One of our use cases is that it is used by our internal users, our employees, when they need to work remotely. They'll be out in the field and, wherever they have an internet connection, they run the GlobalProtect client, connect, and they can access our resources as if they're in our building. For example, we have health inspectors who go to different sites.
Of course, we're doing more teleworking like everyone right now. Also, our admins all use it because that's how we get in and do remote work. And, periodically, we have contractors or vendors who need remote access. We'll build an account in AD and either have them download the client and connect to us, or if they currently use the GlobalProtect client for some other VPN connection, we can just provide our gateway and they can use their existing client to connect to the resources that we allow them.
We also have a clientless VPN by Palo Alto. It's a website where you can enter your AD credentials, and it will publish internal web apps that you can access through a browser. We have some users, and a set of contractors, who use that to access some of our internal systems for COVID response.
It's a cloud-based VPN, but it's managed from our Panorama instance, which is on-site. There's the GlobalProtect client that gets installed, that's the VPN client on your laptop, and that automatically updates from the cloud when a new version is available.