GlobalProtect Administrator's Guide
  • GlobalProtect Administrator's Guide
  • GlobalProtect Documentation
  • All Documentation
>
Captive Portal and Enforce GlobalProtect for Network Access
Focus
Download PDF
Focus
  1. Home
  2. GlobalProtect
  3. GlobalProtect Quick Configs
  4. Captive Portal and Enforce GlobalProtect for Network Access
Download PDF
GlobalProtect

Captive Portal and Enforce GlobalProtect for Network Access

Table of Contents

Captive Portal and Enforce GlobalProtect for Network Access

In most instances, mobile users connect to Wi-Fi networks on which a captive portal has been enabled, such as those used in coffee shops, airports, and hotels. Internet access becomes available only after users log in to the captive portal. Users can log in through a browser-based captive portal login page or OS-based captive portal assistant using identifiers such as a name and email address. With this configuration, you can limit the amount of time for which users can log in to the captive portal. If a user logs in successfully and the internet becomes reachable, the GlobalProtect app automatically establishes a connection. If a user fails to log in within the specified time period, all traffic will be blocked.
To further reduce the risk of exposing your network to security threats, you can also Enforce GlobalProtect for Network Access. When you enable this option, GlobalProtect blocks all network traffic until the app connects to a GlobalProtect gateway. All traffic is required to go through the VPN tunnel for inspection and policy enforcement, thereby enabling you to maintain full visibility and control over your users’ traffic.
Based on the presence of a captive portal and whether the GlobalProtect connection is required for network access, users must follow a specific workflow to access the network:
Captive Portal
Enforce GlobalProtectfor Network Access
Workflow
YesYes
If the GlobalProtect connection is required for network access, and your end users must also log in to a captive portal to access the internet, they must use the following steps to access the network:
  1. Connect to the Wi-Fi network.
    After you connect to the Wi-Fi network, GlobalProtect automatically detects the captive portal. If your administrator configures a captive portal detection message, the GlobalProtect app notifies you that you must log in to the captive portal to access the network.
    Administrators can also configure the amount of time after which the captive portal detection message is displayed.
  2. Use one of the following options to log in to the captive portal:
    • Open a web browser to log in through the captive portal login page.
    • Log in through the native captive portal assistant built in to the endpoint operating system (OS).
    If captive portal log in is successful, the internet becomes reachable and the GlobalProtect app connects automatically. If the app does not connect immediately, and your administrator configures a traffic blocking notification message to indicate that you must connect to GlobalProtect for network access, it displays this message until the connection is established.
    Administrators can also configure the amount of time after which the traffic blocking notification is displayed.
    If captive portal log in fails and the captive portal login page times out or if GlobalProtect is unable to establish a connection, you will be blocked from using the network. To re-initiate portal login and thereby re-trigger the captive portal login period, launch the GlobalProtect app and then select Refresh Connection from the app settings (
    ) menu.
YesNo
If your end users must log in to a captive portal to access the internet, but the GlobalProtect connection is not required for network access, they must use the following steps to access the network:
  1. Connect to the Wi-Fi network.
    After you connect to the Wi-Fi network, GlobalProtect automatically detects the captive portal.
  2. Use one of the following options to log in to the captive portal:
    • Open a web browser to log in through the captive portal login page.
    • Log in through the native captive portal assistant built in to the endpoint operating system (OS).
    If log in is successful and the internet becomes reachable, the GlobalProtect app connects automatically.
NoYes
If the GlobalProtect connection is required for network access, but your end users do not have to log in to a captive portal to access the internet, they must connect to the Wi-Fi network. As soon as the Wi-Fi is connected and internet is reachable, the GlobalProtect app connects automatically.
If the app does not connect immediately, and your administrator configures a traffic blocking notification message to indicate that you must connect to GlobalProtect for network access, it displays this message until the connection is established. If GlobalProtect is unable to establish a connection, you will be locked out of the network. You must re-initiate network discovery by disconnecting and then reconnecting to the Wi-Fi network, rebooting your endpoint, or refreshing the GlobalProtect connection.
Use the following steps to the customize captive portal settings and indicate whether the GlobalProtect connection is required for network access:
Configure the Enforce GlobalProtect for Network Access option only if you configure GlobalProtect with the Always On connect method.
  1. Set Up Access to the GlobalProtect Portal.
  2. Define the GlobalProtect Agent Configurations.
  3. Customize the GlobalProtect App.
    • To ensure that the GlobalProtect connection is always on, set the Connect Method to User-logon (Always On).
    • If your users must log in to a captive portal to access the internet, you can customize the captive portal settings by configuring the following options:
      • In the Captive Portal Exception Timeout (sec) field, enter the amount of time (in seconds) within which users can log in to the captive portal (range is 0 to 3600 seconds; default is 0 seconds). If users do not log in within this time period, the captive portal login page times out and users will be blocked from using the network.
      • To enable the GlobalProtect app to notify users when it detects a captive portal, set the Display Captive Portal Detection Message to Yes.
        • In the Captive Portal Notification Delay (sec) field, enter the amount of time (in seconds) after which the GlobalProtect app displays the captive portal detection message (range is 1 to 120 seconds; default is 5 seconds). GlobalProtect initiates this timer after the captive portal has been detected but before the internet becomes reachable.
        • Customize the Captive Portal Detection Message that displays when GlobalProtect detects a captive portal.
    • To force all network traffic to traverse the GlobalProtect VPN tunnel, configure the following options:
      • Set the Enforce GlobalProtect for Network Access option to Yes.
      • To enable the GlobalProtect app to notify users that the GlobalProtect connection is required for network access, set the Display Traffic Blocking Notification Message to Yes. The GlobalProtect app displays this message when the internet becomes reachable but before the GlobalProtect connection is established.
        • In the Traffic Blocking Notification Delay (sec) field, enter the amount of time (in seconds) after which the GlobalProtect app displays the traffic blocking notification message (range is 5 to 120 seconds; default is 15 seconds). GlobalProtect initiates this timer after the internet becomes reachable.
        • Customize the Traffic Blocking Notification Message that displays when the GlobalProtect connection is required for network access. This message must be 512 characters or less.
  4. Commit the changes.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.