It's based on the gateway lookup resolution and you have to configure an internal gateway to do that.
And if the client is connected to the internal gateway, no IPsec or VPN tunnel is mounted, but you can use HIP information or login information to create your security rule that limits the accessible resources for this device.
If you are talking about a user who wants to connect to an internal gateway, we can configure the PANFW gateway on a VPN tunnel within the office as well. By default the PANFW supports the SSL connection to the GP users (whether connected internally or externally), and we have to manually configure the gateways to accept a VPN connection.
You can find the information on the below thread:
Hope it helps,
You can leverage the single sign-on feature, so when the laptop having the agent on it connects within the network and has been successfully authenticated, a VPN tunnel gets established and he can go out to the internet via the tunnel. If he fails to get authenticated, the user will get identified as an unknown user, and we can configure a rule to block all unknown users. That way he cannot get access to the internet, although he is connected internally in the network. Like Gregoux mentioned as well, you can use the HIP checks to deny access to the machines if they do not match a config criteria.
I got a test license for GlobalProtect HIP.
Well, I'm pretty sure now there is no way I can force a laptop user that he has to be connected to the VPN to be able to use the internet. In HIP I can't check if he can reach a public IP address and there is also no way to place a firewall rule that would block his traffic if the VPN is not connected.
I need to buy now a Cisco VPN....