Captive Portal and Enforce GlobalProtect for Network Access
Learn how captive portal detection, network access enforcement, and the GlobalProtect embedded browser work together to keep your endpoints secure on public networks.
Where Can I Use This?
  • NGFW (managed by Panorama or Strata Cloud Manager)
  • Prisma Access (managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
  • GlobalProtect app 6.3.3-h12 (6.3.3-c1046) or later for embedded browser captive portal support on Windows
In most public Wi-Fi environments (airports, hotels, and cafes) a captive portal intercepts all traffic and requires you to authenticate through a login page before it grants internet access. When you also enable Enforce GlobalProtect for Network Access, GlobalProtect® blocks all traffic until it establishes a VPN connection to a gateway. All traffic then traverses the VPN tunnel for inspection and policy enforcement, which prevents proxies on the endpoint from bypassing the firewall and reaching the internet directly.
This creates a direct conflict with captive portals: the captive portal needs internet access to display its login page, but the enforcer blocks that access until GlobalProtect connects. On Windows, GlobalProtect resolves this deadlock with an embedded browser that it spawns as its own child process to open the captive portal login page. Because the enforcer implicitly allows traffic from its own processes, captive portal authentication completes without the enforcer ever being disabled and without IP- or FQDN-based enforcer exceptions. Note that this exception is scoped to the GlobalProtect process rather than to a destination: other applications on the endpoint remain blocked until the tunnel is established. On macOS, GlobalProtect uses the native Captive Network Assistant (CNA) for captive portal login; if CNA is not invoked, it falls back to the default browser.
Because the enforcer blocks all traffic until GlobalProtect connects, enable Enforce GlobalProtect for Network Access only for users configured with the User-logon (Always On) or Pre-logon connect method. Users in On-demand mode may not be able to establish a connection within the permitted grace periods and are then locked out of the network. If you use User-logon mode, also ensure that users cannot disable or disconnect GlobalProtect; if they can, the enforcer has no effect while the app is disabled.
Depending on whether a captive portal is present and whether Enforce GlobalProtect for Network Access is enabled, users follow one of these workflows:
Captive portal: Yes. Enforce GlobalProtect for Network Access: Yes.
Connect to the Wi-Fi network. GlobalProtect automatically detects the captive portal and, if configured, notifies you that you must log in to access the network. Log in to the captive portal using one of the following options:
  • The embedded browser (Windows only, if configured)
  • A web browser
  • The native captive portal assistant built into the endpoint operating system (OS)
If login is successful and the internet becomes reachable, GlobalProtect connects automatically. If it does not connect immediately and a traffic blocking notification is configured, the notification displays until the connection is established.
If login fails or the captive portal login page times out and GlobalProtect cannot establish a connection, you are blocked from the network. To re-initiate captive portal login, use one of the following options:
  • If you closed the embedded browser window, select Connect in the GlobalProtect app to reopen it.
  • Select Refresh Connection from the app settings menu to restart the full captive portal detection flow.
Captive portal: Yes. Enforce GlobalProtect for Network Access: No.
Connect to the Wi-Fi network. GlobalProtect automatically detects the captive portal. Log in through the embedded browser, the default browser, or the OS captive portal assistant. If login is successful and the internet becomes reachable, GlobalProtect connects automatically.
Captive portal: No. Enforce GlobalProtect for Network Access: Yes.
Connect to the Wi-Fi network. As soon as the internet is reachable, GlobalProtect connects automatically. If it does not connect immediately and a traffic blocking notification is configured, the notification displays until the connection is established. If GlobalProtect cannot establish a connection, you are locked out of the network. Disconnect and reconnect to Wi-Fi, reboot your endpoint, or select Refresh Connection from the app settings menu to retry.
If you configure the traffic blocking notification message, GlobalProtect displays it 85 seconds before the Captive Portal Exception Timeout expires. If the timeout is 90 seconds or less, the message appears 5 seconds after a captive portal is detected.
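The following is an added illustration, not GlobalProtect code and not a description of how the GlobalProtect app itself detects a portal (this page does not publish that logic). It shows the generic probe technique that OS connectivity checks use, which is the behaviour a captive portal interferes with: fetch a known URL, expect a known body, and treat a redirect to a foreign host, an HTTP 511, or a substituted page as "captive". It also encodes the traffic blocking notification timing rule stated above (85 seconds before the Captive Portal Exception Timeout expires, or 5 seconds after detection when the timeout is 90 seconds or less). The probe URL and expected body are the public Windows NCSI values; all sample responses, hostnames and the function names are constructed for the example.

```python
"""Captive-portal probe classification and traffic-block notice timing.

Added example, not GlobalProtect's own code. The probe method is the
generic connectivity-check approach; the sample responses are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit

# Windows NCSI probe target and expected body (public, documented values).
PROBE_URL = "http://www.msftconnecttest.com/connecttest.txt"
PROBE_EXPECTED_BODY = "Microsoft Connect Test"
REDIRECT_CODES = {301, 302, 303, 307, 308}


class NetState(Enum):
    OPEN = "open internet"              # probe answered as expected
    CAPTIVE = "captive portal"          # probe hijacked: login needed
    NO_CONNECTIVITY = "no connectivity" # probe got no response at all


@dataclass
class ProbeResponse:
    status: Optional[int]               # None = transport-level failure
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Verdict:
    state: NetState
    login_url: Optional[str] = None     # page an embedded browser would open


def classify_probe(resp: ProbeResponse) -> Verdict:
    """Decide whether the network is open, captive, or down from one probe."""
    if resp.status is None:
        return Verdict(NetState.NO_CONNECTIVITY)
    headers = {k.lower(): v for k, v in resp.headers.items()}
    expected_host = urlsplit(PROBE_URL).hostname
    if resp.status in REDIRECT_CODES:
        location = headers.get("location", "")
        # A redirect away from the probe host is the classic portal signature.
        if urlsplit(location).hostname not in (None, expected_host):
            return Verdict(NetState.CAPTIVE, login_url=location)
    if resp.status == 200 and resp.body.strip() == PROBE_EXPECTED_BODY:
        return Verdict(NetState.OPEN)
    # RFC 6585 511, a 200 with substituted HTML, or any other mismatch:
    # something between the endpoint and the probe host answered instead.
    return Verdict(NetState.CAPTIVE, login_url=headers.get("location") or None)


def traffic_block_notice_delay(exception_timeout_sec: int) -> int:
    """Seconds after portal detection at which the traffic blocking
    notification appears: 85 s before the Captive Portal Exception Timeout
    expires, or 5 s after detection when the timeout is 90 s or less."""
    if exception_timeout_sec <= 90:
        return 5
    return exception_timeout_sec - 85


# Constructed sample responses (not captures from a real portal).
SAMPLES = {
    "open": ProbeResponse(200, {"Content-Type": "text/plain"}, PROBE_EXPECTED_BODY),
    "hotel": ProbeResponse(302, {"Location": "https://login.example-hotel.test/portal?cont=1"}),
    "intercept": ProbeResponse(200, {"Content-Type": "text/html"},
                               "<html><body>Welcome! Please log in.</body></html>"),
    "rfc6585": ProbeResponse(511, {"Content-Type": "text/html"}, "<html>auth required</html>"),
    "down": ProbeResponse(None),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        v = classify_probe(resp)
        print(f"{name:>9}: {v.state.value:<16} login_url={v.login_url}")
    print("notice at", traffic_block_notice_delay(300), "s for a 300 s timeout")
```

The same-host check matters on an enforced endpoint: a redirect to the probe host itself is not a portal, whereas a redirect elsewhere is the URL a browser process must be allowed to reach, which is exactly the traffic the enforcer only permits from GlobalProtect's own embedded browser.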

Captive Portal Behavior Improvements

When the embedded browser is enabled, it launches as a foreground window that immediately prompts you for captive portal authentication — unlike the default browser, which may open the login page in a background tab. Starting with GlobalProtect app 6.3.3-h12, the embedded browser includes the following runtime improvements on Windows endpoints.
  • Native Captive Portal Refresh Workflow — If you close the captive portal embedded browser window before completing captive portal authentication, a Connect button appears in the GlobalProtect app. Select Connect to reopen the captive portal embedded browser and complete authentication without disconnecting and reconnecting GlobalProtect.
  • Automatically close the captive portal embedded browser window after authentication — After you successfully authenticate with the captive portal, the embedded browser closes automatically after 30 seconds and displays a countdown notification before closing.
  • Captive portal certificate error handling — If the captive portal login page presents a certificate that fails validation (common when a portal intercepts HTTPS requests with its own certificate), the embedded browser displays a certificate error prompt and requires you to manually select Continue to proceed. GlobalProtect never bypasses certificate errors on its own, so the decision to trust the portal's certificate stays with the user and applies only to that embedded browser session.
  • Captive portal network error handling — If the captive portal page encounters a network error, the embedded browser displays a Refresh option so you can retry without reopening GlobalProtect. After 5 consecutive failed retry attempts, the embedded browser displays a persistent error notification.
  • Captive Portal exception timeout handling — If the captive portal exception timeout expires while the embedded browser is open (applicable when Captive Portal Exception Timeout (sec) is set to a value greater than 0), the embedded browser displays a Refresh GlobalProtect option instead of an error. Selecting Refresh GlobalProtect resets the timeout and starts a fresh captive portal detection so you do not have to disconnect and reconnect GlobalProtect.
To enable and configure captive portal settings and network access enforcement, configure the App tab settings in Customize the GlobalProtect App.