Security incidents are often caused by insiders. Some can be unintentional, but others might be malicious. Either way, you want to defend yourself against such incidents.
Unlike GlobalProtect On-demand, where you have a higher level of control as an end user, GlobalProtect in user-logon mode does not offer the option to connect or disconnect at will. While it takes full control away from the end user, it does add an additional layer of security. The more layers of security an attacker must overcome, the better the chance that an attack will not be successful!
Onions have layers!
The GlobalProtect agent automatically establishes a connection to the portal after the user logs in to an endpoint. The portal responds by providing the client with the appropriate agent configuration. Subsequently, the agent sets up a VPN to one of the gateways specified in the agent configuration it received from the portal.
This method ensures continuous connectivity to the core, allowing administrators to push emergency updates, maintain control over sessions, and apply corporate-level threat prevention.
Once the client is installed and connected, the options available under the File menu are as shown below:
The 'Disconnect' option is grayed out and unavailable. For user-logon mode, the GlobalProtect client automatically establishes a connection after the user logs in to the host computer. Depending on how the administrator configured it on the firewall, the 'Disable' option can be grayed out as well. Doing so prevents end users from disabling the GlobalProtect agent.
If you want to know all the nitty-gritty details, the following articles should help you on your way: