To reduce the security risk of exposing your enterprise when a user is off-premise, you can force users on endpoints running Windows 7 or Mac OS 10.9 and later releases to connect to GlobalProtect to access the network.

When this feature is enabled, GlobalProtect blocks all traffic until the agent detects that it is on the internal network or connects to an external gateway. After the agent establishes a connection, GlobalProtect permits internal and external network traffic according to your security policy, thus subjecting the traffic to inspection by the firewall and to security policy enforcement. This feature also prevents the use of proxies as a means to bypass the firewall and access the internet.
If users must connect to the network using a captive portal (such as at a hotel or airport), you can also configure a grace period that gives users enough time to connect to the captive portal and then connect to GlobalProtect.
Because GlobalProtect blocks traffic unless the GlobalProtect agent can connect to a gateway, we recommend that you enable this feature only for users that connect in User-logon mode. Keep in mind that if you configure the app to use User-logon mode and the user disables or disconnects from GlobalProtect, they will be able to connect to the network, because the enforcement feature only works while GlobalProtect is enabled. To prevent users from accessing the network without a GlobalProtect connection, make sure you do not allow users in User-logon mode to disable or disconnect GlobalProtect.
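The following is an added illustration, not Palo Alto Networks code and not a PAN-OS API: a small model of the allow/block decision described above, plus an audit helper that flags the configuration combination the text warns against (enforcement enabled while users in User-logon mode may disable or disconnect the agent). The agent states, the `connect_method` labels and the `EnforcementConfig` fields are assumptions chosen for the model.

```python
"""Model of the GlobalProtect 'enforce network access' behaviour described above.

Hypothetical model (not Palo Alto Networks code, not a PAN-OS API): it encodes
the allow/block rules the documentation describes so an administrator can
reason about the states in which endpoint traffic is allowed or blocked.
"""
from dataclasses import dataclass
from enum import Enum


class AgentState(Enum):
    INTERNAL = "internal"            # agent detected it is on the internal network
    CONNECTED = "connected"          # tunnel to an external gateway is up
    CONNECTING = "connecting"        # agent enabled but no gateway reached yet
    USER_DISABLED = "user-disabled"  # user disabled or disconnected the agent


@dataclass
class EnforcementConfig:
    enforce_network_access: bool
    connect_method: str               # assumed labels: "user-logon", "on-demand"
    allow_user_disable: bool          # user may disable/disconnect the agent
    captive_portal_grace_seconds: int = 0


def traffic_allowed(cfg, state, captive_portal_detected=False,
                    seconds_since_portal_detected=0):
    """Return True if the endpoint may send network traffic in this state."""
    if not cfg.enforce_network_access:
        return True  # feature off: it blocks nothing
    if state == AgentState.USER_DISABLED:
        # Enforcement only works while GlobalProtect is enabled; a disabled or
        # user-disconnected agent enforces nothing. This is the gap the text warns about.
        return True
    if state in (AgentState.INTERNAL, AgentState.CONNECTED):
        return True
    # Still connecting: only the captive-portal grace period lets traffic through.
    if captive_portal_detected and \
            seconds_since_portal_detected < cfg.captive_portal_grace_seconds:
        return True
    return False


def audit(cfg):
    """Return findings for configurations the documentation advises against."""
    findings = []
    if not cfg.enforce_network_access:
        return findings
    if cfg.connect_method != "user-logon":
        findings.append("enforcement enabled for a connect method other than User-logon")
    if cfg.allow_user_disable:
        findings.append("users can disable/disconnect GlobalProtect; enforcement can be bypassed")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations.
    strict = EnforcementConfig(True, "user-logon", False, captive_portal_grace_seconds=60)
    loose = EnforcementConfig(True, "user-logon", True, captive_portal_grace_seconds=60)
    print("connecting, no portal:", traffic_allowed(strict, AgentState.CONNECTING))
    print("connecting, portal 30s ago:", traffic_allowed(strict, AgentState.CONNECTING, True, 30))
    print("audit strict:", audit(strict))
    print("audit loose:", audit(loose))
```

Running the module prints the decisions for the two constructed configurations; `audit(loose)` reports the disable/disconnect finding, while `audit(strict)` returns no findings.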