configuration.
GPC-3306
Fixed an issue where the GlobalProtect agent showed an Authentication Failed message and prompted the user to enter credentials on the initial connection to the GlobalProtect Portal. With this fix Authentication Failed message does not display because the agent has not made an actual attempt to authenticate.
GPC-3228
Fixed an issue where the GlobalProtect agent on Windows endpoints experienced inconsistent connections and connection timeouts in pre‐logon tunnel setup.
GPC-2973
Fixed an issue where the GlobalProtect agent HIP check did not detect Malwarebytes anti‐spyware software installed on the endpoint.
22 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1.2 Addressed Issues
The following table lists the issues that are fixed in the GlobalProtect™ agent 3.1.2 release. For new features introduced in GlobalProtect agent 3.1, known issues, and changes in default behavior, see the GlobalProtect Agent 3.1 Release Information.
Do not upgrade to GlobalProtect agent 3.1.2 if your GlobalProtect deployment uses the Update DNS Settings on
Connect configuration for Windows endpoints. Refer to Known Issue GPC‐3431. Customers who do not enable Update DNS Settings on Connect may upgrade to GlobalProtect agent 3.1.2 as necessary.
Issue Identifier
Description
100000
Fixed an issue where, if you required a DNS flush on the endpoint after the agent connected, you had to enable the Update DNS Settings on Connect configuration in GlobalProtect (Network > GlobalProtect > Portals > <GlobalProtect‐portal‐config> > Agent
> <agent‐config> > App). When enabled, this configuration instructed the agent to overwrite the physical adapter DNS configuration after establishing a tunnel connection, which is generally not desirable behavior. With this fix, the default behavior has changed so that the GlobalProtect agent always performs a flush of the DNS cache after a tunnel connection is established, and the Update DNS Settings on Connect configuration is not required. You should only enable the Update DNS Settings on Connect configuration if you want to set the VPN‐provided DNS server on all physical interfaces after the tunnel is setup so that DNS queries must go to the tunnel DNS server under all circumstances.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 23
GlobalProtect Agent 3.1.2 Addressed Issues
24 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1.1 Addressed Issues
The following table lists the issues that are fixed in the GlobalProtect™ agent 3.1.1 release. For new features introduced in GlobalProtect agent 3.1, known issues, and changes in default behavior, see the GlobalProtect Agent 3.1 Release Information.
Do not upgrade to GlobalProtect agent 3.1.1 if your GlobalProtect deployment uses the Update DNS Settings on
Connect configuration for Windows endpoints. Refer to Known Issue GPC‐3431. Customers who do not enable Update DNS Settings on Connect may upgrade to GlobalProtect agent 3.1.1 as necessary.
Issue Identifier
Description
102333
Fixed an issue where the GlobalProtect agent automatically reconnected after being disabled on Mac OS X endpoints.
102244
Fixed an issue for GlobalProtect agents on endpoints running a non‐English version of Windows where the agent could not restore previously saved DNS settings because the agent incorrectly saved the initial network interface DNS information. This issue occurred when you configured the option Update DNS Settings at Connect on the firewall (Network > GlobalProtect > Portals > <GlobalProtect‐portal‐config> > Agent >
<agent‐config> > App).
101614
Fixed an issue where the GlobalProtect agent on an endpoint with common access card (CAC) authentication failed to trigger network discovery after coming out of sleep mode.
101563
Fixed an issue where, if you used the RDP Connection to a Remote Client, the GlobalProtect agent icon displayed the message Connecting even though the agent was already connected.
100669
A security‐related change was made to address CVE‐2016‐2105, CVE‐2016‐2106, CVE‐2016‐2107, CVE‐2016‐2109, and CVE‐2016‐2176 (PAN‐SA‐2016‐0023).
100589
Fixed an issue on the GlobalProtect agent where, if you enabled No direct access to local
network on the firewall under Network > Gateways > Agent > Client > Network Settings, the agent on a Mac endpoint failed to connect to the GlobalProtect gateway. With this fix and a restart of the endpoint after installation, the agent connects as expected. 100164
Fixed an issue where GlobalProtect did not honor the Simple Certificate Enrollment Protocol (SCEP) certificate delivered via GlobalProtect portal. This happened when the portal was not reachable during authentication or configuration refresh and GlobalProtect app used the cached portal configuration to connect.
99679
Fixed an issue where the Japanese language interface on Windows 7 displayed invalid characters in the LDAP password expiration message.
99261
Fixed an issue where the GlobalProtect agent presented authentication prompts from both the GlobalProtect portal and the GlobalProtect gateway at the same time. With the fix, only one prompt is active at a time.
99230
Fixed an issue on Mac endpoints where some GlobalProtect agent user interface elements appeared in English instead of Japanese, German, Spanish or French, or where the elements were translated incorrectly.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 25
GlobalProtect Agent 3.1.1 Addressed Issues
Issue Identifier
Description
99200
Fixed an issue in the GlobalProtect agent where there was a misspelling in the error message displayed by the agent when you unplugged a common access card (CAC).
98568
Fixed an issue in the French version of the Mac OS X GlobalProtect client where the context menu displayed the string Soumettre à nouveau les infos de l'hôte with incorrect characters.
98552
Fixed an issue where, if you enabled Enforce GlobalProtect Connection for Network Access and specified the Pre-logon (Always On) connect method in a GlobalProtect portal agent configuration, the agent correctly started up in pre‐logon mode after a reboot and attempted to establish a VPN tunnel. However, if the agent failed to create a pre‐logon tunnel and a user disabled the agent before the reboot logged back in to the endpoint, traffic is blocked even though the agent correctly displayed disabled status for that user.
98483
Fixed an issue where the user provided the GlobalAgent portal address, username, and password in the GlobalProtect agent user interface, but the agent sent blank credentials to the portal, causing authentication to fail.
98361
Fixed an issue where, after you upgraded to GlobalProtect 3.0 and content release version 586‐3361, the OPSWAT OESIS Framework SDK correctly recognized the CylancePROTECT antivirus software installed on the endpoint. However, if you specified this in a HIP object on the firewall (Objects > GlobalProtect > HIP Objects > <object> > Antivirus), the vendor name for CylancePROTECT in the drop‐down was Cylance Protect Software, which was recognized only by GlobalProtect agents running on Windows endpoints; Mac endpoints reported the vendor name as "CylancePROTECT", which failed to match the HIP object configured on the firewall.
96170
Fixed an issue where, after you upgraded to GlobalProtect 3.0 and content release version 590‐3397, the OPSWAT OESIS Framework SDK correctly recognized the Code42 CrashPlan disk backup software. However, if you specified this in an HIP object on the firewall (Objects > GlobalProtect > HIP Objects > <object> > Disk Backup), the vendor name for Code42 in the drop‐down was CodeFortyTwo Software, which was recognized only by GlobalProtect agents running on Windows endpoints; Mac endpoints reported a different vendor name for Code42 (Code42 Software), which failed to match the HIP object configured on the firewall.
26 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1.0 Addressed Issues
The following table lists the issues that are fixed in the GlobalProtect™ agent 3.1.0 release. For new features introduced in GlobalProtect agent 3.1, known issues, and changes in default behavior, see the GlobalProtect Agent 3.1 Release Information.
Do not upgrade to GlobalProtect agent 3.1.0 if your GlobalProtect deployment uses the Update DNS Settings at
Connect configuration for Windows endpoints. Refer to Known Issue GPC‐3431. Customers who do not enable Update DNS Settings at Connect may upgrade to GlobalProtect agent 3.1.0 as necessary.
Issue Identifier
Description
97088
Fixed an issue where the GlobalProtect agent failed to open automatically following installation of the agent on Windows endpoints. With this fix, the GlobalProtect agent now opens automatically if the portal field is empty or the connect method is user‐logon (default). If you pre‐deployed the portal address value or if the connect‐method is set to on‐demand (through the registry), the GlobalProtect agent still, as expected, does not open automatically.
97042
A security‐related fix was made to address a privilege escalation issue on the GlobalProtect agent for Mac clients (PAN‐SA‐2016‐0017).
96829
Fixed an issue where users received an error message when using remote desktop protocol (RDP) to log in to an endpoint remotely when that endpoint was running Windows 7 with GlobalProtect agent 3.0 and when Interactive logon: do not display last
username is enabled for the local security policy on that Windows 7 endpoint.
95512
Fixed an issue where the Dell KACE patch management software was not recognized by the GlobalProtect agent on Mac OS clients.
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 27
GlobalProtect Agent 3.1.0 Addressed Issues
28 • GlobalProtect Agent 3.1 Release Notes
© Palo Alto Networks, Inc.
Getting Help
The following topics provide information on where to find out more about our products and how to request support:

Related Documentation

Requesting Support
Related Documentation
Refer to the following documents on the Technical Documentation portal at https://www.paloaltonetworks.com/documentation for more information on our products:


For information on GlobalProtect™, including information on how to Deploy the GlobalProtect Agent Software, refer to the GlobalProtect Administrator’s Guide.
For other related content, including Knowledge Base articles and videos, search the Technical Documentation Portal. Requesting Support
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: [email protected].
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact‐support
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016–2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: February 23, 2017
© Palo Alto Networks, Inc.
GlobalProtect Agent 3.1 Release Notes • 29

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz