Global Protect Conditional Connect

Conditional Connect is a hidden configuration option within Global Protect. Defining it allows you to have an on-demand configuration for remote workers that will function like a User-Logon configuration when the user is on-network.

This is handy when you don’t want remote users to be “always-on” but want to take advantage of the Global Protect User-ID features while on-network.

To enable the conditional connect method, two items must be configured on the portal:

  • Internal Host Detection / Internal Gateway
  • The on-demand connect method for the endpoints

Windows Configuration

The Windows registry key is defined at:

[HKEY_LOCAL_MACHINE\Software\Palo Alto Networks\GlobalProtect\Settings]
"conditional-connect"=string:yes

You can use the following PowerShell commands (as Administrator) to set and verify the value:

Set-ItemProperty -Path "HKLM:\Software\Palo Alto Networks\GlobalProtect\Settings" -Name "conditional-connect" -Value "yes" -Type String
Get-ItemProperty -Path "HKLM:\Software\Palo Alto Networks\GlobalProtect\Settings" | Select-Object "conditional-connect"

MacOS Configuration

The MacOS plist value is defined within:

/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist

You can add and verify the value using the MacOS PlistBuddy tool:

sudo /usr/libexec/PlistBuddy -c "Add :'Palo Alto Networks':GlobalProtect:Settings:conditional-connect string yes" /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
sudo /usr/libexec/PlistBuddy -c "Print :'Palo Alto Networks':GlobalProtect:Settings" /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
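An idempotent form of the two PlistBuddy commands above, as an added example (not from the original post or from Palo Alto Networks): PlistBuddy's Add fails when the entry already exists, so this uses Set in that case and reads the value back afterwards. The function names, the "apply" argument and the PLIST/PLISTBUDDY override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent set-and-verify of conditional-connect on macOS.
# PLIST and PLISTBUDDY can be overridden from the environment (an assumption
# of this example, useful for trying it against a copy of the plist).
PLIST="${PLIST:-/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist}"
PLISTBUDDY="${PLISTBUDDY:-/usr/libexec/PlistBuddy}"
ENTRY=":'Palo Alto Networks':GlobalProtect:Settings:conditional-connect"

# Print the current value; a non-zero exit status means the entry is absent.
get_conditional_connect() {
    "$PLISTBUDDY" -c "Print $ENTRY" "$PLIST" 2>/dev/null
}

# Ensure the value is "yes". Prints unchanged, updated or added.
# Returns 1 if a write fails or the read-back does not match.
ensure_conditional_connect() {
    if current=$(get_conditional_connect); then
        if [ "$current" = "yes" ]; then
            echo "unchanged"
            return 0
        fi
        # Entry exists with another value: Add would fail here, so use Set.
        "$PLISTBUDDY" -c "Set $ENTRY yes" "$PLIST" >/dev/null || return 1
        action="updated"
    else
        "$PLISTBUDDY" -c "Add $ENTRY string yes" "$PLIST" >/dev/null || return 1
        action="added"
    fi
    # Read the value back rather than trusting the write.
    [ "$(get_conditional_connect)" = "yes" ] || return 1
    echo "$action"
}

# Run as root with the argument "apply" to change the real plist.
if [ "${1:-}" = "apply" ]; then
    ensure_conditional_connect
fi
```

The printed result (unchanged, updated or added) and the exit status make the script usable from a management tool that needs to report whether an endpoint was already compliant.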

The original reference is available at: Configure Conditional Connect Method Based on Network Type

DavisSystem

Consolidated Notes From the Desk of Sean Davis.


How to enable the Palo Alto Global Protect conditional connect method

By Sean, 2025-04-06