You can set up a policy denying unknown users in the security policy with the action of block.
Using GlobalProtect, your user identification should work just fine, so no need to worry about users not being identified when connecting to the VPN.
Make sure your source zone and source addresses are from the VPN, otherwise you might block traffic like printers etc. unless you use the API to identify those devices.
You might have to allow your users to go to your Okta tenant <domain>.okta.com above the deny policy to allow them to authenticate if you are using internal gateways as well.
Thanks for the feedback, but that is all post-authentication. We are in a locked-down environment so we can't use SSO or Always on; maybe pre-logon is an option. What we want is if a user doesn't authenticate on the VPN they shouldn't be able to browse the web. Users now just skip the authentication and use it for personal browsing, then connect when they need access to the corporate network. So ultimately we want to stop that behavior.