GlobalProtect - Block internet access if user does not authenticate

PPerrotta
L0 Member

GlobalProtect - Block internet access if user does not authenticate

Is it possible to block internet access if a user does not authenticate through the GP client? We don't want any access to the web on the laptop unless they fully authenticate through Okta/GP (SAML). Would Pre-logon solve this?
Thanks

Accepted Solutions
BPry
Cyber Elite

@PPerrotta,

Sounds like you're just looking for the "Enforce GlobalProtect Connection for Network Access" feature in your agent.

All Replies
Sarc845
L2 Linker

Hi PPerrotta,

You can set up a policy denying unknown users in the security policy with the action of block:

Using GlobalProtect, your user identification should work just fine, so no need to worry about users not being identified when connecting to the VPN.

Make sure your source zone and source addresses are from the VPN, otherwise you might block traffic like printers etc. unless you use the API to identify those devices.

Edit:

You might have to allow your users to go to your Okta tenant <domain>.okta.com above the deny policy to allow them to authenticate if you are using internal gateways as well.

Stay Safe
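The rule ordering Sarc845 describes, written out as an added example in PAN-OS set-CLI form (not taken from the post or from Palo Alto documentation). The zone names `vpn` and `untrust`, the rule and address object names are assumptions, and `<domain>` is a placeholder for your own Okta tenant:

```text
# Added example; assumed zones: vpn = GlobalProtect tunnel zone, untrust = internet.
# Replace <domain> with your own Okta tenant before committing.
set address okta-tenant fqdn <domain>.okta.com

# 1. Let users the firewall has NOT yet identified ("unknown") reach only the
#    Okta tenant over HTTPS, so the SAML login can complete. Security rules are
#    evaluated top-down and the first match wins, so this must sit above the deny.
set rulebase security rules allow-okta-auth from vpn to untrust source any destination okta-tenant source-user unknown application any service service-https action allow

# 2. Deny all other traffic from unidentified users. Source zone and addresses are
#    scoped to the VPN so printers and other unmapped internal devices are not caught.
set rulebase security rules deny-unknown-users from vpn to untrust source any destination any source-user unknown application any service any action deny

# Guarantee the ordering regardless of where the rules were created.
move rulebase security rules allow-okta-auth before deny-unknown-users
```

Check the traffic log for hits on `deny-unknown-users` after the commit; a burst of blocked sessions to the Okta tenant means the allow rule is missing or sits below the deny.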
PPerrotta
L0 Member

Thanks for the feedback, but that is all post-authentication. We are in a locked-down environment so we can't use SSO or Always On; maybe pre-logon is an option. What we want is that if a user doesn't authenticate on the VPN, they shouldn't be able to browse the web. Users now just skip the authentication and use it for personal browsing, then connect when they need access to the corporate network. So ultimately we want to stop that behavior.

Thanks

Sarc845
L2 Linker

@PPerrotta,

BPry is correct, you can configure this in the Portal settings under the Agent Configurations.

Stay Safe