https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-network-connection-forced/m-p/1217797#M6423 <P>We are in the testing phase for GP Always on.&nbsp; I currently have forced network connection with internal host detection and it is working fine.&nbsp;</P> <P>&nbsp;</P> <P>I did a quick search and did not find the configuration tweaks that would account for Always On / Forced Connection when the portal is unavailable.</P> <P>&nbsp;</P> <P>Use case...I have a user travelling abroad.&nbsp; When they are at their destination , they will send me their public ip to whitelist for GlobalProtect access.&nbsp;&nbsp;&nbsp; If she was in the Always On /Forced Network connection policy...does that mean that her lap would basically be bricked as far as network.&nbsp; She is in a geo blocked country...so no access to Portal without a whitelist entry on my part.&nbsp;&nbsp; I am sure there is a configuration combination that would allow for this...I want to make sure that the users' Office 365 apps will at least work so they can communicate even if the GP app cannot reach the portal.</P> <P>&nbsp;</P> <P>Thank you</P> Thu, 30 Jan 2025 13:35:13 GMT JoeBailey 2025-01-30T13:35:13Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-network-connection-forced/m-p/1217797#M6423 <P>We are in the testing phase for GP Always on.&nbsp; I currently have forced network connection with internal host detection and it is working fine.&nbsp;</P> <P>&nbsp;</P> <P>I did a quick search and did not find the configuration tweaks that would account for Always On / Forced Connection when the portal is unavailable.</P> <P>&nbsp;</P> <P>Use case...I have a user travelling abroad.&nbsp; When they are at their destination , they will send me their public ip to whitelist for GlobalProtect access.&nbsp;&nbsp;&nbsp; If she was in the Always On /Forced Network connection policy...does that mean that her lap would basically be bricked as far as network.&nbsp; She is in a geo blocked country...so no access to Portal without a whitelist entry on my part.&nbsp;&nbsp; I am sure there is a configuration combination that would allow for this...I want to make sure that the users' Office 365 apps will at least work so they can communicate even if the GP app cannot reach the portal.</P> <P>&nbsp;</P> <P>Thank you</P> Thu, 30 Jan 2025 13:35:13 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-network-connection-forced/m-p/1217797#M6423 JoeBailey 2025-01-30T13:35:13Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-network-connection-forced/m-p/1218793#M6427 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170734">@JoeBailey</a>,</P> <P>Correct. Do you have email hosted on-premise or are you using Exchange Online? You'll want to exclude the FQDNs as specified <A href="https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/enforce-globalprotect-connections-with-fqdn-exclusions" target="_self">HERE</A>. If you're using Exchange Online due to the number of dependencies required you'll want to look at Microsoft's 365 lists and select what FQDNs you'll need to allow from <A href="https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide" target="_self">HERE</A>.</P> <P>&nbsp;</P> <P>Personally when we encounter these sort of issues when people travel we don't allow them to bring their issued device. Depending on the country we either just send them with an unmanaged device for simple email access, or we send them with a cheaper device that is disposed of after they return.</P> Fri, 31 Jan 2025 01:35:02 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-always-on-network-connection-forced/m-p/1218793#M6427 BPry 2025-01-31T01:35:02Z