Enforce GlobalProtect for Network Access


To reduce the security risk of exposing your enterprise when a user is off-premise, you can force users on endpoints running Windows 7 or Mac OS 10.9 and later releases to connect to GlobalProtect to access the network.
When this feature is enabled, GlobalProtect blocks all traffic until the agent is internal or connects to an external gateway. After the agent establishes a connection, GlobalProtect permits internal and external network traffic according to your security policy, thus subjecting the traffic to inspection by the firewall and security policy enforcement. This feature also prevents the use of proxies as a means to bypass the firewall and access the internet.
If users must connect to the network using a captive portal (such as at a hotel or airport), you can also configure a grace period that provides users enough time to connect to the captive portal and then connect to GlobalProtect.
Because GlobalProtect blocks traffic unless the GlobalProtect agent can connect to a gateway, we recommend that you enable this feature only for users that connect in User-logon mode. Keep in mind that if you configure the app to use User-logon mode and the user disables or disconnects GlobalProtect, they will still be able to connect to the network, because the enforcement feature only works while GlobalProtect is enabled. To prevent users from accessing the network without a GlobalProtect connection, make sure you do not allow users in User-logon mode to disable or disconnect GlobalProtect.
  1. Create or modify an agent configuration.
    1. Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a client configuration, or Add a new one.
    2. From the Agent tab, select the agent configuration you want to modify, or Add a new one.
    3. Select the App tab.
  2. Configure GlobalProtect to force all network traffic to traverse a GlobalProtect tunnel.
    In the App Configuration area, set Enforce GlobalProtect Connection for Network access to Yes. By default this option is set to No, meaning that users can still access the internet if GlobalProtect is disabled or disconnected.
  3. (Optional) To provide additional information, configure a traffic blocking notification message.
    The message can indicate the reason for blocking the traffic and provide instructions on how to connect, such as "To access the network, you must first connect to GlobalProtect". If you enable a message, GlobalProtect displays it when GlobalProtect is disconnected but detects that the network is reachable.
    1. In the App Configuration area, make sure Display Captive Portal Detection Message is set to Yes. The default is No.
    2. Specify the message text in the Captive Portal Detection Message field. The message must be 512 or fewer characters.
    3. To specify the amount of time the user has to authenticate with a captive portal, enter the Captive Portal Exception Timeout in seconds (default is 0; range is 0 to 3600). For example, a value of 60 means that the user must log in to the captive portal within one minute after GlobalProtect detects the captive portal. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and immediately blocks access.
    4. If you have a Captive Portal Detection Message enabled, the message appears 85 seconds before the Captive Portal Exception Timeout occurs. If the Captive Portal Exception Timeout is 90 seconds or less, the message appears 5 seconds after a captive portal is detected.
  4. Click OK twice to save the configuration and then Commit your changes.
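The following added example (not from the GlobalProtect documentation or the product) models the captive-portal timing rules in step 3 so an administrator can check, before committing, when the detection message appears and when traffic is blocked for a given Captive Portal Exception Timeout; it also enforces the documented limits (0 to 3600 seconds, 512-character message). It assumes that with a timeout of 0 no message is shown, since access is blocked immediately.

```python
"""Planner for the Captive Portal Exception Timeout behaviour described above."""
from dataclasses import dataclass
from typing import Optional

MAX_MESSAGE_CHARS = 512        # documented limit for the detection message
MAX_TIMEOUT_SECONDS = 3600     # documented range is 0 to 3600 seconds
MESSAGE_LEAD_SECONDS = 85      # message is shown 85 s before the timeout expires
SHORT_TIMEOUT_THRESHOLD = 90   # timeouts of 90 s or less use a fixed delay instead
SHORT_TIMEOUT_DELAY = 5        # ...of 5 s after the captive portal is detected


@dataclass(frozen=True)
class EnforcementTimeline:
    timeout_seconds: int
    message_at: Optional[int]   # seconds after detection the message is shown; None if never
    block_at: int               # seconds after detection that traffic is blocked


def validate_app_settings(timeout_seconds: int, message: Optional[str]) -> None:
    """Reject values the App Configuration form would not accept."""
    if not 0 <= timeout_seconds <= MAX_TIMEOUT_SECONDS:
        raise ValueError(f"timeout must be 0..{MAX_TIMEOUT_SECONDS} s, got {timeout_seconds}")
    if message is not None and len(message) > MAX_MESSAGE_CHARS:
        raise ValueError(f"message must be {MAX_MESSAGE_CHARS} or fewer characters")


def captive_portal_timeline(timeout_seconds: int, message: Optional[str]) -> EnforcementTimeline:
    """Return when the message is displayed and when access is blocked.

    `message` is None when Display Captive Portal Detection Message is set to No.
    """
    validate_app_settings(timeout_seconds, message)
    if timeout_seconds == 0:
        # Timeout 0: no captive-portal window, traffic blocked immediately.
        # Assumption: no message is displayed in this case.
        return EnforcementTimeline(0, None, 0)
    if message is None:
        return EnforcementTimeline(timeout_seconds, None, timeout_seconds)
    if timeout_seconds <= SHORT_TIMEOUT_THRESHOLD:
        message_at = SHORT_TIMEOUT_DELAY
    else:
        message_at = timeout_seconds - MESSAGE_LEAD_SECONDS
    return EnforcementTimeline(timeout_seconds, message_at, timeout_seconds)


if __name__ == "__main__":
    notice = "To access the network, you must first connect to GlobalProtect"
    for timeout in (0, 60, 120, 300):   # constructed sample values
        print(captive_portal_timeline(timeout, notice))
```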
