GlobalProtect
Enforce GlobalProtect for Network Access
End-of-Life (EoL)
To reduce the security risk of exposing your enterprise when a user is off-premises, you can force users on endpoints running Windows 7 or Mac OS 10.9 and later releases to connect to GlobalProtect to access the network.
When this feature is enabled, GlobalProtect blocks all traffic until the agent is internal or connects to an external gateway. After the agent establishes a connection, GlobalProtect permits internal and external network traffic according to your security policy, thus subjecting the traffic to inspection by the firewall and security policy enforcement. This feature also prevents the use of proxies as a means to bypass the firewall and access the internet.
If users must connect to the network using a captive portal (such as at a hotel or airport), you can also configure a grace period that provides users enough time to connect to the captive portal and then connect to GlobalProtect.
Because GlobalProtect blocks traffic unless the GlobalProtect agent can connect to a gateway, we recommend that you enable this feature only for users that connect in User-logon or Pre-logon modes.
- Configure the GlobalProtect portal.
- Create or modify an agent configuration.
- Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a client configuration or Add a new one.
- From the Agent tab, select the agent configuration you want to modify or Add a new one.
- Select the App tab.
- Configure GlobalProtect to force all network traffic to traverse a GlobalProtect tunnel. In the App Configuration area, set Enforce GlobalProtect Connection for Network Access to Yes. By default this option is set to No, meaning that users can still access the internet if GlobalProtect is disabled or disconnected.
- (Optional) To provide additional information, configure a traffic blocking notification message. The message can indicate the reason for blocking the traffic and provide instructions on how to connect, such as "To access the network, you must first connect to GlobalProtect." If you enable a message, GlobalProtect will display the message when GlobalProtect is disconnected but detects the network is reachable.
- In the App Configuration area, make sure Display Captive Portal Detection Message is set to Yes. The default is No.
- Specify the message text in the Captive Portal Detection Message field. The message must be 512 or fewer characters.
- To specify the amount of time in which the user has to authenticate with a captive portal, enter the Captive Portal Exception Timeout in seconds (default is 0; range is 0 to 3600). For example, a value of 60 means that the user must log in to the captive portal within one minute after GlobalProtect detects the captive portal. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and immediately blocks access.
- If you have a Captive Portal Detection Message enabled, the message appears 85 seconds before the Captive Portal Exception Timeout occurs. If the Captive Portal Exception Timeout is 90 seconds or less, the message appears 5 seconds after a captive portal is detected.
- Click OK twice to save the configuration and then Commit your changes.
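The defaults, limits and message timing described in this procedure can be checked against a planned app configuration before you commit it. The following Python audit is an added example, not Palo Alto Networks code: the dictionary keys and finding labels are hypothetical names (not PAN-OS field names), and both sample configurations are constructed.

```python
# Added example: key names and finding labels are hypothetical.
RECOMMENDED_METHODS = {"user-logon", "pre-logon"}  # modes the page recommends
MAX_MESSAGE_CHARS = 512
MAX_TIMEOUT = 3600  # seconds; valid range is 0 to 3600


def message_delay(timeout):
    """Seconds after captive portal detection at which the message appears."""
    # 85 s before the timeout expires, or 5 s after detection when the
    # timeout is 90 s or less.
    return 5 if timeout <= 90 else timeout - 85


def audit(cfg):
    """Return (findings, delay); delay is None when no message is timed."""
    findings = []
    if not cfg.get("enforce", False):  # page default: No
        findings.append("enforce-off")
    elif cfg.get("connect_method") not in RECOMMENDED_METHODS:
        findings.append("connect-method-not-recommended")

    timeout = cfg.get("captive_portal_timeout", 0)  # page default: 0
    timeout_ok = isinstance(timeout, int) and 0 <= timeout <= MAX_TIMEOUT
    if not timeout_ok:
        findings.append("timeout-out-of-range")

    delay = None
    if cfg.get("show_message", False):  # page default: No
        text = cfg.get("message", "")
        if not text or len(text) > MAX_MESSAGE_CHARS:
            findings.append("message-empty-or-too-long")
        if timeout_ok and timeout == 0:
            # A timeout of 0 blocks access immediately: no grace period.
            findings.append("message-without-grace-period")
        elif timeout_ok:
            delay = message_delay(timeout)
    return findings, delay


# Constructed sample configurations.
HARDENED = {"enforce": True, "connect_method": "user-logon",
            "captive_portal_timeout": 300, "show_message": True,
            "message": "Sign in to the Wi-Fi, then connect to GlobalProtect."}
WEAK = {"enforce": True, "connect_method": "on-demand",
        "captive_portal_timeout": 0, "show_message": True,
        "message": "x" * 600}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg))
```

With a 300-second timeout the message is shown 215 seconds after the captive portal is detected, which leaves the user the final 85 seconds to finish signing in.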