Captive Portal and Enforce GlobalProtect for Network Access

Configure captive portal settings and enforce GlobalProtect network access to ensure all traffic is inspected before reaching the internet.
Where Can I Use This?
  • NGFW (managed by Panorama or Strata Cloud Manager)
  • Prisma Access (managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
To secure endpoint traffic on public networks, you can configure GlobalProtect to authenticate through captive portals using the embedded browser and enforce a VPN connection before allowing network access. For background on how these features interact and the user workflows they produce, see Captive Portal and Enforce GlobalProtect for Network Access.
Configure the Enforce GlobalProtect for Network Access option only if you configure GlobalProtect with the Always On connect method.
  1. Customize the GlobalProtect App.
    • To ensure that the GlobalProtect connection is always on, set the Connect Method to User-logon (Always On).
    • If your users must log in to a captive portal to access the internet, you can customize the captive portal settings by configuring the following options:
      • In the Captive Portal Exception Timeout (sec) field, enter the amount of time (in seconds) within which users can log in to the captive portal (range is 0 to 3600 seconds; default is 0 seconds). If users do not log in within this time period, the captive portal login page times out and users will be blocked from using the network.
        For embedded browser captive portal, the recommended Captive Portal Exception Timeout (sec) is 0 because embedded browser captive portal traffic is implicitly allowed.
      • To enable the GlobalProtect app to notify users when it detects a captive portal, set the Display Captive Portal Detection Message to Yes.
        • In the Captive Portal Notification Delay (sec) field, enter the amount of time (in seconds) after which the GlobalProtect app displays the captive portal detection message (range is 1 to 120 seconds; default is 5 seconds). GlobalProtect initiates this timer after the captive portal has been detected but before the internet becomes reachable.
        • Customize the Captive Portal Detection Message that displays when GlobalProtect detects a captive portal.
    • To force all network traffic to traverse the GlobalProtect VPN tunnel, configure the following options:
      • Set the Enforce GlobalProtect for Network Access option to Yes.
      • To enable the GlobalProtect app to notify users that the GlobalProtect connection is required for network access, set the Display Traffic Blocking Notification Message to Yes. The GlobalProtect app displays this message when the internet becomes reachable but before the GlobalProtect connection is established.
        • In the Traffic Blocking Notification Delay (sec) field, enter the amount of time (in seconds) after which the GlobalProtect app displays the traffic blocking notification message (range is 5 to 120 seconds; default is 15 seconds). GlobalProtect initiates this timer after the internet becomes reachable.
        • Customize the Traffic Blocking Notification Message that displays when the GlobalProtect connection is required for network access. This message must be 512 characters or less.
  2. Commit the changes.
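
As an added example (not Palo Alto Networks code), the following script lints a planned set of app settings against the ranges, the Always On dependency, and the embedded-browser recommendation stated in step 1, so mistakes surface before the commit. The dictionary keys, the `lint_app_settings` helper, and the sample plans are hypothetical names that mirror the UI labels; they are not a PAN-OS or Panorama export format.

```python
# Added example: keys are hypothetical names mirroring the UI labels above,
# not a PAN-OS or Panorama export format. Sample plans are constructed.
ALWAYS_ON = "user-logon"  # stands for Connect Method: User-logon (Always On)
RANGES = {  # option: (min, max, default) in seconds, as stated in step 1
    "captive_portal_exception_timeout": (0, 3600, 0),
    "captive_portal_notification_delay": (1, 120, 5),
    "traffic_blocking_notification_delay": (5, 120, 15),
}
MAX_BLOCKING_MESSAGE_CHARS = 512


def lint_app_settings(cfg):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for key, (low, high, default) in RANGES.items():
        value = cfg.get(key, default)
        if type(value) is not int or not low <= value <= high:
            findings.append(f"{key}: {value!r} is outside {low}-{high} seconds")
    # Enforcement is only meaningful with the Always On connect method.
    if cfg.get("enforce_globalprotect") and cfg.get("connect_method") != ALWAYS_ON:
        findings.append("enforce_globalprotect: requires the User-logon "
                        "(Always On) connect method")
    # Embedded browser captive portal traffic is implicitly allowed.
    if (cfg.get("embedded_browser_captive_portal")
            and cfg.get("captive_portal_exception_timeout", 0) != 0):
        findings.append("captive_portal_exception_timeout: 0 is recommended "
                        "with the embedded browser")
    message = cfg.get("traffic_blocking_message", "")
    if len(message) > MAX_BLOCKING_MESSAGE_CHARS:
        findings.append(f"traffic_blocking_message: {len(message)} characters, "
                        f"limit is {MAX_BLOCKING_MESSAGE_CHARS}")
    return findings


GOOD_PLAN = {  # constructed sample
    "connect_method": "user-logon",
    "enforce_globalprotect": True,
    "embedded_browser_captive_portal": True,
    "captive_portal_exception_timeout": 0,
    "captive_portal_notification_delay": 5,
    "traffic_blocking_notification_delay": 15,
    "traffic_blocking_message": "Connect GlobalProtect to reach the network.",
}
BAD_PLAN = dict(GOOD_PLAN, connect_method="on-demand",  # constructed sample
                captive_portal_exception_timeout=7200,
                traffic_blocking_notification_delay=2,
                traffic_blocking_message="x" * 600)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, lint_app_settings(plan) or "no findings")
```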