Filter traffic from mobile devices

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Filter traffic from mobile devices

L2 Linker


I was wondering if anyone has an idea on how to filter traffic coming from mobile devices. My scenario is that on our (open) guest wifi I would like to enable our users to do pretty much what they like from their mobile phones etc. but not let them have the same freedom just by undocking their laptops. Since we don´t pre-authenticate them to our Global Protect Portal I am aware that on any other network they are free to roam around as they please. Any ideas?

Thank you,

Mikael Gustafsson


L1 Bithead

If you have a portal license you will be able to use an internal gateway. You could do it this way:

Your corporate laptops have the Globalprotect client installed, internal gw is configured in the fw portal, internal host detection is enabled in the fw portal(the computer connects automatic to the internal gw IF the specific internal host is reachable), set connection method in the fw portal to user-logon or pre-logon(the GlobalProtect agent will automatically establish a connection after users log in to their computers. If you select Use single sign-on, the username and password used to log in to Windows is captured by the GlobalProtect agent and used to authenticate.) or select pre-logon(Allows the agent to authenticate and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in to the machine.)

With this method the corporate laptops(which have GP installed) checking if an internal host is reachable(maybe the guest wifi interface adress on Pan fw?) and if so it will establish an automagic vpn connection to the internal GP gateway with the users login credentials.-All the corporate laptops who connects to the guest wifi will connect to the internal GP gw and using same sec policys as when there are connected at the office with a cable. IF they connect whith there corporate laptops to another wifi or broadband the laptop will not connect to the internal GP gateway(because the internal host is not detected).

...and if you wan´t to secure even more you can force the users to always connect to Globalprotect.


Thank you, I will try this. A bit complicated perhaps but I feel it will give me what I was asking for.

Best Regards,


Hi again,

I was thinking a bit more on your solution and doesn´t it mean that they will automatically connect to the external portal when not on our network or wifi? Or can an add a new client config at the bottom of the list of configs (I have both split and full tunneling depending on AD group) with only an internal gateway configured (no external) and internal host check enabled?



If you wan´t you can force the laptops to connect with GP both if they are in(guest wifi) or outside the network(Internet). If you you just want the laptops to auto connect to portal if there are connected to the guest wifi you just add a new portal(new IP) with an internal IP and an internal host that must be reachable for the laptop to connect to the internal GP. So 1 portal with the external gw for Internet usage and 1 portal with internal gw for wifi guest usage.

But that would require the end user to manually change the portal adress in the client?. Or maybe I could NAT them to the correct portal depending on the zone they connect from. I will try different methods to achieve this and find the best solution our environment. Thanks for your input.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!