This feature requires Content Release version 590-3397 or later.
After you enable smart card authentication on Windows endpoints, users can authenticate using a smart card or common access card (CAC) containing a client certificate. Now, when a user removes that card, you can either retain or disconnect the connection with GlobalProtect. By default, GlobalProtect retains the tunnel when the user removes the smart card. The decision on whether to retain the connection depends on your security requirements.
Configure the Connection Behavior on Smart Card Removal
Enable smart card authentication. Set up your smart card infrastructure. Import the Root CA certificate that issued the client certificates contained on the end user smart cards. Create the certificate profile. Assign the certificate profile to the gateway(s) or portal. Commit the configuration.
Configure the GlobalProtect portal. Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a client configuration or Add a new one.
Begin or modify an agent configuration. From the Agent tab, select the agent configuration you want to modify or Add a new one. Select the App tab.
Configure the connection behavior when a user removes a smart card. In the App Configuration area, set Retain Connection on Smart Card Removal (Windows Only) to Yes.
Save your configuration changes. Click OK twice. Commit your changes.

Related Documentation