This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect - Block internet access if user does not authenticate

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect - Block internet access if user does not authenticate

Go to solution
Pasquale01
L1 Bithead

‎03-22-2021 01:56 PM

Is it possible to block internet access if user does not authenticate through the GP client? We don't want any access to the web on the laptop unless they fully authenticate through Okta/GP (SAML). Would Pre-logon solve this?

 

Thanks

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Pasquale01

‎03-23-2021 06:19 AM

@Pasquale01,

Sounds like you're just looking for the "Enforce GlobalProtect Connection for Network Access" feature in your agent. 

View solution in original post

1 person found this solution to be helpful.
4 REPLIES 4

Go to solution
Sarc845
L2 Linker

‎03-23-2021 05:40 AM - edited ‎03-23-2021 05:42 AM

Hi PPerrotta,

 

You can setup a policy denying unknown users in the security policy with the action of block:

Sarc845_0-1616503110946.png

 

Using Global Protect your user identification should work just fine so no need to worry about users not being identified when connecting to the vpn.

 

Make sure your source zone and source addresses are from the VPN otherwise you might block traffic like printers etc unless you use the api to identify those devices.

 

++ Edit

 

You might have to allow your users to go to your okta tenant <domain>.okta.com above the deny policy to allow them to authenticate if you are using internal gateways as well

Stay Safe
0 Likes Likes

Go to solution
Pasquale01
L1 Bithead
In response to Sarc845

‎03-23-2021 06:14 AM

Thanks for the feedback.. but that is all post-authentication. We are in a locked-down environment so we cant use SSO or Always on, maybe pre-logon is an option. What we want is if a user doesn't authenticate on the VPN they shouldn't be able to browse the web. Users now just skip the authentication and use it for personal browsing then connect when they need access to the corporate network. So ultimately we want to stop that behavior.

Thanks

 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Pasquale01

‎03-23-2021 06:19 AM

@Pasquale01,

Sounds like you're just looking for the "Enforce GlobalProtect Connection for Network Access" feature in your agent. 

1 person found this solution to be helpful.

Go to solution
Sarc845
L2 Linker
In response to Pasquale01

‎03-23-2021 06:21 AM

@Pasquale01  

 

BPry is correct, you can configure this in the Portal settings under the Agent Configurations. 

Stay Safe
  • 1 accepted solution
  • 9550 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks