https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392961#M1045 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138583">@Pasquale01</a>,</P> <P>Sounds like you're just looking for the "<STRONG>Enforce GlobalProtect Connection for Network Access"&nbsp;</STRONG>feature in your agent.&nbsp;</P> Tue, 23 Mar 2021 13:19:10 GMT BPry 2021-03-23T13:19:10Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392806#M1039 <P>Is it possible to block internet access if user does not authenticate through the GP client? We don't want any access to the web on the laptop unless they fully&nbsp;authenticate through Okta/GP (SAML). Would Pre-logon solve this?</P><P>&nbsp;</P><P>Thanks</P> Mon, 22 Mar 2021 20:56:52 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392806#M1039 Pasquale01 2021-03-22T20:56:52Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392944#M1042 <P>Hi PPerrotta,</P><P>&nbsp;</P><P>You can setup a policy denying unknown users in the security policy with the action of block:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sarc845_0-1616503110946.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30495i3A6C3592EF45332C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Sarc845_0-1616503110946.png" alt="Sarc845_0-1616503110946.png" /></span></P><P>&nbsp;</P><P>Using Global Protect your user identification should work just fine so no need to worry about users not being identified when connecting to the vpn.</P><P>&nbsp;</P><P>Make sure your source zone and source addresses are from the VPN otherwise you might block traffic like printers etc unless you use the api to identify those devices.</P><P>&nbsp;</P><P>++ Edit</P><P>&nbsp;</P><P>You might have to allow your users to go to your okta tenant &lt;domain&gt;.okta.com above the deny policy to allow them to authenticate if you are using internal gateways as well</P> Tue, 23 Mar 2021 12:42:38 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392944#M1042 Sarc845 2021-03-23T12:42:38Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392958#M1044 <P>Thanks for the feedback.. but that is all post-authentication. We are in a locked-down environment so we cant use SSO or Always on, maybe pre-logon is an option. What we want is if a user doesn't authenticate on the VPN they shouldn't be able to browse the web. Users now just skip the authentication and use it for personal browsing then connect when they need access to the corporate network. So ultimately we want to stop that behavior.</P><P>Thanks</P><P>&nbsp;</P> Tue, 23 Mar 2021 13:14:05 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392958#M1044 Pasquale01 2021-03-23T13:14:05Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392961#M1045 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138583">@Pasquale01</a>,</P> <P>Sounds like you're just looking for the "<STRONG>Enforce GlobalProtect Connection for Network Access"&nbsp;</STRONG>feature in your agent.&nbsp;</P> Tue, 23 Mar 2021 13:19:10 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392961#M1045 BPry 2021-03-23T13:19:10Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392965#M1046 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138583">@Pasquale01</a>&nbsp;&nbsp;</P><P>&nbsp;</P><P>BPry is correct, you can configure this in the Portal settings under the Agent Configurations.&nbsp;</P> Tue, 23 Mar 2021 13:21:33 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-block-internet-access-if-user-does-not/m-p/392965#M1046 Sarc845 2021-03-23T13:21:33Z