How to configure GlobalProtect tunnel mode for both SSLVPN and IPsec on the same gateway?

Created On 05/07/25 14:14 PM - Last Modified 07/25/25 20:05 PM


Objective


  • Configure GlobalProtect to use SSLVPN for specific users connecting through a Portal.
  • Other users are required to use the default IPsec method.
  • SSLVPN tunnel mode can be enforced using Portal App Settings, and the IPsec method using Gateway agent settings.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect (GP) App versions 6.3.0 and above
  • App/Content version 8846-8732 or higher
  • Windows or macOS clients

 



Procedure


  1. Create a specific Portal agent configuration for the users who should connect to GlobalProtect using SSLVPN.
  2. In the Portal > App Configuration area of that configuration, set "Advanced Control for Tunnel Mode behavior" to "Connect with SSL only".
  3. The rest of the users should have a different Portal agent configuration with "Advanced Control for Tunnel Mode behavior" set to "No".
  4. These users will connect to GlobalProtect using the default IPsec method.

    GUI: Network > GlobalProtect > Portals > [portal-name] > Agent > [agent-name] > App > Advanced Control for Tunnel Mode Behavior

  5. The "Config Selection Criteria" can be used to filter these users.

    GUI: Network > GlobalProtect > Portals > [portal-name] > Agent > [agent-name]

  6. Once the changes are committed, the tunnel information for users is displayed under GUI: Network > GlobalProtect > Gateways > [gateway-name] > Remote Users



Additional Information


  • This is only available on Windows and macOS as of this TOI (July 2024). Check the Compatibility Matrix.
  • Application/Content 8846-8732: This changes the name associated with the setting in the PAN-OS Gateway and adds the option for Connect with IPSec Only.
  • GP Version 6.3.0+: When using versions <6.3.0, a Gateway set to Connect with IPSec Only will use the User Can Change option.

