GlobalProtect - Block internet access if user does not authenticate


L1 Bithead

Is it possible to block internet access if a user does not authenticate through the GP client? We don't want any access to the web on the laptop unless they fully authenticate through Okta/GP (SAML). Would pre-logon solve this?

 

Thanks

Accepted Solutions

@Pasquale01,

Sounds like you're just looking for the "Enforce GlobalProtect Connection for Network Access" feature in your agent. 


4 REPLIES

L2 Linker

Hi PPerrotta,

 

You can set up a rule in the security policy that denies unknown users, with the action set to block:

[Screenshot: Sarc845_0-1616503110946.png]

 

Using GlobalProtect, your user identification should work just fine, so there is no need to worry about users not being identified when connecting to the VPN.

 

Make sure your source zone and source addresses are from the VPN, otherwise you might block traffic from devices like printers, unless you use the API to identify those devices.

 

++ Edit

 

You might have to allow your users to reach your Okta tenant <domain>.okta.com above the deny policy so that they can authenticate, if you are using internal gateways as well.

Stay Safe
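The rule ordering described in the reply above, worked through as an added example that is not part of the original post. It is a simplified Python model of top-down, first-match policy evaluation; the rule names, zone names and the `example.okta.com` hostname (standing in for `<domain>.okta.com`) are constructed for illustration.

```python
# Simplified model of top-down, first-match security policy evaluation.
# Rule names, zones and hostnames are constructed; this is not firewall config.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass
class Rule:
    name: str
    from_zone: str     # "any" or a zone name
    source_user: str   # "any", "unknown" (no user mapping) or "known-user"
    dest_host: str     # glob pattern, "*" matches any destination
    action: str        # "allow" or "deny"

@dataclass
class Session:
    zone: str
    user: Optional[str]  # None = no user mapping exists for the source
    host: str

def user_matches(rule_user: str, user: Optional[str]) -> bool:
    if rule_user == "any":
        return True
    if rule_user == "unknown":
        return user is None
    if rule_user == "known-user":
        return user is not None
    return rule_user == user

def evaluate(rules, s: Session):
    """Return (rule name, action) of the first rule that matches the session."""
    for r in rules:
        if (r.from_zone in ("any", s.zone)
                and user_matches(r.source_user, s.user)
                and fnmatch(s.host, r.dest_host)):
            return r.name, r.action
    return "no-match", "deny"  # assumption of this model: unmatched traffic is dropped

OKTA = "example.okta.com"  # placeholder for <domain>.okta.com
RULES = [
    Rule("allow-okta-auth", "vpn", "any", OKTA, "allow"),       # must sit above the deny
    Rule("deny-unknown-users", "vpn", "unknown", "*", "deny"),  # scoped to the VPN zone only
    Rule("allow-identified", "vpn", "known-user", "*", "allow"),
    Rule("allow-printers", "printers", "any", "*", "allow"),    # never hits the deny rule
]
# Same rules with the deny moved to the top: the IdP becomes unreachable
# for users who have not authenticated yet.
MISORDERED = [RULES[1], RULES[0], *RULES[2:]]
```
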

Thanks for the feedback, but that is all post-authentication. We are in a locked-down environment so we can't use SSO or Always On; maybe pre-logon is an option. What we want is that if a user doesn't authenticate on the VPN, they shouldn't be able to browse the web. Users now just skip the authentication and use it for personal browsing, then connect when they need access to the corporate network. So ultimately we want to stop that behavior.

Thanks

 

@Pasquale01,

Sounds like you're just looking for the "Enforce GlobalProtect Connection for Network Access" feature in your agent. 

@Pasquale01  

 

BPry is correct, you can configure this in the Portal settings under the Agent Configurations. 

Stay Safe