Enforce GlobalProtect for Network Access
Focus
Focus
GlobalProtect

Enforce GlobalProtect for Network Access

Table of Contents
End-of-Life (EoL)

Enforce GlobalProtect for Network Access

To reduce the security risk of exposing your enterprise when a user is off-premise, you can force users on endpoints running Windows 7 or Mac OS 10.9 and later releases to connect to GlobalProtect to access the network.
When this feature is enabled, GlobalProtect blocks all traffic until the agent is internal or connects to an external gateway. After the agent establishes a connection, GlobalProtect permits internal and external network traffic according to your security policy thus subjecting the traffic to inspection by the firewall and security policy enforcement. This feature also prevents the use of proxies as a means to bypass the firewall and access the internet.
If users must connect to the network using a captive portal (such as at a hotel or airport), you can also configure a grace period that provides users enough time to connect to the captive portal and then connect to GlobalProtect.
Because GlobalProtect blocks traffic unless the GlobalProtect agent can connect to a gateway, we recommend that you enable this feature only for users that connect in User-logon or Pre-logon modes.
  1. Configure the GlobalProtect portal.
  2. Create or modify an agent configuration.
    1. Select NetworkGlobalProtectPortals and select the portal configuration for which you want to add a client configuration or Add a new one.
    2. From the Agent tab, select the agent configuration you want to modify or Add a new one.
    3. Select the App tab.
  3. Configure GlobalProtect to force all network traffic to traverse a GlobalProtect tunnel.
    In the App Configuration area, set Enforce GlobalProtect Connection for Network access to Yes. By default this option is set to No meaning that users can still access the internet if GlobalProtect is disabled or disconnected.
  4. (Optional) To provide additional information, configure a traffic blocking notification message.
    The message can indicate the reason for blocking the traffic and provide instructions on how to connect, such as To access the network, you must first connect to GlobalProtect. If you enable a message, GlobalProtect will display the message when GlobalProtect is disconnected but detects the network is reachable.
    1. In the App Configuration area, make sure Display Captive Portal Detection Message is set to Yes. The default is No.
    2. Specify the message text in the Captive Portal Detection Message field. The message must be 512 or fewer characters.
    3. To specify the amount of time in which the user has to authenticate with a captive portal, enter the Captive Portal Exception Timeout in seconds (default is 0; range is 0 to 3600). For example, a value of 60 means that the user must log in to the captive portal within one minute after GlobalProtect detects the captive portal. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and immediately blocks access.
    4. If you have a Captive Portal Detection Message enabled, the message appears 85 seconds before the Captive Portal Exception Timeout occurs. If the Capture Portal Exception Timeout is 90 seconds or less, the message appears 5 seconds after a captive portal is detected.
  5. Click OK twice to save the configuration and then Commit your changes.