There's really nothing directly built into your firewall to function as an actual NAC solution. You could however easily block interzone communication for anything that doesn't pass a domain-joined hip-check so that non-company endpoints couldn't traverse security zones.
The "best" solution that you could force with just the firewall and managed switches would be teaming ACLs with GlobalProtect. Effectively you would allow communication to your GlobalProtect portal/gateway and nothing else. Then utilize tunnel mode to form a tunnel to the gateway and then utilize the GlobalProtect IP Pools to actually enable network access as required.
Now just a word of caution. The first option is usually the best that you can actually hope to apply within any given organization, and while it doesn't prevent nefarious actions across your security zone it does prevent anyone from crossing security zones and getting internet access. This allows allows you to create exceptions for things that can't utilize user-id like printers and such where interzone traffic is required without a user-id or GlobalProtect connection.
The second option works in some networks and works less well in others. There's a lot of exceptions that need to be created for devices that can't have a GlobalProtect connection (like printers) and it generally means a rather large ACL list to account for everything that can't form a connection to the gateway.