topic Re: Enforce Global protect in GlobalProtect Discussions

Enforce Global protect

Monicashree — Sun, 28 May 2023 19:22:04 GMT

Hi Everyone,

I have a query on Global Protect.

Requirement :

one of our customer wants the requirement

if user is working from home internet should only work on his laptop if he is connected to global protect

if user is not connected to global protect his internet should not work even if he is connected to wifi also. All his traffic should pass through Global Protect itself.

And if the same user is coming back into office network GP should disconnect and user machine should be working on LAN network.

Is it possible ?

If possible please let me know what are configuration changes that are required.

Thanks and Regards

Monica Shree

Re: Enforce Global protect

Adrian_Jensen — Sun, 28 May 2023 20:37:41 GMT

Yes, this is possible and is a very common setup. Your customer wants to set the GlobalProtect client to "Always-On" - the client always connects to the GlobalProtect Gateway and doesn't allow traffic until connected, and enable "Enforce GlobalProtect Connection for Network Access".

Network -> GloablProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> App -> Connect Method = User-logon (Always-On)

Network -> GloablProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> App -> Enforce GlobalProtect Connection for Network Access = Yes

You may also want to block local network access when connected to the VPN:

Network -> GlobalProtect -> Gateways -<gateway_config> -> Agent -> <agent_config> -> Split Tunnel -> No direct access to local network = checked

Second, you want to enable "Internal Host Detection" to detect when the client is connected to the local network

Network -> GloablProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> Internal -> Internal Host Detection = checked

You need to specify an internal IP address and matching reverse-DNS name that the IP will match. If the clients DNS returns a matching value (Note: this is case-sensitive), then the client will know it is on the internal network and will connect directly to the local network without requiring a VPN tunnel.

Note that the client must still connect to the Portal to get the GlobalProtect configuration, before it can determine if it is on a local network. So the GP client will still prompt for user credentials when connecting internally. You can get around this (have nearly transparent internal connection) by using a user/machine certificate for the Portal authentication. The Gateway authentication (for when connecting to the VPN from outside the network) can continue to use your standard user/password credentials.

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/enforce-globalprotect-for-network-access

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NcRCAU

Re: Enforce Global protect

Cha_Moua — Thu, 09 Jan 2025 19:52:42 GMT

Adrian,

Im also looking into doing this. Could I enable one or the other or does it require both to work effectively?

What im saying is, if i only enable "Enforce GlobalProtect Connection for Network Access = Yes"

what that be sufficient to block all network traffic until the device connects to VPN?