This feature requires Content Release 590-3397 or a later version.
To reduce the security risk of exposing your enterprise when a user is off-premises, you can now force users on endpoints running Windows 7 or later, or Mac OS 10.9 or later, to connect to GlobalProtect before they can access the network.
When this feature is enabled, GlobalProtect blocks all traffic until the agent determines that it is on the internal network or connects to an external gateway. After the agent establishes a connection, GlobalProtect permits internal and external network traffic according to your security policy, so all traffic is subject to inspection by the firewall and to security policy enforcement. This feature also prevents users from configuring a proxy as a means to bypass the firewall and reach the Internet while disconnected.
If users must connect to the network using a captive portal (such as at a hotel or airport), you can also configure a grace period that provides users enough time to connect to the captive portal and then connect to GlobalProtect.
Because GlobalProtect blocks all traffic unless the GlobalProtect agent can connect to a gateway, we recommend that you enable this feature only for users that connect in User-logon or Pre-logon mode; in these modes the agent connects automatically, so users are not left without network access until they manually start a connection.
Enforce a GlobalProtect Connection for Network Access
Configure the GlobalProtect portal. Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a client configuration or Add a new one.
Begin or modify an agent configuration. From the Agent tab, select the agent configuration you want to modify or Add a new one. Select the App tab.
Configure GlobalProtect to force all network traffic to traverse a GlobalProtect tunnel. In the App Configuration area, set Enforce GlobalProtect Connection for Network Access to Yes. By default, this option is set to No, meaning users can still access the Internet if GlobalProtect is disabled or disconnected.
(Optional) To provide additional information, configure a traffic blocking notification message (for example: To access the network, you must first connect to GlobalProtect.). The message can state the reason for blocking the traffic and give instructions on how to connect. If you enable this message, GlobalProtect displays it when GlobalProtect is disconnected but detects that the network is reachable. In the App Configuration area, make sure Display Traffic Blocking Notification Message is set to Yes (the default). Specify the message text in the Traffic Blocking Notification Message field; the message must be 512 or fewer characters. To specify when to display the notification (how soon after GlobalProtect determines the network is reachable), configure the Traffic Blocking Notification Delay in seconds (default is 15; range is 5 to 120). To always display traffic blocking notifications, set Allow Users to Dismiss Traffic Blocking Notifications to No (the default is Yes).
(Optional) To allow a grace period before blocking traffic, which gives the user time to connect to a captive portal, configure a notification message and a timeout value (for example: GlobalProtect has temporarily permitted network access for you to connect to the internet. Follow instructions from your internet provider. If you let the connection time out, open GlobalProtect and click Connect to try again.). The message can provide additional information about connecting to the captive portal. In the App Configuration area, set Display Captive Portal Detection Message to Yes (the default is No). Specify the message text in the Captive Portal Detection Message field; the message must be 512 or fewer characters. To specify how long the user has to authenticate with the captive portal, enter the Captive Portal Exception Timeout in seconds (default is 0; range is 0 to 3600). For example, a value of 60 means that the user must log in to the captive portal within one minute after GlobalProtect detects it. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and blocks access immediately. If the Captive Portal Detection Message is enabled, the message appears 85 seconds before the Captive Portal Exception Timeout expires; if the Captive Portal Exception Timeout is 90 seconds or less, the message appears 5 seconds after a captive portal is detected.
Save your configuration changes. Click OK twice. Commit your changes.
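The following is an added example, not Palo Alto Networks code, that models the enforcement behaviour and the App Configuration limits described in the procedure above: when traffic is permitted or blocked for each agent state, how the captive portal grace period applies, when the captive portal message appears, and which field values fall outside the documented ranges. The field names, state names, and the validation helper are assumptions chosen to mirror the settings on the page; they are not the product's internal names.

```python
"""Model of 'Enforce GlobalProtect Connection for Network Access'.

Added example (not product code). Field and state names are assumptions
that mirror the App Configuration settings described on the page.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_MESSAGE_LEN = 512            # documented limit for both message fields
NOTIFY_DELAY_RANGE = (5, 120)    # Traffic Blocking Notification Delay (s)
CP_TIMEOUT_RANGE = (0, 3600)     # Captive Portal Exception Timeout (s)


@dataclass
class AppConfig:
    """Subset of the portal App Configuration relevant to this feature."""
    enforce_connection: bool = False                # default: No
    display_blocking_message: bool = True           # default: Yes
    blocking_message: str = ""
    blocking_notification_delay: int = 15           # default: 15
    allow_dismiss_blocking_notification: bool = True
    display_captive_portal_message: bool = False    # default: No
    captive_portal_message: str = ""
    captive_portal_exception_timeout: int = 0       # default: 0 (no grace period)


def validate(cfg: AppConfig) -> List[str]:
    """Return a list of problems against the documented limits (empty = OK)."""
    problems = []
    if len(cfg.blocking_message) > MAX_MESSAGE_LEN:
        problems.append("Traffic Blocking Notification Message exceeds 512 characters")
    if len(cfg.captive_portal_message) > MAX_MESSAGE_LEN:
        problems.append("Captive Portal Detection Message exceeds 512 characters")
    lo, hi = NOTIFY_DELAY_RANGE
    if not lo <= cfg.blocking_notification_delay <= hi:
        problems.append("Traffic Blocking Notification Delay must be 5-120 seconds")
    lo, hi = CP_TIMEOUT_RANGE
    if not lo <= cfg.captive_portal_exception_timeout <= hi:
        problems.append("Captive Portal Exception Timeout must be 0-3600 seconds")
    if cfg.display_captive_portal_message and cfg.captive_portal_exception_timeout == 0:
        # Message is enabled but the timeout of 0 blocks traffic immediately,
        # so the user never gets a grace period in which to act on it.
        problems.append("Captive portal message enabled but timeout is 0 (no grace period)")
    return problems


def traffic_allowed(cfg: AppConfig, agent_state: str,
                    captive_portal_elapsed: Optional[int] = None) -> bool:
    """Decide whether the endpoint may send traffic in the given state.

    agent_state is one of: 'internal' (agent detected the internal network),
    'connected' (tunnel to an external gateway is up), 'captive-portal'
    (portal detected, captive_portal_elapsed seconds ago), 'disconnected'.
    """
    if not cfg.enforce_connection:
        return True                     # feature off: traffic flows regardless
    if agent_state in ("internal", "connected"):
        return True                     # subject to firewall security policy
    if agent_state == "captive-portal":
        # Grace period only exists when the timeout is non-zero and has not expired.
        timeout = cfg.captive_portal_exception_timeout
        return timeout > 0 and captive_portal_elapsed is not None \
            and captive_portal_elapsed < timeout
    return False                        # disconnected (or agent disabled): block


def captive_portal_message_delay(cfg: AppConfig) -> Optional[int]:
    """Seconds after captive portal detection at which the message appears.

    Returns None when no message will be shown. Implements the documented
    rule: 85 s before the timeout expires, or 5 s after detection when the
    timeout is 90 s or less.
    """
    timeout = cfg.captive_portal_exception_timeout
    if not cfg.display_captive_portal_message or timeout == 0:
        return None
    return 5 if timeout <= 90 else timeout - 85


if __name__ == "__main__":
    # Constructed sample: enforcement on, 5 minute captive portal grace period.
    cfg = AppConfig(enforce_connection=True,
                    display_captive_portal_message=True,
                    captive_portal_exception_timeout=300)
    print("problems:", validate(cfg))
    for state, elapsed in (("connected", None), ("disconnected", None),
                           ("captive-portal", 120), ("captive-portal", 300)):
        print(state, elapsed, "->", "allow" if traffic_allowed(cfg, state, elapsed) else "block")
    print("captive portal message shown after", captive_portal_message_delay(cfg), "s")
```

The model makes the operational trade-off visible: with the default timeout of 0, a user behind a hotel captive portal is blocked immediately and can never reach the gateway, so if you enable enforcement for travelling users, set a non-zero Captive Portal Exception Timeout and enable the detection message.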