GlobalProtect
Captive Portal and Enforce GlobalProtect for Network Access
Table of Contents
Captive Portal and Enforce GlobalProtect for Network Access
In most instances, mobile users connect to
Wi-Fi networks on which a captive portal has been enabled, such
as those used in coffee shops, airports, and hotels. Internet access
becomes available only after users log in to the captive portal.
Users can log in through a browser-based captive portal login page
or OS-based captive portal assistant using identifiers such as a
name and email address. With this configuration, you can limit the
amount of time for which users can log in to the captive portal.
If a user logs in successfully and the internet becomes reachable,
the GlobalProtect app automatically establishes a connection. If
a user fails to log in within the specified time period, all traffic
will be blocked.
To further reduce the risk of exposing your
network to security threats, you can also Enforce GlobalProtect for Network Access. When you
enable this option, GlobalProtect blocks all network traffic until
the app connects to a GlobalProtect gateway. All traffic is required
to go through the VPN tunnel for inspection and policy enforcement,
thereby enabling you to maintain full visibility and control over your
users’ traffic.
Based on the presence of a captive portal
and whether the GlobalProtect connection is required for network
access, users must follow a specific workflow to access the network:
Captive Portal | Enforce GlobalProtectfor Network Access | Workflow |
|---|---|---|
| Yes | Yes | If the GlobalProtect connection is required
for network access, and your end users must also log in to a captive portal
to access the internet, they must use the following steps to access
the network:
|
| Yes | No | If your end users must log in to a captive
portal to access the internet, but the GlobalProtect connection
is not required for network access, they must use the following steps
to access the network:
|
| No | Yes | If the GlobalProtect connection is required
for network access, but your end users do not have to log in to
a captive portal to access the internet, they must connect to the
Wi-Fi network. As soon as the Wi-Fi is connected and internet is reachable,
the GlobalProtect app connects automatically. If the app does
not connect immediately, and your administrator configures a traffic
blocking notification message to indicate that you must connect
to GlobalProtect for network access, it displays this message until
the connection is established. If GlobalProtect is unable to establish
a connection, you will be locked out of the network. You must re-initiate
network discovery by disconnecting and then reconnecting to the
Wi-Fi network, rebooting your endpoint, or refreshing the GlobalProtect
connection. |
Use the following steps to the customize captive
portal settings and indicate whether the GlobalProtect connection
is required for network access:
Configure
the Enforce GlobalProtect for Network Access option
only if you configure GlobalProtect with the Always On connect method.
- Set Up Access to the GlobalProtect Portal.
- Define the GlobalProtect Agent Configurations.
- Customize the GlobalProtect App.
- To ensure that the GlobalProtect connection is always on, set the Connect Method to User-logon (Always On).
- If your users must log in to a captive portal to access the internet, you can customize the captive portal settings by configuring the following options:
- In the Captive Portal Exception Timeout (sec) field, enter the amount of time (in seconds) within which users can log in to the captive portal (range is 0 to 3600 seconds; default is 0 seconds). If users do not log in within this time period, the captive portal login page times out and users will be blocked from using the network.
- To enable the GlobalProtect app to notify users when it detects a captive portal, set the Display Captive Portal Detection Message to Yes.
- In the Captive Portal Notification Delay (sec) field, enter the amount of time (in seconds) after which the GlobalProtect app displays the captive portal detection message (range is 1 to 120 seconds; default is 5 seconds). GlobalProtect initiates this timer after the captive portal has been detected but before the internet becomes reachable.
- Customize the Captive Portal Detection Message that displays when GlobalProtect detects a captive portal.
- To force all network traffic to traverse the GlobalProtect VPN tunnel, configure the following options:
- Set the Enforce GlobalProtect for Network Access option to Yes.
- To enable the GlobalProtect app to notify users that the GlobalProtect connection is required for network access, set the Display Traffic Blocking Notification Message to Yes. The GlobalProtect app displays this message when the internet becomes reachable but before the GlobalProtect connection is established.
- In the Traffic Blocking Notification Delay (sec) field, enter the amount of time (in seconds) after which the GlobalProtect app displays the traffic blocking notification message (range is 5 to 120 seconds; default is 15 seconds). GlobalProtect initiates this timer after the internet becomes reachable.
- Customize the Traffic Blocking Notification Message that displays when the GlobalProtect connection is required for network access. This message must be 512 characters or less.
- Commit the changes.